njdancer/install

## install
#!/usr/bin/env bash
INSTALL_DIR=/root
FAIL2BAN_SSH_PATH=/etc/fail2ban/jail.d/ssh.local
if [ "$(uname)" == 'Darwin' ]
then
  # /root is not available on Mac OS
  INSTALL_DIR=/usr/local
fi
SCRIPT_NAME=keys4user
INSTALL_PATH=$INSTALL_DIR/$SCRIPT_NAME
SSHD_CONF=/etc/ssh/sshd_config

SSH_HARDENING=1
FAIL2BAN=1

while getopts ":hf" OPTION
do
  case $OPTION in
  h)
    SSH_HARDENING=0
    ;;
  f)
    FAIL2BAN=0
    ;;
  \?)
    echo "Used for the help menu $OPTARG"
    exit 999
    ;;
  esac
done

read -r -d '' KEYS4USER <<'EOF'
#!/usr/bin/env bash
HOME_DIR=$(eval echo "~$1")
SSH_DIR=$HOME_DIR/.ssh
KEY_LOC=$SSH_DIR/key_locations
CACHE=$KEY_LOC.cache
AUTH_KEYS=""

which curl > /dev/null
if (("$?" == "0"))
then
  DOWNLOAD="curl -sfL"
else
  which wget > /dev/null
  if (("$?" == "0"))
  then
    DOWNLOAD="wget -q -O -"
  else
    printf "Neither curl or wget found in path. Exiting.\n"
    exit 9
  fi
fi

if [ -e "$KEY_LOC" ]
then
  while read URL
    do
    if [ ! -z "$URL" ]
    then
      KEY=$($DOWNLOAD "$URL")
      CURL_EXIT_STATUS=$?
      if [ $CURL_EXIT_STATUS != 0 ]
      then
        cat $CACHE
        exit $?
      fi
      AUTH_KEYS+="$KEY$(echo)"
    fi
  done <$KEY_LOC
fi

if [ ! -z "$AUTH_KEYS" ]
then
  touch $CACHE
  chown $1:$1 $CACHE
  chmod 0644 $CACHE
  printf "$AUTH_KEYS" | tee "$CACHE"
fi
EOF

read -r -d '' SSH_JAIL_CONF <<'EOF'
[ssh]

enabled = true
port	= ssh
filter	= sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/auth.log
maxretry = 3
bantime = 900
EOF

printf_bold () {
  tput bold
  # shellcheck disable=SC2059
  printf "$@"
  tput sgr0
}

sedi () {
    sed --version >/dev/null 2>&1 && (sed -i -- "$@" || sed -i "" "$@")
}

modify_config () {
  # $1 file path
  # $2 option
  # $3 value
  # $4 allow multiple
  if ! grep -q "^$2 $3" "$1"
  then
    # Config not properly set
    if [ ! "$4" ]
    then
      # Comment out any incorrect config lines
      sedi "/^$2/ s/^#*/#/" "$SSHD_CONF"
    fi
    # Insert new config
    printf "%s %s\\n" "$2" "$3" >> $SSHD_CONF
  fi
}

install_script () {
  printf_bold "Installing %s to %s...\\n" "$SCRIPT_NAME" "$INSTALL_PATH"

  touch $INSTALL_PATH || exit 1
  chown root $INSTALL_PATH || exit 2
  chmod 0755 $INSTALL_PATH || exit 3
  printf %s "$KEYS4USER" > $INSTALL_PATH || exit 4
}

install_SSH_config () {
  printf_bold "Installing required config to %s...\\n" "$SSHD_CONF"

  (grep "AuthorizedKeysCommand" $SSHD_CONF | grep -vq "^[\\#]" || printf "\\n\\nAuthorizedKeysCommand %s\\n" "$INSTALL_PATH" >> $SSHD_CONF) || exit 11
  (grep "AuthorizedKeysCommandUser" $SSHD_CONF | grep -vq "^[\\#]" || printf "AuthorizedKeysCommandUser root\\n" >> $SSHD_CONF) || exit 12
}

install_SSH_hardening () {
  printf_bold "Hardening SSH config in %s...\\n" "$SSHD_CONF"

  modify_config "$SSHD_CONF" Protocol 2
  modify_config "$SSHD_CONF" HostKey /etc/ssh/ssh_host_ed25519_key 1
  modify_config "$SSHD_CONF" HostKey /etc/ssh/ssh_host_rsa_key 1
  modify_config "$SSHD_CONF" KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  modify_config "$SSHD_CONF" Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  modify_config "$SSHD_CONF" MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
}

install_fail2ban () {
  printf_bold "Installing fail2ban...\\n"

  apt-get update -y || exit $?
  apt-get install fail2ban -y || exit $?

  touch $FAIL2BAN_SSH_PATH || exit 31
  chown root $FAIL2BAN_SSH_PATH || exit 32
  chmod 0755 $FAIL2BAN_SSH_PATH || exit 33
  printf "%s\\n" "$SSH_JAIL_CONF" > $FAIL2BAN_SSH_PATH || exit 34
}

reload_SSH () {
  printf_bold "Reloading SSH...\\n"

  systemctl reload ssh || exit 41
}

install () {
  install_script
  install_SSH_config
  if (("$SSH_HARDENING" > "0"))
  then
    install_SSH_hardening
  fi
  if (("$FAIL2BAN" > "0")) && [ "$(uname)" != 'Darwin' ]
  then
    install_fail2ban
  fi

  if [ "$(uname)" != 'Darwin' ]
  then
    reload_SSH
  fi
}


install
	#!/usr/bin/env bash
	INSTALL_DIR=/root
	FAIL2BAN_SSH_PATH=/etc/fail2ban/jail.d/ssh.local
	if [ "$(uname)" == 'Darwin' ]
	then
	# /root is not available on Mac OS
	INSTALL_DIR=/usr/local
	fi
	SCRIPT_NAME=keys4user
	INSTALL_PATH=$INSTALL_DIR/$SCRIPT_NAME
	SSHD_CONF=/etc/ssh/sshd_config

