2025.04.11-11:50
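--- /dev/null
+++ b/LXC-Debian/LXC_Debian_secure_SSH-Server.sh
@@ -0,0 +1,152 @@
+#!/bin/sh
+#
+# Check if user is root
+#
+if [ $(id -u) != "0" ]; then
+echo "Error: You must be root to run this script, please use the root user to install the software."
+exit 1
+fi
+
+if [ ! -f /etc/debian_version ]; then
+echo "Unsupported Linux Distribution. Prepared for Debian"
+exit 1
+fi
+
+#
+
+
+# Sicherheitskopie der SSH-Serverkonfiguration erstellen
+mv /etc/ssh/{sshd_config,sshd_config.orig}
+
+
+# SSH-Key erstellen
+ssh-keygen -o -a 100 -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key -C "$(whoami)@$(hostname)-$(date -I)"
+
+cat > /etc/ssh/sshd_config <<"EOF"
+#-----------------------------------------------------------
+# General - /etc/ssh/sshd_config
+#-----------------------------------------------------------
+Port 22 # Custom SSH Port
+Protocol 2 # The one and only Protocol
+
+AddressFamily any # IPv4 and IPv6 Net. Use inet for only IPv4
+
+#-----------------------------------------------------------
+# HostKey - Only the curvy one
+#-----------------------------------------------------------
+HostKey /etc/ssh/ssh_host_ed25519_key # Allow only the vely vely secure ECDSA Pub-Key Authentication
+
+#-----------------------------------------------------------
+# Ciphers - Only the ultramodern ones
+#-----------------------------------------------------------
+KexAlgorithms curve25519-sha256@libssh.org # Key exchange methods to generate per-connection keys
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 # Message authentication codes used to detect traffic modification
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Allow only sexy Encrypt-Ciphers. For Android-Connection add aes256-ctr
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Accepted Pub-Key algorithms for the SSH-Server to authenticate to a SSH-Client
+
+#-----------------------------------------------------------
+# Logging
+#-----------------------------------------------------------
+LogLevel INFO # VERBOSE for more like key fingerprint logging
+SyslogFacility AUTHPRIV # Logging Authentication Commands
+
+#-----------------------------------------------------------
+# Authentication:
+#-----------------------------------------------------------
+MaxSessions 2 # Maximum allowed User Sessions
+MaxAuthTries 3 # Maximum allowed Auth Attempts
+
+StrictModes yes # Prevents Configuration Errors
+LoginGraceTime 60 # Login Period Time to authenticate
+PermitRootLogin yes # Disable direct root Login
+
+PubkeyAuthentication yes # Allow Pub-Key Authentication
+PasswordAuthentication no # Allow Password Authentication. Disable if no need
+
+IgnoreRhosts yes # Disable User Rhost Files
+PermitEmptyPasswords no # Disable Empty Passwords
+HostbasedAuthentication no # Disable Host-based Authentication
+ChallengeResponseAuthentication no
+
+TCPKeepAlive yes # Prevent from dropping the Connection
+ClientAliveCountMax 2 # Sends 2 times ClientAlive Message till drop
+ClientAliveInterval 1800 # Kills Connection after 30 Min inactivity
+
+#-----------------------------------------------------------
+# Security
+#-----------------------------------------------------------
+UsePAM yes # Allow PAM Authentication
+Compression no # Disable Compression for better Security
+
+AllowUsers manager root # Allow special Users.
+# AllowGroups sshuser # Allow special Group.
+
+# RekeyLimit 1G 1H # Limiting amount of data transmitted with a single session key
+
+Banner none # Disable Banner
+DebianBanner no # Disable Banner for Debian-based Systems
+VersionAddendum none # Disable SSH Protocol Banner
+
+PrintMotd no # Disable Message of the Day
+PrintLastLog yes # Enable Date and Time of the last user login
+
+PermitTunnel no # Disable tun Device forwarding. Only SSH Connections!
+PermitUserRC no # Disable User RC Files
+PermitUserEnvironment no # Disable User Environment Files
+
+# Disable Forwarding
+GatewayPorts no # Disable Remote Port Forwarding
+X11Forwarding no # Disable X11 Forwarding/Tunneling (GUI)
+AllowTcpForwarding no # Disable TCP Forwarding/Tunneling
+AllowAgentForwarding no # Disable Agent Forwarding/Tunneling
+
+# Disable Kerberos Authentication # Disable Kerberos Authentication
+KerberosOrLocalPasswd no
+KerberosAuthentication no
+KerberosTicketCleanup yes
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
+
+AuthorizedKeysFile %h/.ssh/authorized_keys # Set AuthorizedKeysFile in a controlled manner
+
+#-----------------------------------------------------------
+# Misc
+#-----------------------------------------------------------
+UseDNS no # Disables DSN-Lookup for the Love of Speed
+AcceptEnv LANG LC_* # Allow locale environment variables for Clients
+
+#-----------------------------------------------------------
+# SFTP
+#-----------------------------------------------------------
+# SFTP - Enable if need
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Set special stuff to special SFTP-Users - Enable if you use SFTP
+# Match Group sftp-pimps
+# ChrootDirectory /home/%u
+# PermitTunnel no
+# X11Forwarding no
+# AllowTcpForwarding no
+# AllowAgentForwarding no
+# ForceCommand internal-sftp
+
+#-----------------------------------------------------------
+# Set special SSH-User/Group options
+#-----------------------------------------------------------
+
+# Match User manager
+# PasswordAuthentication yes
+# AllowTcpForwarding yes
+
+# Match Group sshuser
+# PasswordAuthentication yes
+# AllowTcpForwarding yes
+
+#-----------------------------------------------------------
+# Documentation
+#-----------------------------------------------------------
+# https://man7.org/linux/man-pages/man1/ssh-keygen.1.html
+# https://man7.org/linux/man-pages/man5/sshd_config.5.html
+EOF
+
+apt autoremove && apt autoclean && apt clean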
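Review bot: `PermitRootLogin yes` contradicts its own comment (`# Disable direct root Login`) and, together with `AllowUsers manager root`, leaves root reachable over SSH on every container built from this script; the intent reads as `PermitRootLogin no` (or `prohibit-password` if key-only root access is really wanted), with `root` dropped from `AllowUsers`. The script runs under `#!/bin/sh`, but `mv /etc/ssh/{sshd_config,sshd_config.orig}` relies on bash brace expansion; under dash `mv` receives a single literal argument and fails, and because there is no `set -e` the following `cat >` then overwrites the only copy of the original config — write it as `mv /etc/ssh/sshd_config /etc/ssh/sshd_config.orig`. Debian's openssh-server package normally generates `/etc/ssh/ssh_host_ed25519_key` at install time, so the `ssh-keygen -f` call will likely stop at an interactive overwrite prompt when run unattended; decide explicitly whether to reuse or replace the existing key. Finally, the new configuration is never validated before sshd next starts — a `sshd -t` after the heredoc would catch a parse error before the container is locked out, and it also settles whether the trailing `# …` comments on keyword lines are accepted by the installed OpenSSH version.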
@ -27,11 +27,6 @@ fi
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# root pass: master_user@apt-cacher#01
|
||||
# admin pass: admin_user@apt-cacer#01
|
||||
#
|
||||
################################################################################
|
||||
|
||||
apt install -y \
|
||||
avahi-daemon \
|
||||
apt-cacher-ng \
|
||||
|
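Review bot: Removing the `# root pass:` / `# admin pass:` comment lines from the working tree (inferred from the 11→6 line count of this hunk; the rendered view has lost the -/+ markers) does not remove them from repository history, so every credential that was in those lines should be treated as exposed and rotated, and the replacements should be supplied from the environment or a file outside the repository rather than written back into the scripts. The same point applies to the hunks further down that carry the same comment style (the ones mentioning nginx, gitea, jellyfin, qbittorrent and jdownloader, plus the storage/LXC one at `@ -25,10 +25,6`), and the MariaDB hunk at `@ -102,8 +98,7` still shows a credential-style comment line after `echo -e "\033[0m"` whose side cannot be told from this view — verify it is gone as well. Running a secret scanner in a pre-commit hook would have stopped these lines from reaching the repository in the first place.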
@ -25,10 +25,6 @@ fi
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# root pass: master_user@apt-cacher#01
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# echo 'mp0: /storage01/fileserver,mp=/mnt/storage01' >> /etc/pve/nodes/pve01/lxc/119.conf
|
||||
# echo 'mp1: /storage02/fileserver,mp=/mnt/storage02' >> /etc/pve/nodes/pve01/lxc/119.conf
|
||||
#
|
||||
|
@ -28,12 +28,6 @@ fi
|
||||
# Node: PVE01
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# root pass: master_user#01@vmnets.de
|
||||
#
|
||||
# Admin pass: admin_user#01@vmnets.de
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# systemctl [start | stop | reload | restart | status] nginx
|
||||
#
|
||||
|
@ -26,10 +26,6 @@ fi
|
||||
# Node: PVE01
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# root pass: master_user@vm-net#01
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# systemctl [start | stop | reload | restart | status] gitea.service
|
||||
#
|
||||
|
@ -29,11 +29,8 @@ fi
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# root pass: master_user#01@vm-net
|
||||
#
|
||||
# Admin pass: master_user@jellyfin#01
|
||||
#
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# systemctl [start | stop | reload | restart | status] jellyfin
|
||||
|
@ -25,10 +25,6 @@ fi
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
#
|
||||
#
|
||||
################################################################################
|
||||
|
||||
apt install -y mariadb-server
|
||||
|
||||
systemctl stop mysql
|
||||
@ -102,8 +98,7 @@ systemctl restart mysql.service
|
||||
|
||||
echo -e '\033[33m------Secure MariaDB installation-----\033[33m'
|
||||
echo -e "\033[0m"
|
||||
# master_user@mariaDB#01
|
||||
|
||||
mysql_secure_installation
|
||||
|
||||
apt autoremove && apt autoclean && apt clean
|
||||
apt autoremove && apt autoclean && apt clean
|
||||
|
@ -34,8 +34,6 @@ fi
|
||||
# qbittorrent Username is admin. Default password is “adminadmin”
|
||||
# Config: /home/qbittorrent-nox/.config/qBittorrent/qBittorrent.conf
|
||||
#
|
||||
# root pass: master_user#01@vmnets.de
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
#
|
||||
@ -63,7 +61,7 @@ echo "03.Install Jackett"
|
||||
echo ""
|
||||
echo " x. Exit"
|
||||
echo ""
|
||||
echo -n " Please enter option [01 - 04]"
|
||||
echo -n " Please enter option [01 - 03]"
|
||||
read opt
|
||||
case $opt in
|
||||
##################################################################################
|
||||
|
@ -29,10 +29,6 @@ fi
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
#
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# echo 'mp0: /storage01/fileserver/syncthing,mp=/srv/syncthing' >> /etc/pve/nodes/pve01/lxc/105.conf
|
||||
#
|
||||
################################################################################
|
||||
@ -103,4 +99,4 @@ cp /home/syncthing/.config/syncthing/config.xml /home/syncthing/.config/syncthin
|
||||
systemctl start syncthing@syncthing.service
|
||||
|
||||
|
||||
apt autoremove && apt autoclean && apt clean
|
||||
apt autoremove && apt autoclean && apt clean
|
||||
|
@ -25,10 +25,6 @@ fi
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# root pass: master_user#01@vmnets.de
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# echo 'mp0: /srv/fileserver_data/downloads/jdownloader,mp=/opt/jdownloader/Downloads' >> /etc/pve/nodes/pve01/lxc/116.conf
|
||||
#
|
||||
################################################################################
|
||||
|