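# Install snapd on CentOS/RHEL from EPEL and enable its socket.
# EPEL is installed in its own transaction first: snapd comes from that repo,
# so the two packages cannot be resolved in a single `yum install` call.
sudo yum install -y epel-release || exit 1
sudo yum install -y snapd || exit 1
sudo systemctl enable --now snapd.socket || exit 1
# /snap -> /var/lib/snapd/snap; create the link only when nothing is there yet
# so the snippet can be re-run without `ln` failing with "File exists".
[[ -e /snap ]] || sudo ln -s /var/lib/snapd/snap /snap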
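# Install lsd as a snap and make the snap binary directory visible to this shell.
sudo snap install lsd || exit 1
# Quoted so an existing PATH containing spaces survives; trailing slash kept as written.
export PATH="${PATH}:/snap/bin/"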
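# Usage:
#   bash <(cat sshd_config.sh)        # external port defaults to 2022
#   bash <(cat sshd_config.sh) 2022   # explicit external port
# Needs root privileges: edits sshd_config, changes firewalld and reads /etc/shadow.
SSHD_CONFIG_PATH=/etc/ssh/sshd_config
# Root may authenticate with keys only; "DenyUsers root" is applied as well below.
PERMIT_ROOT_LOGIN=without-password
# External port that firewalld forwards to sshd's port 22 (default 2022).
SSHD_PORT=${1:-2022}
# Validate before the value is interpolated into firewall-cmd arguments and
# status messages: anything that is not a TCP port number is rejected.
if ! [[ "$SSHD_PORT" =~ ^[0-9]+$ ]] || (( SSHD_PORT < 1 || SSHD_PORT > 65535 )); then
  echo "⛔ Invalid port: $SSHD_PORT ⛔" >&2
  exit 1
fi
# Check sudo rights; exit non-zero so a caller can tell that nothing was changed
# (the original exited 0 here, which looks like success in pipelines/automation).
if ! sudo -v >/dev/null 2>&1; then
  echo "⛔ Need to be run in sudo ⛔" >&2
  exit 1
fi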
# Output helpers used by the checks below
# Print a green " OK " badge followed by the message in $1.
# %b expands backslash escapes in the argument exactly as `echo -e` does.
success() {
  printf '%b\n' "\e[30;48;5;82m OK \e[0m $1"
}
# Print a red " ER " badge followed by the message in $1.
# %b expands backslash escapes in the argument exactly as `echo -e` does.
error() {
  printf '%b\n' "\e[97;48;5;124m ER \e[0m $1"
}
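# Report whether sshd_config contains a line matching the regex in $1.
# $2 is the label printed next to the OK/ER badge.
# Returns 0 when the directive is present and 1 when it is absent, so callers
# may also branch on the result (existing callers simply ignore it).
checkSum() {
  local pattern=$1
  local label=$2
  # Quoted path and `--` so an odd value of SSHD_CONFIG_PATH cannot be split or read as an option.
  if grep -qe "$pattern" -- "$SSHD_CONFIG_PATH"; then
    success "$label"
    return 0
  fi
  error "$label"
  return 1
}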
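# Firewalld: expose sshd on $SSHD_PORT only. sshd keeps listening on 22; the
# ssh service is removed from the zone and external $SSHD_PORT/tcp is
# forwarded to local port 22.
FWDZ=$(firewall-cmd --get-default-zone) || exit 1
# An empty zone would silently turn every --zone= argument below into a bare option.
: "${FWDZ:?could not determine the default firewalld zone}"
firewall-cmd --quiet --zone="$FWDZ" --permanent --add-forward-port="port=${SSHD_PORT}:proto=tcp:toport=22"
firewall-cmd --quiet --zone="$FWDZ" --permanent --remove-service=ssh
# NOTE(review): --panic-off together with a --permanent change looks unintended — confirm; kept as written.
firewall-cmd --quiet --zone="$FWDZ" --permanent --add-masquerade --panic-off
firewall-cmd --quiet --reload
# Verify in the zone that was actually modified (the original queried "public",
# which is only right when that happens to be the default zone).
if firewall-cmd --zone="$FWDZ" --list-services | grep -qw "ssh"; then
  error "Port 22 - still opened"
else
  success "Port 22 - Closed"
fi
# Messages use $SSHD_PORT instead of a hard-coded 2022 so they stay right when $1 is given.
if firewall-cmd --quiet --zone="$FWDZ" --query-forward-port="port=${SSHD_PORT}:proto=tcp:toport=22"; then
  success "Port ${SSHD_PORT} - Forward to 22"
else
  error "Port ${SSHD_PORT} - Forward to 22"
fi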
# Change the default SSH port to 2022 (currently commented out)
# if grep -qe "^Port" $SSHD_CONFIG_PATH; then | |
# if ! grep -qe "^Port $SSHD_PORT" $SSHD_CONFIG_PATH; then | |
# sed -i -E "s/Port [0-9]+/Port 2022/" $SSHD_CONFIG_PATH | |
# echo "Replaced Port" | |
# firewall-cmd --zone=public --permanent --add-forward-port=port=2022:proto=tcp:toport=22 | |
# firewall-cmd --zone=public --permanent --add-masquerade | |
# fire | |
# fi | |
# else | |
# echo "No Port" | |
# fi | |
# checkSum "^Port $SSHD_PORT" "SSH Port default $SSHD_PORT" | |
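# PermitRootLogin: rewrite the active directive, or append one.
# The original appended "no" here while the checkSum call further down expects
# $PERMIT_ROOT_LOGIN, so a fresh config was always reported as ER; use the
# variable in both branches so the write and the check agree.
if grep -qe "^PermitRootLogin" -- "$SSHD_CONFIG_PATH"; then
  # Anchored so commented-out examples (#PermitRootLogin ...) are left untouched.
  sed -i "s/^PermitRootLogin .*$/PermitRootLogin $PERMIT_ROOT_LOGIN/" "$SSHD_CONFIG_PATH"
else
  echo "PermitRootLogin $PERMIT_ROOT_LOGIN" >>"$SSHD_CONFIG_PATH"
fi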
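# DenyUsers root: append root to an existing directive, or create one.
# sshd honours DenyUsers independently of PermitRootLogin, so this blocks root
# logins even though PermitRootLogin is set to without-password above.
if grep -qe "^DenyUsers" -- "$SSHD_CONFIG_PATH"; then
  if ! grep -qe "^DenyUsers.*root" -- "$SSHD_CONFIG_PATH"; then
    # Anchored: only the active directive gets " root" appended, not commented copies.
    sed -i 's/^DenyUsers.*/& root/' "$SSHD_CONFIG_PATH"
  fi
else
  echo "DenyUsers root" >>"$SSHD_CONFIG_PATH"
fi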
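# Disable GSSAPIAuthentication: rewrite the active directive, or append one.
if grep -qe "^GSSAPIAuthentication" -- "$SSHD_CONFIG_PATH"; then
  # Anchored so commented-out examples (#GSSAPIAuthentication ...) are left untouched.
  sed -i "s/^GSSAPIAuthentication .*$/GSSAPIAuthentication no/" "$SSHD_CONFIG_PATH"
else
  echo "GSSAPIAuthentication no" >>"$SSHD_CONFIG_PATH"
fi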
# Report the final state of each hardening directive, in the same order as they were applied.
# Each entry is "regex|label"; none of the regexes contains '|'.
sshd_checks=(
  "^DenyUsers.*root|DenyUsers root"
  "^GSSAPIAuthentication no|Disabled GSSAPIAuthentication"
  "^PermitRootLogin $PERMIT_ROOT_LOGIN|PermitRootLogin $PERMIT_ROOT_LOGIN"
)
for sshd_check in "${sshd_checks[@]}"; do
  checkSum "${sshd_check%%|*}" "${sshd_check#*|}"
done
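# Restart sshd only when at least one non-root account has a usable password
# (second /etc/shadow field not starting with '*' or '!'); otherwise the new
# DenyUsers/PermitRootLogin settings would lock every login out.
# NOTE(review): key-only accounts with a locked password are not counted — confirm that is intended.
other_users=$(awk -F: '$1 != "root" && $2 !~ /^[*!]/ {print $1}' /etc/shadow | paste -sd, -)
if [[ -n "$other_users" ]]; then
  success "Other SSH users: $other_users"
  # Never restart on a config that does not parse: sshd would not come back up
  # and the host would be unreachable over SSH.
  if sshd -t; then
    systemctl restart sshd || error "sshd restart failed"
  else
    error "sshd_config failed validation (sshd -t) - not restarting sshd"
  fi
else
  error "Warning! No other users"
  echo -e " \e[210;48;5;124m !!! Do not restart SSHD before add an valid ssh user !!! \e[0m
Use command to check: \e[93;48;5;104m cat /etc/shadow | grep '^[^:]*:[^\*!]' | grep -qv \"root:\"\e[0m"
fi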
# grep -e "^DenyUsers" $SSHD_CONFIG_PATH |