2025.04.11-11:50
This commit is contained in:
160
LinuxMint22_SSH-Server.sh
Normal file
160
LinuxMint22_SSH-Server.sh
Normal file
@ -0,0 +1,160 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
if [ ! -f /etc/debian_version ]; then
|
||||
echo "Unsupported Linux Distribution. Prepared for Debian"
|
||||
exit 1
|
||||
fi
|
||||
################################################################################
|
||||
#
|
||||
#
|
||||
# Install OpenSSH-Server @Linux Mint
|
||||
#
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
sudo groupadd sshuser
|
||||
sudo usermod -a -G sshuser $USER
|
||||
|
||||
# Sicherheitskopie der SSH-Serverkonfiguration erstellen
|
||||
sudo mv /etc/ssh/{sshd_config,sshd_config.default}
|
||||
|
||||
# SSH-Key erstellen
|
||||
sudo ssh-keygen -o -a 100 -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key -C "$(whoami)@$(hostname)-$(date -I)"
|
||||
|
||||
sudo bash -c 'cat << EOF > /etc/ssh/sshd_config
|
||||
#-----------------------------------------------------------
|
||||
# General - /etc/ssh/sshd_config
|
||||
#-----------------------------------------------------------
|
||||
Port 22 # Custom SSH Port
|
||||
Protocol 2 # The one and only Protocol
|
||||
|
||||
AddressFamily any # IPv4 and IPv6 Net. Use inet for only IPv4
|
||||
|
||||
#-----------------------------------------------------------
|
||||
# HostKey - Only the curvy one
|
||||
#-----------------------------------------------------------
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key # Allow only the vely vely secure ECDSA Pub-Key Authentication
|
||||
|
||||
#-----------------------------------------------------------
|
||||
# Ciphers - Only the ultramodern ones
|
||||
#-----------------------------------------------------------
|
||||
KexAlgorithms curve25519-sha256@libssh.org # Key exchange methods to generate per-connection keys
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 # Message authentication codes used to detect traffic modification
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Allow only sexy Encrypt-Ciphers. For Android-Connection add aes256-ctr
|
||||
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Accepted Pub-Key algorithms for the SSH-Server to authenticate to a SSH-Client
|
||||
|
||||
#-----------------------------------------------------------
|
||||
# Logging
|
||||
#-----------------------------------------------------------
|
||||
LogLevel INFO # VERBOSE for more like key fingerprint logging
|
||||
SyslogFacility AUTHPRIV # Logging Authentication Commands
|
||||
|
||||
#-----------------------------------------------------------
|
||||
# Authentication:
|
||||
#-----------------------------------------------------------
|
||||
MaxSessions 2 # Maximum allowed User Sessions
|
||||
MaxAuthTries 3 # Maximum allowed Auth Attempts
|
||||
|
||||
StrictModes yes # Prevents Configuration Errors
|
||||
LoginGraceTime 60 # Login Period Time to authenticate
|
||||
PermitRootLogin no # Disable direct root Login
|
||||
|
||||
PubkeyAuthentication yes # Allow Pub-Key Authentication
|
||||
PasswordAuthentication yes # Allow Password Authentication. Disable if no need
|
||||
|
||||
IgnoreRhosts yes # Disable User Rhost Files
|
||||
PermitEmptyPasswords no # Disable Empty Passwords
|
||||
HostbasedAuthentication no # Disable Host-based Authentication
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
TCPKeepAlive yes # Prevent from dropping the Connection
|
||||
ClientAliveCountMax 2 # Sends 2 times ClientAlive Message till drop
|
||||
ClientAliveInterval 1800 # Kills Connection after 30 Min inactivity
|
||||
|
||||
#-----------------------------------------------------------
|
||||
# Security
|
||||
#-----------------------------------------------------------
|
||||
UsePAM yes # Allow PAM Authentication
|
||||
Compression no # Disable Compression for better Security
|
||||
|
||||
# AllowUsers root # Allow special Users.
|
||||
AllowGroups sshuser # Allow special Group.
