Last active
April 30, 2018 05:34
-
-
Save njdancer/417a95d117a2872b3746b0041d64589d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
INSTALL_DIR=/root | |
FAIL2BAN_SSH_PATH=/etc/fail2ban/jail.d/ssh.local | |
if [ "$(uname)" == 'Darwin' ] | |
then | |
# /root is not available on Mac OS | |
INSTALL_DIR=/usr/local | |
fi | |
SCRIPT_NAME=keys4user | |
INSTALL_PATH=$INSTALL_DIR/$SCRIPT_NAME | |
SSHD_CONF=/etc/ssh/sshd_config | |
SSH_HARDENING=1 | |
FAIL2BAN=1 | |
while getopts ":hf" OPTION | |
do | |
case $OPTION in | |
h) | |
SSH_HARDENING=0 | |
;; | |
f) | |
FAIL2BAN=0 | |
;; | |
\?) | |
echo "Used for the help menu $OPTARG" | |
exit 999 | |
;; | |
esac | |
done | |
read -r -d '' KEYS4USER <<'EOF' | |
#!/usr/bin/env bash | |
HOME_DIR=$(eval echo "~$1") | |
SSH_DIR=$HOME_DIR/.ssh | |
KEY_LOC=$SSH_DIR/key_locations | |
CACHE=$KEY_LOC.cache | |
AUTH_KEYS="" | |
which curl > /dev/null | |
if (("$?" == "0")) | |
then | |
DOWNLOAD="curl -sfL" | |
else | |
which wget > /dev/null | |
if (("$?" == "0")) | |
then | |
DOWNLOAD="wget -q -O -" | |
else | |
printf "Neither curl or wget found in path. Exiting.\n" | |
exit 9 | |
fi | |
fi | |
if [ -e "$KEY_LOC" ] | |
then | |
while read URL | |
do | |
if [ ! -z "$URL" ] | |
then | |
KEY=$($DOWNLOAD "$URL") | |
CURL_EXIT_STATUS=$? | |
if [ $CURL_EXIT_STATUS != 0 ] | |
then | |
cat $CACHE | |
exit $? | |
fi | |
AUTH_KEYS+="$KEY$(echo)" | |
fi | |
done <$KEY_LOC | |
fi | |
if [ ! -z "$AUTH_KEYS" ] | |
then | |
touch $CACHE | |
chown $1:$1 $CACHE | |
chmod 0644 $CACHE | |
printf "$AUTH_KEYS" | tee "$CACHE" | |
fi | |
EOF | |
read -r -d '' SSH_JAIL_CONF <<'EOF' | |
[ssh] | |
enabled = true | |
port = ssh | |
filter = sshd | |
action = iptables[name=SSH, port=ssh, protocol=tcp] | |
logpath = /var/log/auth.log | |
maxretry = 3 | |
bantime = 900 | |
EOF | |
printf_bold () { | |
tput bold | |
# shellcheck disable=SC2059 | |
printf "$@" | |
tput sgr0 | |
} | |
sedi () { | |
sed --version >/dev/null 2>&1 && (sed -i -- "$@" || sed -i "" "$@") | |
} | |
modify_config () { | |
# $1 file path | |
# $2 option | |
# $3 value | |
# $4 allow multiple | |
if ! grep -q "^$2 $3" "$1" | |
then | |
# Config not properly set | |
if [ ! "$4" ] | |
then | |
# Comment out any incorrect config lines | |
sedi "/^$2/ s/^#*/#/" "$SSHD_CONF" | |
fi | |
# Insert new config | |
printf "%s %s\\n" "$2" "$3" >> $SSHD_CONF | |
fi | |
} | |
install_script () { | |
printf_bold "Installing %s to %s...\\n" "$SCRIPT_NAME" "$INSTALL_PATH" | |
touch $INSTALL_PATH || exit 1 | |
chown root $INSTALL_PATH || exit 2 | |
chmod 0755 $INSTALL_PATH || exit 3 | |
printf %s "$KEYS4USER" > $INSTALL_PATH || exit 4 | |
} | |
install_SSH_config () { | |
printf_bold "Installing required config to %s...\\n" "$SSHD_CONF" | |
(grep "AuthorizedKeysCommand" $SSHD_CONF | grep -vq "^[\\#]" || printf "\\n\\nAuthorizedKeysCommand %s\\n" "$INSTALL_PATH" >> $SSHD_CONF) || exit 11 | |
(grep "AuthorizedKeysCommandUser" $SSHD_CONF | grep -vq "^[\\#]" || printf "AuthorizedKeysCommandUser root\\n" >> $SSHD_CONF) || exit 12 | |
} | |
install_SSH_hardening () { | |
printf_bold "Hardening SSH config in %s...\\n" "$SSHD_CONF" | |
modify_config "$SSHD_CONF" Protocol 2 | |
modify_config "$SSHD_CONF" HostKey /etc/ssh/ssh_host_ed25519_key 1 | |
modify_config "$SSHD_CONF" HostKey /etc/ssh/ssh_host_rsa_key 1 | |
modify_config "$SSHD_CONF" KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | |
modify_config "$SSHD_CONF" Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
modify_config "$SSHD_CONF" MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
} | |
install_fail2ban () { | |
printf_bold "Installing fail2ban...\\n" | |
apt-get update -y || exit $? | |
apt-get install fail2ban -y || exit $? | |
touch $FAIL2BAN_SSH_PATH || exit 31 | |
chown root $FAIL2BAN_SSH_PATH || exit 32 | |
chmod 0755 $FAIL2BAN_SSH_PATH || exit 33 | |
printf "%s\\n" "$SSH_JAIL_CONF" > $FAIL2BAN_SSH_PATH || exit 34 | |
} | |
reload_SSH () { | |
printf_bold "Reloading SSH...\\n" | |
systemctl reload ssh || exit 41 | |
} | |
install () { | |
install_script | |
install_SSH_config | |
if (("$SSH_HARDENING" > "0")) | |
then | |
install_SSH_hardening | |
fi | |
if (("$FAIL2BAN" > "0")) && [ "$(uname)" != 'Darwin' ] | |
then | |
install_fail2ban | |
fi | |
if [ "$(uname)" != 'Darwin' ] | |
then | |
reload_SSH | |
fi | |
} | |
install |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment