diff --git a/LinuxMint22_SSH-Server.sh b/LinuxMint22_SSH-Server.sh
new file mode 100644
index 0000000..2e0fa74
--- /dev/null
+++ b/LinuxMint22_SSH-Server.sh
@@ -0,0 +1,160 @@ +#!/bin/sh +# +if [ ! -f /etc/debian_version ]; then + echo "Unsupported Linux Distribution. Prepared for Debian" + exit 1 +fi +################################################################################ +# +# +# Install OpenSSH-Server @Linux Mint +# +# +################################################################################ +# +sudo groupadd sshuser +sudo usermod -a -G sshuser $USER + +# Sicherheitskopie der SSH-Serverkonfiguration erstellen +sudo mv /etc/ssh/{sshd_config,sshd_config.default} + +# SSH-Key erstellen +sudo ssh-keygen -o -a 100 -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key -C "$(whoami)@$(hostname)-$(date -I)" + +sudo bash -c 'cat << EOF > /etc/ssh/sshd_config +#----------------------------------------------------------- +# General - /etc/ssh/sshd_config +#----------------------------------------------------------- +Port 22 # Custom SSH Port +Protocol 2 # The one and only Protocol + +AddressFamily any # IPv4 and IPv6 Net. Use inet for only IPv4 + +#----------------------------------------------------------- +# HostKey - Only the curvy one +#----------------------------------------------------------- +HostKey /etc/ssh/ssh_host_ed25519_key # Allow only the vely vely secure ECDSA Pub-Key Authentication + +#----------------------------------------------------------- +# Ciphers - Only the ultramodern ones +#----------------------------------------------------------- +KexAlgorithms curve25519-sha256@libssh.org # Key exchange methods to generate per-connection keys +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 # Message authentication codes used to detect traffic modification +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Allow only sexy Encrypt-Ciphers. 
For Android-Connection add aes256-ctr +HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Accepted Pub-Key algorithms for the SSH-Server to authenticate to a SSH-Client + +#----------------------------------------------------------- +# Logging +#----------------------------------------------------------- +LogLevel INFO # VERBOSE for more like key fingerprint logging +SyslogFacility AUTHPRIV # Logging Authentication Commands + +#----------------------------------------------------------- +# Authentication: +#----------------------------------------------------------- +MaxSessions 2 # Maximum allowed User Sessions +MaxAuthTries 3 # Maximum allowed Auth Attempts + +StrictModes yes # Prevents Configuration Errors +LoginGraceTime 60 # Login Period Time to authenticate +PermitRootLogin no # Disable direct root Login + +PubkeyAuthentication yes # Allow Pub-Key Authentication +PasswordAuthentication yes # Allow Password Authentication. Disable if no need + +IgnoreRhosts yes # Disable User Rhost Files +PermitEmptyPasswords no # Disable Empty Passwords +HostbasedAuthentication no # Disable Host-based Authentication +ChallengeResponseAuthentication no + +TCPKeepAlive yes # Prevent from dropping the Connection +ClientAliveCountMax 2 # Sends 2 times ClientAlive Message till drop +ClientAliveInterval 1800 # Kills Connection after 30 Min inactivity + +#----------------------------------------------------------- +# Security +#----------------------------------------------------------- +UsePAM yes # Allow PAM Authentication +Compression no # Disable Compression for better Security + +# AllowUsers root # Allow special Users. +AllowGroups sshuser # Allow special Group. 
+ +# RekeyLimit 1G 1H # Limiting amount of data transmitted with a single session key + +Banner none # Disable Banner +DebianBanner no # Disable Banner for Debian-based Systems +VersionAddendum none # Disable SSH Protocol Banner + +PrintMotd no # Disable Message of the Day +PrintLastLog yes # Enable Date and Time of the last user login + +PermitTunnel no # Disable tun Device forwarding. Only SSH Connections! +PermitUserRC no # Disable User RC Files +PermitUserEnvironment no # Disable User Environment Files + +# Disable Forwarding +GatewayPorts no # Disable Remote Port Forwarding +X11Forwarding no # Disable X11 Forwarding/Tunneling (GUI) +AllowTcpForwarding no # Disable TCP Forwarding/Tunneling +AllowAgentForwarding no # Disable Agent Forwarding/Tunneling + +# Disable Kerberos Authentication # Disable Kerberos Authentication +KerberosOrLocalPasswd no +KerberosAuthentication no +KerberosTicketCleanup yes +GSSAPIAuthentication no +GSSAPICleanupCredentials yes + +AuthorizedKeysFile %h/.ssh/authorized_keys # Set AuthorizedKeysFile in a controlled manner + +#----------------------------------------------------------- +# Misc +#----------------------------------------------------------- +UseDNS no # Disables DSN-Lookup for the Love of Speed +AcceptEnv LANG LC_* # Allow locale environment variables for Clients + +#----------------------------------------------------------- +# SFTP +#----------------------------------------------------------- +# SFTP - Enable if need +Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO + +# Set special stuff to special SFTP-Users - Enable if you use SFTP +# Match Group sftp-pimps +# ChrootDirectory /home/%u +# PermitTunnel no +# X11Forwarding no +# AllowTcpForwarding no +# AllowAgentForwarding no +# ForceCommand internal-sftp + +#----------------------------------------------------------- +# Set special SSH-User/Group options +#----------------------------------------------------------- + +# Match User manager +# 
PasswordAuthentication yes +# AllowTcpForwarding yes + + Match Group sshuser + PasswordAuthentication yes + AllowTcpForwarding yes + +#----------------------------------------------------------- +# Documentation +#----------------------------------------------------------- +# https://man7.org/linux/man-pages/man1/ssh-keygen.1.html +# https://man7.org/linux/man-pages/man5/sshd_config.5.html +EOF' + +sudo sh -c 'echo "sshd: ALL EXCEPT LOCAL" >> /etc/hosts.deny' +sudo sh -c 'echo "sshd: 192.168.10.0/255.255.255.0" >> /etc/hosts.allow' + +sudo systemctl restart sshd + +# sudo ufw allow ssh # Openssh-Server +sudo ufw limit ssh comment 'Rate limit for openssh server' +sudo ufw reload + +sudo apt autoremove && sudo apt autoclean && sudo apt clean diff --git a/LinuxMint22_Software.sh b/LinuxMint22_Software.sh index 1650a9d..3365975 100644 --- a/LinuxMint22_Software.sh +++ b/LinuxMint22_Software.sh @@ -8,14 +8,9 @@ fi ################################################################################ # # -# post-installation script for Linux +# Install Software @Linux Mint # # -# -################################################################################ -# -# root pass: master_user@vm-net#01 -# ################################################################################ while : do diff --git a/LinuxMint22_System.sh b/LinuxMint22_System.sh index c4269f9..02b9626 100644 --- a/LinuxMint22_System.sh +++ b/LinuxMint22_System.sh @@ -7,7 +7,7 @@ fi ################################################################################ # # -# Linux Mint 21 System Install +# Linux Mint 22 System Install # # ################################################################################ @@ -1005,4 +1005,4 @@ exit 1;; *) echo " Press [enter] key to continue. . ."; read enterKey;; esac -done \ No newline at end of file +done
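Review bot: `sudo mv /etc/ssh/{sshd_config,sshd_config.default}` depends on brace expansion, which the script's `#!/bin/sh` interpreter (dash on Debian-family systems) does not perform, so mv fails on a literal path and the following heredoc overwrites the only copy of sshd_config with no backup; use `sudo cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.default` instead. The new configuration is then activated with `sudo systemctl restart sshd` without being validated, so any typo in the heredoc leaves sshd down and a remote administrator locked out; add `sudo sshd -t || exit 1` before the restart. The `ssh-keygen ... -f /etc/ssh/ssh_host_ed25519_key` call runs unconditionally, which on an existing installation prompts to overwrite and, if confirmed, changes the host key fingerprint that every known client has recorded; guard it with `[ -f /etc/ssh/ssh_host_ed25519_key ] ||`. Note also that the `Match Group sshuser` block grants `AllowTcpForwarding yes` to the only group `AllowGroups` admits, so the global `AllowTcpForwarding no` has no practical effect, and the hosts.allow/hosts.deny entries only apply if this sshd build links libwrap, which current Debian/Ubuntu packages appear not to — verify (e.g. `ldd "$(command -v sshd)"`) before relying on them as an access control.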
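Review bot: The root password removed from the header comment of LinuxMint22_Software.sh remains recoverable from the repository history, so deleting the line does not un-disclose it; treat that credential as compromised and rotate it on every machine that used it. If rewriting history is not an option, the commit message should at least say so, rather than presenting this hunk as comment clean-up only.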