	SSH_HARDENING=1
	FAIL2BAN=1

	while getopts ":hf" OPTION
	do
	case $OPTION in
	h)
	SSH_HARDENING=0
	;;
	f)
	FAIL2BAN=0
	;;
	\?)
	echo "Used for the help menu $OPTARG"
	exit 999
	;;
	esac
	done

	read -r -d '' KEYS4USER <<'EOF'
	#!/usr/bin/env bash
	HOME_DIR=$(eval echo "~$1")
	SSH_DIR=$HOME_DIR/.ssh
	KEY_LOC=$SSH_DIR/key_locations
	CACHE=$KEY_LOC.cache
	AUTH_KEYS=""

	which curl > /dev/null
	if (("$?" == "0"))
	then
	DOWNLOAD="curl -sfL"
	else
	which wget > /dev/null
	if (("$?" == "0"))
	then
	DOWNLOAD="wget -q -O -"
	else
	printf "Neither curl or wget found in path. Exiting.\n"
	exit 9
	fi
	fi

	if [ -e "$KEY_LOC" ]
	then
	while read URL
	do
	if [ ! -z "$URL" ]
	then
	KEY=$($DOWNLOAD "$URL")
	CURL_EXIT_STATUS=$?
	if [ $CURL_EXIT_STATUS != 0 ]
	then
	cat $CACHE
	exit $?
	fi
	AUTH_KEYS+="$KEY$(echo)"
	fi
	done <$KEY_LOC
	fi

	if [ ! -z "$AUTH_KEYS" ]
	then
	touch $CACHE
	chown $1:$1 $CACHE
	chmod 0644 $CACHE
	printf "$AUTH_KEYS" \| tee "$CACHE"
	fi
	EOF

	read -r -d '' SSH_JAIL_CONF <<'EOF'
	[ssh]

	enabled = true
	port = ssh
	filter = sshd
	action = iptables[name=SSH, port=ssh, protocol=tcp]
	logpath = /var/log/auth.log
	maxretry = 3
	bantime = 900
	EOF

	printf_bold () {
	tput bold
	# shellcheck disable=SC2059
	printf "$@"
	tput sgr0
	}

	sedi () {
	sed --version >/dev/null 2>&1 && (sed -i -- "$@" \|\| sed -i "" "$@")
	}

	modify_config () {
	# $1 file path
	# $2 option
	# $3 value
	# $4 allow multiple
	if ! grep -q "^$2 $3" "$1"
	then
	# Config not properly set
	if [ ! "$4" ]
	then
	# Comment out any incorrect config lines
	sedi "/^$2/ s/^#*/#/" "$SSHD_CONF"
	fi
	# Insert new config
	printf "%s %s\\n" "$2" "$3" >> $SSHD_CONF
	fi
	}

	install_script () {
	printf_bold "Installing %s to %s...\\n" "$SCRIPT_NAME" "$INSTALL_PATH"

	touch $INSTALL_PATH \|\| exit 1
	chown root $INSTALL_PATH \|\| exit 2
	chmod 0755 $INSTALL_PATH \|\| exit 3
	printf %s "$KEYS4USER" > $INSTALL_PATH \|\| exit 4
	}

	install_SSH_config () {
	printf_bold "Installing required config to %s...\\n" "$SSHD_CONF"

	(grep "AuthorizedKeysCommand" $SSHD_CONF \| grep -vq "^[\\#]" \|\| printf "\\n\\nAuthorizedKeysCommand %s\\n" "$INSTALL_PATH" >> $SSHD_CONF) \|\| exit 11
	(grep "AuthorizedKeysCommandUser" $SSHD_CONF \| grep -vq "^[\\#]" \|\| printf "AuthorizedKeysCommandUser root\\n" >> $SSHD_CONF) \|\| exit 12
	}

	install_SSH_hardening () {
	printf_bold "Hardening SSH config in %s...\\n" "$SSHD_CONF"

	modify_config "$SSHD_CONF" Protocol 2
	modify_config "$SSHD_CONF" HostKey /etc/ssh/ssh_host_ed25519_key 1
	modify_config "$SSHD_CONF" HostKey /etc/ssh/ssh_host_rsa_key 1
	modify_config "$SSHD_CONF" KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
	modify_config "$SSHD_CONF" Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
	modify_config "$SSHD_CONF" MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
	}

	install_fail2ban () {
	printf_bold "Installing fail2ban...\\n"

	apt-get update -y \|\| exit $?
	apt-get install fail2ban -y \|\| exit $?

	touch $FAIL2BAN_SSH_PATH \|\| exit 31
	chown root $FAIL2BAN_SSH_PATH \|\| exit 32
	chmod 0755 $FAIL2BAN_SSH_PATH \|\| exit 33
	printf "%s\\n" "$SSH_JAIL_CONF" > $FAIL2BAN_SSH_PATH \|\| exit 34
	}

	reload_SSH () {
	printf_bold "Reloading SSH...\\n"

	systemctl reload ssh \|\| exit 41
	}

	install () {
	install_script
	install_SSH_config
	if (("$SSH_HARDENING" > "0"))
	then
	install_SSH_hardening
	fi
	if (("$FAIL2BAN" > "0")) && [ "$(uname)" != 'Darwin' ]
	then
	install_fail2ban
	fi

	if [ "$(uname)" != 'Darwin' ]
	then
	reload_SSH
	fi
	}


	install