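#!/bin/bash
# SSH Hardening Script
# Created By Dimas Restu Hidayanto (dimas.restu@student.upi.edu)
# Edited By Ciro Mota
#
# Applies a fixed set of sshd_config hardening values, disables the PAM motd
# hook for sshd, tightens the config file mode, validates the result with
# `sshd -t` and only then restarts the daemon.  Must be run as root.
#
# Exit status: 0 on success; 1 when not root, when a file operation fails, or
# when the rewritten configuration does not pass `sshd -t` (the pre-change
# copy is restored in that case so the running daemon is never restarted
# into a broken config, which would lock remote administrators out).
#
# Authentication keywords (PermitRootLogin, PasswordAuthentication, ...) are
# deliberately not touched, so the script cannot cut off a password-only
# admin session; set those separately once key-based access is confirmed.
set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly PAM_SSHD=/etc/pam.d/sshd

#######################################
# Print a message plus "[FAILED]" to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n[FAILED]\n' "$*" >&2
  exit 1
}

#######################################
# Set one sshd_config keyword to a value, respecting sshd's parsing rules.
#
# sshd uses the FIRST value it reads for a keyword, and a keyword placed after
# a `Match` line only applies inside that Match block (several keywords are not
# even allowed there and make sshd refuse to start).  Blindly appending to the
# end of the file therefore either does nothing or breaks the daemon.  So:
#   * the first occurrence of the keyword before any active `Match` line,
#     whether live or commented out, is replaced by "KEY VALUE";
#   * later live occurrences before `Match` are commented out so they cannot
#     shadow the new value;
#   * if the keyword does not occur before `Match`, "KEY VALUE" is inserted
#     just before the first `Match` line, or appended at EOF when there is no
#     Match block at all.
# Keyword comparison is case-insensitive, as in sshd's own parser, so an
# existing `maxauthtries 10` is replaced rather than silently kept.
# Globals:   SSHD_CONFIG (rewritten in place; inode, owner and mode preserved)
# Arguments: $1 - keyword (e.g. MaxAuthTries), $2 - value (e.g. 6)
# Returns:   0, or exits via die() if the rewrite fails
#######################################
set_sshd_option() {
  local key=$1 value=$2 tmp
  tmp=$(mktemp) || die "mktemp failed"
  awk -v key="$key" -v val="$value" '
    BEGIN { lkey = tolower(key); done = 0; in_match = 0 }
    {
      commented = ($0 ~ /^[ \t]*#/)
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)     # strip indent and comment marker
      split(line, f, /[ \t=]+/)            # sshd also accepts "Key=Value"
      first = tolower(f[1])
      if (!in_match && !commented && first == "match") {
        if (!done) { print key " " val; done = 1 }
        in_match = 1
      }
      if (!in_match && first == lkey) {
        if (!done) { print key " " val; done = 1 }
        else if (!commented) { print "#" $0 }
        else { print }
        next
      }
      print
    }
    END { if (!done) print key " " val }
  ' "$SSHD_CONFIG" > "$tmp" || { rm -f -- "$tmp"; die "failed to rewrite $SSHD_CONFIG for $key"; }
  # Copy over the original rather than mv so owner, mode and inode survive.
  cat -- "$tmp" > "$SSHD_CONFIG"
  rm -f -- "$tmp"
}

#######################################
# Entry point: privilege check, backup, option rewrite, PAM tweak,
# permissions, validation, restart.
#######################################
main() {
  echo "--------------------------------------"
  echo "SSH Hardening"
  echo "dimas.restu@student.upi.edu"
  echo "--------------------------------------"
  echo ""
  echo "Escalating Privilege..."
  echo "Checking escalation privilege."
  # EUID rather than UID: it is the effective id that decides whether /etc/ssh
  # is writable.  Exit non-zero so cron/CI/Ansible callers notice the failure.
  if (( EUID != 0 )); then
    die "Sorry. Only the ROOT user can run this program!"
  fi
  echo "[DONE]"
  echo ""

  command -v sshd >/dev/null || die "sshd not found in PATH; is OpenSSH server installed?"
  [[ -f "$SSHD_CONFIG" ]] || die "$SSHD_CONFIG does not exist"

  echo "SSH Policies Hardening..."
  echo " - Backing-up current configuration file."
  # Keep the very first backup pristine (a fixed name overwritten on every run
  # would back up an already-hardened file the second time), and always take a
  # fresh timestamped copy that is used for rollback if validation fails.
  local rollback
  rollback="${SSHD_CONFIG}.backup.$(date +%Y%m%d%H%M%S)"
  cp -p -- "$SSHD_CONFIG" "$rollback"
  [[ -e "${SSHD_CONFIG}.backup" ]] || cp -p -- "$SSHD_CONFIG" "${SSHD_CONFIG}.backup"

  # Drop-in directories (Include ...) are read at the point of the Include
  # line; since the first value wins, a keyword set in a drop-in that sshd
  # reads before the lines written below silently overrides them.
  if grep -Eiq '^[ \t]*Include[ \t]' "$SSHD_CONFIG"; then
    echo " - NOTE: $SSHD_CONFIG has Include directives; values in included files" >&2
    echo "   take precedence over the ones written here. Verify with 'sshd -T'." >&2
  fi

  # Keyword/value pairs to enforce.  Protocol: SSH-1 server support was removed
  # in OpenSSH 7.4, where the keyword is accepted but logged as deprecated; it is
  # kept so older daemons are still pinned to protocol 2.
  local kv
  for kv in \
      "Protocol 2" \
      "PermitUserEnvironment no" \
      "PermitEmptyPasswords no" \
      "MaxAuthTries 6" \
      "LoginGraceTime 2m" \
      "ClientAliveInterval 2m" \
      "LogLevel VERBOSE" \
      "AllowTcpForwarding no" \
      "AllowAgentForwarding no" \
      "PermitTunnel no" \
      "X11Forwarding no"; do
    echo " - Changing value ${kv% *} to ${kv#* }."
    set_sshd_option "${kv% *}" "${kv#* }"
  done

  echo " - Disable motd Message."
  if [[ -f "$PAM_SSHD" ]]; then
    # Only prefix '#' to lines that are not already commented, so re-running
    # the script does not pile up '#' characters.
    sed -i '/pam_motd\.so/ { /^[ \t]*#/! s/^/#/ }' "$PAM_SSHD"
  fi

  echo " - Changing SSH Daemon Configuration File Permissions."
  chmod 600 "$SSHD_CONFIG"

  echo " - Validating new configuration (sshd -t)."
  # Never restart into an invalid config: that kills remote access.  On failure
  # put the pre-change copy back (cat-over keeps owner/mode) and abort.
  if ! sshd -t; then
    cat -- "$rollback" > "$SSHD_CONFIG"
    die "New $SSHD_CONFIG failed validation; restored $rollback and left sshd untouched."
  fi

  echo " - Restarting SSH Daemon."
  # Debian/Ubuntu name the unit 'ssh' (normally with an 'sshd' alias); try both.
  systemctl restart sshd 2>/dev/null || systemctl restart ssh || die "failed to restart sshd"
  echo "[DONE]"
}

main "$@"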