
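#!/bin/sh
#
# LXC_Debian_secure_SSH-Server.sh - install a hardened /etc/ssh/sshd_config
# on a Debian (LXC) host.
#
# Steps:
#   1. refuse to run unless invoked as root on a Debian system with
#      openssh-server installed,
#   2. back up the current sshd_config to sshd_config.orig,
#   3. create an Ed25519 host key if none exists yet,
#   4. write a new, key-only sshd_config (no password login, no forwarding,
#      explicit KEX/cipher/MAC allow-lists),
#   5. validate the result with `sshd -t` and restore the backup on error,
#   6. run the usual apt cleanup.
#
# Before running: every account listed under AllowUsers below must already
# have a working ~/.ssh/authorized_keys. Password authentication is switched
# off, so a missing key means no way back in.
#
# The new configuration is NOT activated by this script; reload or restart the
# ssh service yourself once key access has been confirmed from a second
# session.
#
set -eu

# Must be root: we write under /etc/ssh and generate a host key.
if [ "$(id -u)" != "0" ]; then
  echo "Error: You must be root to run this script, please use the root user to install the software." >&2
  exit 1
fi
# Debian only: the sftp-server path and the DebianBanner keyword used in the
# generated configuration are Debian-specific.
if [ ! -f /etc/debian_version ]; then
  echo "Unsupported Linux Distribution. Prepared for Debian" >&2
  exit 1
fi

sshd_bin=/usr/sbin/sshd
sshd_config=/etc/ssh/sshd_config
sshd_backup="${sshd_config}.orig"
host_key=/etc/ssh/ssh_host_ed25519_key

# Fail before touching anything if the server binary is missing; it is also
# needed for the configuration check at the end.
if [ ! -x "$sshd_bin" ]; then
  echo "Error: $sshd_bin not found; is openssh-server installed?" >&2
  exit 1
fi

# Keep a copy of the current server configuration.
# Written with cp instead of `mv /etc/ssh/{sshd_config,sshd_config.orig}`:
# brace expansion is a bashism that /bin/sh (dash on Debian) does not perform,
# so that form hands the literal string to mv and no backup is ever created.
if [ -f "$sshd_config" ]; then
  cp -p -- "$sshd_config" "$sshd_backup"
fi

# Generate the Ed25519 host key only when it is missing. Regenerating an
# existing key would change the fingerprint pinned in every client's
# known_hosts, and ssh-keygen prompts interactively before overwriting.
if [ ! -f "$host_key" ]; then
  ssh-keygen -o -a 100 -t ed25519 -N "" -f "$host_key" \
    -C "$(whoami)@$(hostname)-$(date -I)"
fi

# Write the new configuration. The delimiter is quoted so nothing inside the
# here-document is expanded by the shell (%h, LC_* and friends stay literal).
# Comments are kept on their own lines: older OpenSSH releases reject a
# trailing "# ..." after an option value ("garbage at end of line").
cat > "$sshd_config" <<"EOF"
#-----------------------------------------------------------
# General - /etc/ssh/sshd_config
#-----------------------------------------------------------
# Listening port; change it here if a non-default port is wanted
Port 22
# Ignored by modern OpenSSH (only protocol 2 exists); harmless on old ones
Protocol 2
# IPv4 and IPv6; use "inet" for IPv4 only
AddressFamily any
#-----------------------------------------------------------
# HostKey - Ed25519 only
#-----------------------------------------------------------
# Offer only the Ed25519 host key. Clients without Ed25519 support
# (very old SSH implementations) will not be able to connect.
HostKey /etc/ssh/ssh_host_ed25519_key
#-----------------------------------------------------------
# Ciphers - modern algorithms only
#-----------------------------------------------------------
# Key exchange used to derive the per-connection keys
KexAlgorithms curve25519-sha256@libssh.org
# MACs only apply to non-AEAD ciphers such as aes256-ctr; the two AEAD
# ciphers listed below carry their own integrity protection
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
# Allowed symmetric ciphers. Add aes256-ctr if a client lacks AEAD support
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
# Host key signature algorithms the server offers to authenticate itself
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
#-----------------------------------------------------------
# Logging
#-----------------------------------------------------------
# Use VERBOSE to also log the fingerprint of the key used for each login
LogLevel INFO
SyslogFacility AUTHPRIV
#-----------------------------------------------------------
# Authentication
#-----------------------------------------------------------
# Maximum open shell/subsystem sessions per network connection
MaxSessions 2
# Authentication attempts per connection before the client is disconnected
MaxAuthTries 3
# Refuse keys from badly owned or world-writable files and directories
StrictModes yes
# Seconds a client has to authenticate before being dropped
LoginGraceTime 60
# Root may log in with a key only, never with a password - even if
# PasswordAuthentication is switched back on later.
# (Older OpenSSH spells this value "without-password".)
PermitRootLogin prohibit-password
PubkeyAuthentication yes
# Keys only: password and keyboard-interactive (PAM prompt) logins are off.
# KbdInteractiveAuthentication is the current keyword and
# ChallengeResponseAuthentication its older alias; both are set so old and
# new sshd versions behave the same.
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
# Keep-alive: drop a client after 2 unanswered probes sent 30 min apart
TCPKeepAlive yes
ClientAliveCountMax 2
ClientAliveInterval 1800
#-----------------------------------------------------------
# Security
#-----------------------------------------------------------
# PAM still handles account/session setup; with the options above it cannot
# authenticate anyone by password
UsePAM yes
# No compression
Compression no
# Only these accounts may log in at all. They must exist and have an
# authorized_keys file, otherwise nobody can get in.
AllowUsers manager root
# AllowGroups sshuser
# RekeyLimit 1G 1H
# No pre-login banner, no distribution or version hints
Banner none
DebianBanner no
VersionAddendum none
PrintMotd no
# Show date and time of the user's last login
PrintLastLog yes
# No tun devices, no user rc files, no client-supplied environment
PermitTunnel no
PermitUserRC no
PermitUserEnvironment no
# No forwarding of any kind
GatewayPorts no
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
# Kerberos / GSSAPI authentication off
KerberosOrLocalPasswd no
KerberosAuthentication no
KerberosTicketCleanup yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
# Fixed location of the authorized keys file
AuthorizedKeysFile %h/.ssh/authorized_keys
#-----------------------------------------------------------
# Misc
#-----------------------------------------------------------
# No reverse DNS lookup of the client address (faster, no blocking on DNS)
UseDNS no
# Accept only the client's locale variables
AcceptEnv LANG LC_*
#-----------------------------------------------------------
# SFTP
#-----------------------------------------------------------
# SFTP subsystem - enable if needed
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
# Restrictions for dedicated SFTP users - enable if you use SFTP.
# Match blocks must stay at the end of the file.
# Match Group sftp-pimps
# ChrootDirectory /home/%u
# PermitTunnel no
# X11Forwarding no
# AllowTcpForwarding no
# AllowAgentForwarding no
# ForceCommand internal-sftp
#-----------------------------------------------------------
# Per-user / per-group overrides
#-----------------------------------------------------------
# Match User manager
# PasswordAuthentication yes
# AllowTcpForwarding yes
# Match Group sshuser
# PasswordAuthentication yes
# AllowTcpForwarding yes
#-----------------------------------------------------------
# Documentation
#-----------------------------------------------------------
# https://man7.org/linux/man-pages/man1/ssh-keygen.1.html
# https://man7.org/linux/man-pages/man5/sshd_config.5.html
EOF

# Validate before the file can be loaded. A broken sshd_config makes the next
# sshd restart fail - on a container that usually means being locked out - so
# on error put the backup back and abort.
if ! "$sshd_bin" -t -f "$sshd_config"; then
  echo "Error: $sshd_config failed 'sshd -t'; restoring $sshd_backup" >&2
  if [ -f "$sshd_backup" ]; then
    cp -p -- "$sshd_backup" "$sshd_config"
  fi
  exit 1
fi
echo "Wrote $sshd_config (backup: $sshd_backup). Confirm key access, then reload the ssh service."

# Package housekeeping (interactive prompts, as in the original script).
apt autoremove && apt autoclean && apt clean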