zulumann/LinuxMint
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

2025.04.11-11:50

Browse Source
This commit is contained in:
zulumann
2025-04-11 11:47:37 +02:00
parent 3341dd10fc
commit 5d6f1c3cd1
3 changed files with 163 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

160
LinuxMint22_SSH-Server.sh Normal file
View File

@ -0,0 +1,160 @@
#!/bin/sh
#
if [ ! -f /etc/debian_version ]; then
echo "Unsupported Linux Distribution. Prepared for Debian"
exit 1
fi
################################################################################
#
#
# Install OpenSSH-Server @Linux Mint
#
#
################################################################################
#
sudo groupadd sshuser
sudo usermod -a -G sshuser $USER
# Sicherheitskopie der SSH-Serverkonfiguration erstellen
sudo mv /etc/ssh/{sshd_config,sshd_config.default}
# SSH-Key erstellen
sudo ssh-keygen -o -a 100 -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key -C "$(whoami)@$(hostname)-$(date -I)"
sudo bash -c 'cat << EOF > /etc/ssh/sshd_config
#-----------------------------------------------------------
# General - /etc/ssh/sshd_config
#-----------------------------------------------------------
Port 22 # Custom SSH Port
Protocol 2 # The one and only Protocol
AddressFamily any # IPv4 and IPv6 Net. Use inet for only IPv4
#-----------------------------------------------------------
# HostKey - Only the curvy one
#-----------------------------------------------------------
HostKey /etc/ssh/ssh_host_ed25519_key # Allow only the vely vely secure ECDSA Pub-Key Authentication
#-----------------------------------------------------------
# Ciphers - Only the ultramodern ones
#-----------------------------------------------------------
KexAlgorithms curve25519-sha256@libssh.org # Key exchange methods to generate per-connection keys
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 # Message authentication codes used to detect traffic modification
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Allow only sexy Encrypt-Ciphers. For Android-Connection add aes256-ctr
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Accepted Pub-Key algorithms for the SSH-Server to authenticate to a SSH-Client
#-----------------------------------------------------------
# Logging
#-----------------------------------------------------------
LogLevel INFO # VERBOSE for more like key fingerprint logging
SyslogFacility AUTHPRIV # Logging Authentication Commands
#-----------------------------------------------------------
# Authentication:
#-----------------------------------------------------------
MaxSessions 2 # Maximum allowed User Sessions
MaxAuthTries 3 # Maximum allowed Auth Attempts
StrictModes yes # Prevents Configuration Errors
LoginGraceTime 60 # Login Period Time to authenticate
PermitRootLogin no # Disable direct root Login
PubkeyAuthentication yes # Allow Pub-Key Authentication
PasswordAuthentication yes # Allow Password Authentication. Disable if no need
IgnoreRhosts yes # Disable User Rhost Files
PermitEmptyPasswords no # Disable Empty Passwords
HostbasedAuthentication no # Disable Host-based Authentication
ChallengeResponseAuthentication no
TCPKeepAlive yes # Prevent from dropping the Connection
ClientAliveCountMax 2 # Sends 2 times ClientAlive Message till drop
ClientAliveInterval 1800 # Kills Connection after 30 Min inactivity
#-----------------------------------------------------------
# Security
#-----------------------------------------------------------
UsePAM yes # Allow PAM Authentication
Compression no # Disable Compression for better Security
# AllowUsers root # Allow special Users.
AllowGroups sshuser # Allow special Group.
# RekeyLimit 1G 1H # Limiting amount of data transmitted with a single session key
Banner none # Disable Banner
DebianBanner no # Disable Banner for Debian-based Systems
VersionAddendum none # Disable SSH Protocol Banner
PrintMotd no # Disable Message of the Day
PrintLastLog yes # Enable Date and Time of the last user login
PermitTunnel no # Disable tun Device forwarding. Only SSH Connections!
PermitUserRC no # Disable User RC Files
PermitUserEnvironment no # Disable User Environment Files
# Disable Forwarding
GatewayPorts no # Disable Remote Port Forwarding
X11Forwarding no # Disable X11 Forwarding/Tunneling (GUI)
AllowTcpForwarding no # Disable TCP Forwarding/Tunneling
AllowAgentForwarding no # Disable Agent Forwarding/Tunneling
# Disable Kerberos Authentication # Disable Kerberos Authentication
KerberosOrLocalPasswd no
KerberosAuthentication no
KerberosTicketCleanup yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
AuthorizedKeysFile %h/.ssh/authorized_keys # Set AuthorizedKeysFile in a controlled manner
#-----------------------------------------------------------
# Misc
#-----------------------------------------------------------
UseDNS no # Disables DSN-Lookup for the Love of Speed
AcceptEnv LANG LC_* # Allow locale environment variables for Clients
#-----------------------------------------------------------
# SFTP
#-----------------------------------------------------------
# SFTP - Enable if need
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
# Set special stuff to special SFTP-Users - Enable if you use SFTP
# Match Group sftp-pimps
# ChrootDirectory /home/%u
# PermitTunnel no
# X11Forwarding no
# AllowTcpForwarding no
# AllowAgentForwarding no
# ForceCommand internal-sftp
#-----------------------------------------------------------
# Set special SSH-User/Group options
#-----------------------------------------------------------
# Match User manager
# PasswordAuthentication yes
# AllowTcpForwarding yes
Match Group sshuser
PasswordAuthentication yes
AllowTcpForwarding yes
#-----------------------------------------------------------
# Documentation
#-----------------------------------------------------------
# https://man7.org/linux/man-pages/man1/ssh-keygen.1.html
# https://man7.org/linux/man-pages/man5/sshd_config.5.html
EOF'
sudo sh -c 'echo "sshd: ALL EXCEPT LOCAL" >> /etc/hosts.deny'
sudo sh -c 'echo "sshd: 192.168.10.0/255.255.255.0" >> /etc/hosts.allow'
sudo systemctl restart sshd
# sudo ufw allow ssh # Openssh-Server
sudo ufw limit ssh comment 'Rate limit for openssh server'
sudo ufw reload
sudo apt autoremove && sudo apt autoclean && sudo apt clean

7
LinuxMint22_Software.sh
View File

@ -8,14 +8,9 @@ fi
################################################################################ ################################################################################
# #
# #
# post-installation script for Linux # Install Software @Linux Mint
# #
# #
#
################################################################################
#
# root pass: master_user@vm-net#01
#
################################################################################ ################################################################################
while : while :
do do

2
LinuxMint22_System.sh
View File

@ -7,7 +7,7 @@ fi
################################################################################ ################################################################################
# #
# #
# Linux Mint 21 System Install # Linux Mint 22 System Install
# #
# #
################################################################################ ################################################################################