|
||||
|
||||
# RekeyLimit 1G 1H # Limiting amount of data transmitted with a single session key
|
||||
|
||||
Banner none # Disable Banner
|
||||
DebianBanner no # Disable Banner for Debian-based Systems
|
||||
VersionAddendum none # Disable SSH Protocol Banner
|
||||
|
||||
PrintMotd no # Disable Message of the Day
|
||||
PrintLastLog yes # Enable Date and Time of the last user login
|
||||
|
||||
PermitTunnel no # Disable tun Device forwarding. Only SSH Connections!
|
||||
PermitUserRC no # Disable User RC Files
|
||||
PermitUserEnvironment no # Disable User Environment Files
|
||||
|
||||
# Disable Forwarding
|
||||
GatewayPorts no # Disable Remote Port Forwarding
|
||||
X11Forwarding no # Disable X11 Forwarding/Tunneling (GUI)
|
||||
AllowTcpForwarding no # Disable TCP Forwarding/Tunneling
|
||||
AllowAgentForwarding no # Disable Agent Forwarding/Tunneling
|
||||
|
||||
# Disable Kerberos Authentication # Disable Kerberos Authentication
|
||||
KerberosOrLocalPasswd no
|
||||
KerberosAuthentication no
|
||||
KerberosTicketCleanup yes
|
||||
GSSAPIAuthentication no
|
||||
GSSAPICleanupCredentials yes
|
||||
|
||||
AuthorizedKeysFile %h/.ssh/authorized_keys # Set AuthorizedKeysFile in a controlled manner
|
||||
|
||||
#-----------------------------------------------------------
|
||||
# Misc
|
||||
#-----------------------------------------------------------
|
||||
UseDNS no # Disables DSN-Lookup for the Love of Speed
|
||||
AcceptEnv LANG LC_* # Allow locale environment variables for Clients
|
||||
|
||||
#-----------------------------------------------------------
|
||||
# SFTP
|
||||
#-----------------------------------------------------------
|
||||
# SFTP - Enable if need
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
|
||||
|
||||
# Set special stuff to special SFTP-Users - Enable if you use SFTP
|
||||
# Match Group sftp-pimps
|
||||
# ChrootDirectory /home/%u
|
||||
# PermitTunnel no
|
||||
# X11Forwarding no
|
||||
# AllowTcpForwarding no
|
||||
# AllowAgentForwarding no
|
||||
# ForceCommand internal-sftp
|
||||
|
||||
#-----------------------------------------------------------
|
||||
# Set special SSH-User/Group options
|
||||
#-----------------------------------------------------------
|
||||
|
||||
# Match User manager
|
||||
# PasswordAuthentication yes
|
||||
# AllowTcpForwarding yes
|
||||
|
||||
Match Group sshuser
|
||||
PasswordAuthentication yes
|
||||
AllowTcpForwarding yes
|
||||
|
||||
#-----------------------------------------------------------
|
||||
# Documentation
|
||||
#-----------------------------------------------------------
|
||||
# https://man7.org/linux/man-pages/man1/ssh-keygen.1.html
|
||||
# https://man7.org/linux/man-pages/man5/sshd_config.5.html
|
||||
EOF'
|
||||
|
||||
sudo sh -c 'echo "sshd: ALL EXCEPT LOCAL" >> /etc/hosts.deny'
|
||||
sudo sh -c 'echo "sshd: 192.168.10.0/255.255.255.0" >> /etc/hosts.allow'
|
||||
|
||||
sudo systemctl restart sshd
|
||||
|
||||
# sudo ufw allow ssh # Openssh-Server
|
||||
sudo ufw limit ssh comment 'Rate limit for openssh server'
|
||||
sudo ufw reload
|
||||
|
||||
sudo apt autoremove && sudo apt autoclean && sudo apt clean
|
@ -8,14 +8,9 @@ fi
|
||||
################################################################################
|
||||
#
|
||||
#
|
||||
# post-installation script for Linux
|
||||
# Install Software @Linux Mint
|
||||
#
|
||||
#
|
||||
#
|
||||
################################################################################
|
||||
#
|
||||
# root pass: master_user@vm-net#01
|
||||
#
|
||||
################################################################################
|
||||
while :
|
||||
do
|
||||
|
@ -7,7 +7,7 @@ fi
|
||||
################################################################################
|
||||
#
|
||||
#
|
||||
# Linux Mint 21 System Install
|
||||
# Linux Mint 22 System Install
|
||||
#
|
||||
#
|
||||
################################################################################
|
||||
|
Reference in New Issue
Block a user