Revisions
NicolasRitouet revised this gist
Oct 13, 2021. 4 changed files with 6 additions and 22 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,7 +1,7 @@ <kbd> 📝️ This document is part of several gists related to installing things on OVH VPS:<br/> • <a href="https://gist.github.com/Potherca/6afcbae99bd43720571d3abb322f8465/">All steps to a clean OVH VPS install</a><br/> • <a href="https://gist.github.com/NicolasRitouet/d0faa172e0244c1f9f8e5a4b29d6e339"><strong>Script to make a VPS more secure</strong></a><i>(This Gist)</i><br/> • <a href="https://gist.github.com/Potherca/556b7a2bdff6318bb5932bcf7ef60379">Scripts to install Potherca projects on OVH VPS</a><br/> </kbd> @@ -24,7 +24,7 @@ The script is meant to be run _once_ directly after first login (as root) in a c 3. Run the main script ``` git clone https://gist.github.com/d0faa172e0244c1f9f8e5a4b29d6e339.git secure-server bash ./secure-server/secure-server.sh 'potherca' 'My $3cr3t P@$$w0rd' ``` @@ -33,7 +33,7 @@ bash ./secure-server/secure-server.sh 'potherca' 'My $3cr3t P@$$w0rd' To install this project, clone the repository: ``` git clone https://gist.github.com/d0faa172e0244c1f9f8e5a4b29d6e339.git secure-server ``` ## Usage @@ -45,7 +45,7 @@ The script requires one parameter, the name of the user to create. Example: ``` bash ./secure-server/secure-server.sh 'myusername' 'My $3cr3t P@$$w0rd' ``` ## Details 
@@ -61,8 +61,6 @@ To make the server more secure, the script does the following: 7. Setup [fail2ban](https://github.com/fail2ban/fail2ban) to help mitigate DDOS attacks 8. Remove the password associated with the "root" user The following advice was specifically _**not**_ followed: - **Re-generate the RSA and ED25519 keys**<br/> This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,10 +0,0 @@ This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -87,10 +87,6 @@ secure_server(){ # Copy/Create/Remove files # ========================================================================== # -------------------------------------------------------------------------- # Setup sshd configuration # -------------------------------------------------------------------------- 
@@ -118,7 +114,7 @@ secure_server(){ # -------------------------------------------------------------------------- # Regenerate Moduli used by SSH server for key exchange ssh-keygen -M generate -O bits=2048 moduli-2048.candidates ssh-keygen -M screen -f moduli-2048.candidates moduli-2048 mv moduli-2048 /etc/ssh/moduli # -------------------------------------------------------------------------- This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -60,7 +60,7 @@ UsePAM yes # PrintMotd (Message of the Day) is shown after login (from `/etc/motd`) # ------------------------------------------------------------------------------ # Banner none PrintMotd no # ------------------------------------------------------------------------------ # Change Hostkey Preference -
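Review bot: the `ssh-keygen -M generate` / `-M screen` forms in the secure-server.sh moduli hunk exist only from OpenSSH 8.2 onward, so under `set -o errexit` the script aborts on a VPS image that ships an older OpenSSH (Debian 10 has 7.9p1); guard the step with a version check or keep the `-G`/`-T` form as a fallback. The hunk also still generates `bits=2048` candidates while the script's unchanged `awk '$5 >= 3071'` filter (visible in the initial revision below) keeps only moduli of 3072 bits or more (the size column is bit length minus one), so every modulus just generated is discarded and `/etc/ssh/moduli` ends up empty; generate candidates of at least 3072 bits, or align the filter with the generated size.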
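Review bot: the sshd.conf hunk's `Banner none` and `PrintMotd no` are consistent with this revision also deleting the ten-line banner file and the `/etc/motd` copy step, but the comment kept directly above still describes `PrintMotd` as showing `/etc/motd` after login; reword it to say sshd now suppresses the MOTD. Note that on Debian and Ubuntu `pam_motd` in `/etc/pam.d/sshd` prints `/etc/motd` regardless of this sshd setting, so if the goal is no banner at all the file itself has to be emptied.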
NicolasRitouet revised this gist
Oct 13, 2021. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -117,7 +117,7 @@ secure_server(){ # -------------------------------------------------------------------------- # Regenerate Moduli used by SSH server for key exchange ssh-keygen -M generate -O bits=2048 moduli-2048.candidates ssh-keygen -T moduli-2048 -f moduli-2048.candidates mv moduli-2048 /etc/ssh/moduli -
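Review bot: the moduli hunk mixes two ssh-keygen interfaces: candidates are generated with the OpenSSH 8.2+ `-M generate` form but screened with the pre-8.2 `-T` form, so whichever OpenSSH is installed one of the two commands is likely to be rejected, and `set -o errexit` then stops the script before `mv moduli-2048 /etc/ssh/moduli`. Use one interface for both steps (`-M generate` with `-M screen`, or `-G` with `-T`), as the Oct 13, 2021 revision above does.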
Potherca revised this gist
Dec 25, 2019. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -99,7 +99,7 @@ secure_server(){ mv /etc/ssh/sshd_config /etc/ssh/sshd_config.backup # Use the suggested sshd settings instead cp "${sPath}/sshd.conf" /etc/ssh/sshd_config # Make sure nothing is wrong with the changed SSH settings sshd -t || { -
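Review bot: with this hunk the server configuration finally lands in `/etc/ssh/sshd_config`, but the failure branch of the `sshd -t || {` that follows still exits with the original file parked at `sshd_config.backup`, leaving the daemon with a configuration that just failed validation (a restart or reboot before the operator fixes it locks SSH out). Restore the backup in that branch, or copy the new file to a temporary path and validate it with `sshd -t -f <tmp>` before replacing the live file.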
Potherca revised this gist
Dec 25, 2019. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -99,7 +99,7 @@ secure_server(){ mv /etc/ssh/sshd_config /etc/ssh/sshd_config.backup # Use the suggested sshd settings instead cp "${sPath}/sshd.conf" /etc/ssh/ssh_config # Make sure nothing is wrong with the changed SSH settings sshd -t || { -
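Review bot: the copy target in this hunk is wrong: `cp "${sPath}/sshd.conf" /etc/ssh/ssh_config` overwrites the client configuration, while the `mv` directly above it moved the daemon's `sshd_config` away, so the `sshd -t` that follows runs against a missing `/etc/ssh/sshd_config` and errexit aborts the script. The destination should be `/etc/ssh/sshd_config` (corrected in the Dec 25, 2019 revision above).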
Potherca revised this gist
Dec 25, 2019. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -44,7 +44,7 @@ secure_server(){ # Create a regular user and add them to the sudo and ssh-user groups useradd \ --create-home \ --comment '' \ --groups 'ssh-user,sudo' \ --password "$(openssl passwd -1 "${sPassword}")" \ "${sUserName}" -
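Review bot: `--comment ''` is the correct `useradd` spelling (`--gecos` belongs to `adduser`), so this hunk fixes the previous revision. Two points remain on the same command: `openssl passwd -1` produces an MD5-crypt hash, which is a weak choice for a login password, so prefer `openssl passwd -6` (SHA-512, available from OpenSSL 1.1.1); and the resulting hash, together with the user name, is visible to every process via `ps` for the duration of `useradd`, which is tolerable on a single-operator fresh VPS but deserves a comment.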
Potherca revised this gist
Dec 25, 2019. 1 changed file with 7 additions and 6 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -41,12 +41,13 @@ secure_server(){ groupadd ssh-user # -------------------------------------------------------------------------- # Create a regular user and add them to the sudo and ssh-user groups useradd \ --create-home \ --gecos '' \ --groups 'ssh-user,sudo' \ --password "$(openssl passwd -1 "${sPassword}")" \ "${sUserName}" # ========================================================================== # Install Applications -
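Review bot: `useradd` does not accept `--gecos`; that is an `adduser` option, and the `useradd` equivalent is `--comment`, so this command fails with an unrecognized-option error and, under `set -o errexit`, the script stops before any SSH hardening is applied (the Dec 25, 2019 revision above fixes the flag). Switching from `adduser` to `useradd` is otherwise the right move, since `--create-home`, `--groups` and `--password` are `useradd` options.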
Potherca revised this gist
Dec 25, 2019. 2 changed files with 31 additions and 20 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -25,7 +25,7 @@ The script is meant to be run _once_ directly after first login (as root) in a c ``` git clone https://gist.github.com/fbfc656f62a91e67820019bc0aa64256.git secure-server bash ./secure-server/secure-server.sh 'potherca' 'My $3cr3t P@$$w0rd' ``` ## Installation @@ -45,7 +45,7 @@ The script requires one parameter, the name of the user to create. Example: ``` bash ./secure-server/secure-server.sh 'potherca' 'My $3cr3t P@$$w0rd' ``` ## Details This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -27,7 +27,8 @@ secure_server(){ exit 1 fi sUserName="${1?Two parameters required: <user-name> <password>}" sPassword="${2?Two parameters required: <user-name> <password>}" sPath="$(realpath "$(dirname "${BASH_SOURCE[0]}")")" @@ -40,13 +41,12 @@ secure_server(){ groupadd ssh-user # -------------------------------------------------------------------------- # Create a regular user and add the user to sudo and ssh groups adduser "${sUserName}" \ --create-home \ --gecos '' \ --groups 'ssh-user,sudo' \ --password "$(openssl passwd -1 "${sPassword}")" # ========================================================================== # Install Applications 
@@ -64,20 +64,23 @@ secure_server(){ # Install google-authenticator to enable using 2FA (Two Factor Authentication) # -------------------------------------------------------------------------- apt-get install \ -y \ sudo \ fail2ban \ libpam-google-authenticator # -------------------------------------------------------------------------- # Setup 2FA (Two Factor Authentication) for provided user sudo -u "${sUserName}" \ google-authenticator \ --disallow-reuse \ --emergency-codes=10 \ --force \ --qr-mode=none \ --rate-limit=3 \ --rate-time=30 \ --time-based \ --window-size=5 # ========================================================================== # Copy/Create/Remove files @@ -98,7 +101,10 @@ secure_server(){ cp "${sPath}/ssh.config" /etc/ssh/ssh_config # Make sure nothing is wrong with the changed SSH settings sshd -t || { echo "Please fix the problem stated above and run $0 again" >&2 exit 64 } # -------------------------------------------------------------------------- # Setup Fail2Ban configuration @@ -126,10 +132,15 @@ secure_server(){ sudo service fail2ban restart sudo service ssh restart sudo systemctl reload sshd # ============================================================================== # If everything went well, lock the door behind us # ============================================================================== # -------------------------------------------------------------------------- # Clear the history cat /dev/null > ~/.bash_history && history -c # -------------------------------------------------------------------------- # Remove the password associated with the "root" user echo 'root:*' | chpasswd -e -
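Review bot: the README hunk now passes the password as a second positional argument (`bash ./secure-server/secure-server.sh 'potherca' 'My $3cr3t P@$$w0rd'`) while the Usage sentence above it still says the script requires one parameter; update that sentence. Documenting the password as a command-line argument also puts it into root's shell history and exposes it through `ps` while the script runs, so prompting for it inside the script with `read -rs` is preferable.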
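Review bot: `adduser "${sUserName}" --create-home --gecos '' --groups 'ssh-user,sudo' --password ...` in the user-creation hunk combines options from two different tools: Debian's `adduser` knows `--gecos` but not `--create-home`, `--groups` or `--password` (those are `useradd` options), so the command fails and errexit aborts the run. Use `useradd` with `--create-home --comment '' --groups ... --password ...`, as the later revisions do.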
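Review bot: the 2FA hunk runs `google-authenticator --force --qr-mode=none` non-interactively as the new user, which prints the TOTP secret and the ten emergency codes to the terminal once and never again; since the script ends by removing root's password and PAM will demand a code on every SSH login, the operator must record those values before the session ends, so print an explicit reminder (or tell the operator where `~/.google_authenticator` lives). Separately, the `cat /dev/null > ~/.bash_history && history -c` step only affects the script's own non-interactive shell: the interactive root shell that launched the script still holds the invocation, password included, in memory and writes it to `~/.bash_history` on logout, so the scrubbing does not achieve what the comment intends.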
Potherca revised this gist
Dec 25, 2019. 2 changed files with 14 additions and 9 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,6 +15,8 @@ This project contains script(s) and files that make a fresh VPS more secure. The script is meant to be run _once_ directly after first login (as root) in a clean VPS. **⚠️ Please be aware that after the script has run it is impossible to log in as root! ⚠️** ## Quickstart 1. Log in to the VPS @@ -53,11 +55,11 @@ To make the server more secure, the script does the following: 1. Create a regular user (with restricted rights) 2. Add the new user to the (newly created) group specifically for ssh-users 3. Add the new user to the (already existing) group specifically for sudo users 4. Setup SSH Daemon configuration (as advised by various reputable online sources) 5. Regenerate Diffie-Hellman Moduli (used by SSH server for key exchange) and remove small (potentially unsafe) moduli 6. Setup 2FA (Two Factor Authentication) using [Google Authenticator PAM module](https://github.com/google/google-authenticator-libpam) 7. Setup [fail2ban](https://github.com/fail2ban/fail2ban) to help mitigate DDOS attacks 8. Remove the password associated with the "root" user For fun it also adds a SSH banner. This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -35,10 +35,6 @@ secure_server(){ # Setup users and user-groups # ========================================================================== # -------------------------------------------------------------------------- # Create a group for ssh-users groupadd ssh-user @@ -130,6 +126,13 @@ secure_server(){ sudo service fail2ban restart sudo service ssh restart sudo systemctl reload sshd # ============================================================================== # If everything went well, lock the door behind us # ============================================================================== # -------------------------------------------------------------------------- # Remove the password associated with the "root" user echo 'root:*' | chpasswd -e } if [[ "${BASH_SOURCE[0]}" != "${0}" ]]; then -
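Review bot: moving `echo 'root:*' | chpasswd -e` to the end of the secure-server.sh hunk is the right order: with errexit on, an earlier failure now leaves root usable instead of a half-hardened box with no way in. Nothing verifies the new account before that line runs, though; check it (at least `id "${sUserName}"` showing the `sudo` and `ssh-user` groups) or instruct the operator to open a second SSH session as the new user first, because once root is locked the only recovery path is the provider's console or rescue mode. The README hunk's warning that root login becomes impossible covers the user-facing side well.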
Potherca revised this gist
Dec 24, 2019. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,7 +1,7 @@ <kbd> 📝️ This document is part of several gists related to installing things on OVH VPS:<br/> • <a href="https://gist.github.com/Potherca/6afcbae99bd43720571d3abb322f8465/">All steps to a clean OVH VPS install</a><br/> • <a href="https://gist.github.com/Potherca/fbfc656f62a91e67820019bc0aa64256"><strong>Script to make a VPS more secure</strong></a><i>(This Gist)</i><br/> • <a href="https://gist.github.com/Potherca/556b7a2bdff6318bb5932bcf7ef60379">Scripts to install Potherca projects on OVH VPS</a><br/> </kbd> -
Potherca revised this gist
Dec 24, 2019. 1 changed file with 7 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,3 +1,10 @@ <kbd> 📝️ This document is part of several gists related to installing things on OVH VPS:<br/> • <a href="https://gist.github.com/Potherca/6afcbae99bd43720571d3abb322f8465/">All steps to a clean OVH VPS install</a><br/> • <a href="https://gist.github.com/Potherca/fbfc656f62a91e67820019bc0aa64256"><strong>Script to make a VPS more secure</strong></a><i>(This Gist)<i><br/> • <a href="https://gist.github.com/Potherca/556b7a2bdff6318bb5932bcf7ef60379">Scripts to install Potherca projects on OVH VPS</a><br/> </kbd> # Securing a (Virtual Private) Server In 2019 I moved various web-apps I have created to a VPS (hosted by OVH). -
Potherca revised this gist
Dec 24, 2019. 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,7 +15,7 @@ The script is meant to be run _once_ directly after first login (as root) in a c 3. Run the main script ``` git clone https://gist.github.com/fbfc656f62a91e67820019bc0aa64256.git secure-server bash ./secure-server/secure-server.sh potherca ``` @@ -24,7 +24,7 @@ bash ./secure-server/secure-server.sh potherca To install this project, clone the repository: ``` git clone https://gist.github.com/fbfc656f62a91e67820019bc0aa64256.git secure-server ``` ## Usage -
Potherca revised this gist
Dec 23, 2019. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -63,7 +63,7 @@ The following advice was specifically _**not**_ followed: - **Remove `/etc/ssh/ssh_host_*` keys**<br/> Instead, the `HostKey` setting is used to explicitly set which keys to use - **Change the password associated with the "root" user**<br/> The password is removed entirely, rather than changed. - **Change the port for SSH**<br/> -
Potherca revised this gist
Dec 19, 2019. 3 changed files with 41 additions and 29 deletions.
@@ -43,18 +43,34 @@ bash ./secure-server/secure-server.sh potherca To make the server more secure, the script does the following: 1. Create a regular user (with restricted rights) 2. Add the new user to the (newly created) group specifically for ssh-users 3. Add the new user to the (already existing) group specifically for sudo users 4. Remove the password associated with the "root" user 5. Setup SSH Daemon configuration (as advised by various reputable online sources) 6. Regenerate Diffie-Hellman Moduli (used by SSH server for key exchange) and remove small (potentially unsafe) moduli 7. Setup 2FA (Two Factor Authentication) using [Google Authenticator PAM module](https://github.com/google/google-authenticator-libpam) 8. Setup [fail2ban](https://github.com/fail2ban/fail2ban) to help mitigate DDOS attacks For fun it also adds a SSH banner. The following advice was specifically _**not**_ followed: - **Re-generate the RSA and ED25519 keys**<br/> Not needed as the script is run on a freshly installed VPS. This means the keys have just been generated. Re-generating does not have much benefit. - **Remove `/etc/ssh/ssh_host_*` keys**<br/> Instead, the `HostKey` setting is used to explicitly set which keys to use - **Change the password associated with the "root" user **<br/> The password is removed entirely, rather than changed. - **Change the port for SSH**<br/> The argument _for_ changing the SSH port is to lessen the amount of hits to the standard port 22. However, from personal experience, I don't see any less port scans on the chnaged port. Also, changing the port means one has to remember which port SSH was changed to. ## Sources The following sources (in no particular order) were used to create this project: 
@@ -65,9 +81,11 @@ The following sources (in no particular order) were used to create this project: - https://stribika.github.io/2015/01/04/secure-secure-shell.html - https://www.ssh-audit.com/hardening_guides.html My thanks also goes out to @mjrider for sanity checks. ## License This project has been created by [Potherca](https://pother.ca) and is licensed under a **GPL-3.0+ License**. (GNU General Public License v3.0 or later). > Copyright (C) 2019 Potherca This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -36,17 +36,21 @@ secure_server(){ # ========================================================================== # -------------------------------------------------------------------------- # Remove the password associated with the "root" user echo 'root:*' | chpasswd -e # -------------------------------------------------------------------------- # Create a group for ssh-users groupadd ssh-user # -------------------------------------------------------------------------- # Create a regular user (with restricted rights) adduser "${sUserName}" # -------------------------------------------------------------------------- # Add the normal user to sudo and ssh groups usermod -aG ssh-user "${sUserName}" usermod -aG sudo "${sUserName}" # ========================================================================== # Install Applications @@ -64,6 +68,7 @@ secure_server(){ # Install google-authenticator to enable using 2FA (Two Factor Authentication) # -------------------------------------------------------------------------- apt-get install \ sudo \ fail2ban \ libpam-google-authenticator 
@@ -100,19 +105,13 @@ secure_server(){ sshd -t # -------------------------------------------------------------------------- # Setup Fail2Ban configuration cp "${sPath}/fail2ban.conf" /etc/fail2ban/jail.local # -------------------------------------------------------------------------- # Add the Google Authenticator to the PAM rule file for SSH echo 'auth required pam_google_authenticator.so' >> /etc/pam.d/sshd # -------------------------------------------------------------------------- # Regenerate Moduli used by SSH server for key exchange ssh-keygen -G moduli-2048.candidates -b 2048 This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -26,11 +26,6 @@ ClientAliveInterval 300 # ------------------------------------------------------------------------------ AllowGroups ssh-user # ------------------------------------------------------------------------------ # Limit number of login attempts # ------------------------------------------------------------------------------ -
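Review bot: in the secure-server.sh hunk `echo 'root:*' | chpasswd -e` now runs first, before the regular user exists, before `sudo` is installed by the `apt-get install` further down, and before any SSH configuration is applied; any failure in between (errexit is on) leaves a machine with no root password and no sudo-capable user. Remove root's password as the final step, after everything else has succeeded (the Dec 25, 2019 revision above does this).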
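Review bot: item 8 of the README hunk describes fail2ban as helping to "mitigate DDOS attacks"; fail2ban bans individual source addresses after repeated authentication failures, which blunts brute-force and credential-stuffing against sshd but does nothing useful against a distributed denial of service, so say "brute-force login attempts" (the script's own comment, "protects against sshd brute-force attacks", has it right). "chnaged" in the SSH-port bullet is a typo.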
Potherca revised this gist
Dec 19, 2019. 6 changed files with 346 additions and 43 deletions.
@@ -0,0 +1,85 @@ # Securing a (Virtual Private) Server In 2019 I moved various web-apps I have created to a VPS (hosted by OVH). I strongly believe in automating things and making virtual setups easy to throw away/start again. This project contains script(s) and files that make a fresh VPS more secure. The script is meant to be run _once_ directly after first login (as root) in a clean VPS. ## Quickstart 1. Log in to the VPS 2. Clone this repository 3. Run the main script ``` git clone [email protected]:fbfc656f62a91e67820019bc0aa64256.git secure-server bash ./secure-server/secure-server.sh potherca ``` ## Installation To install this project, clone the repository: ``` git clone [email protected]:fbfc656f62a91e67820019bc0aa64256.git secure-server ``` ## Usage To use this project, run the main script. The script requires one parameter, the name of the user to create. Example: ``` bash ./secure-server/secure-server.sh potherca ``` ## Details To make the server more secure, the script does the following: 1. Setup SSH Daemon and configuration as advised by various reputable online sources 1. Re-generate the RSA and ED25519 keys 2. Regenerate Moduli used by SSH server for key exchange 3. Remove small Diffie-Hellman moduli 2. Setup 2FA (Two Factor Authentication) using Google Authenticator 3. Setup fail2ban to help mitigate DDOS attacks 4. Change the password associated with the "root" user 5. Create a "normal" user (with restricted rights) 6. Create a group for ssh-users for the normal user For fun it also adds a SSH banner. 
## Sources The following sources (in no particular order) were used to create this project: - https://docs.ovh.com/gb/en/vps/tips-for-securing-a-vps/ - https://infosec.mozilla.org/guidelines/openssh - https://linux-audit.com/audit-and-harden-your-ssh-configuration/ - https://stribika.github.io/2015/01/04/secure-secure-shell.html - https://www.ssh-audit.com/hardening_guides.html ## License This project has been created by [Potherca](https://pother.ca).and is licensed under a **GPL-3.0+ License**. (GNU General Public License v3.0 or later). > Copyright (C) 2019 Potherca > > This program is free software: you can redistribute it and/or modify it under > the terms of the GNU General Public License as published by the Free Software > Foundation, either version 3 of the License, or (at your option) any later > version. > > This program is distributed in the hope that it will be useful, but WITHOUT > ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS > FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. > > You should have received a copy of the GNU General Public License along with > this program. If not, see <http://www.gnu.org/licenses/>. This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,10 @@ ██▓███ ▒█████ ▄▄▄█████▓ ██░ ██ ▓█████ ██▀███ ▄████▄ ▄▄▄ ▓██░ ██▒▒██▒ ██▒▓ ██▒ ▓▒▓██░ ██▒▓█ ▀ ▓██ ▒ ██▒▒██▀ ▀█ ▒████▄ ▓██░ ██▓▒▒██░ ██▒▒ ▓██░ ▒░▒██▀▀██░▒███ ▓██ ░▄█ ▒▒▓█ ▄ ▒██ ▀█▄ ▒██▄█▓▒ ▒▒██ ██░░ ▓██▓ ░ ░▓█ ░██ ▒▓█ ▄ ▒██▀▀█▄ ▒▓▓▄ ▄██▒░██▄▄▄▄██ ▒██▒ ░ ░░ ████▓▒░ ▒██▒ ░ ░▓█▒░██▓░▒████▒░██▓ ▒██▒▒ ▓███▀ ░ ▓█ ▓██▒ ▒▓▒░ ░ ░░ ▒░▒░▒░ ▒ ░░ ▒ ░░▒░▒░░ ▒░ ░░ ▒▓ ░▒▓░░ ░▒ ▒ ░ ▒▒ ▓▒█░ ░▒ ░ ░ ▒ ▒░ ░ ▒ ░▒░ ░ ░ ░ ░ ░▒ ░ ▒░ ░ ▒ ▒ ▒▒ ░ ░░ ░ ░ ░ ▒ ░ ░ ░░ ░ ░ ░░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,18 @@ # ============================================================================== # This file makes use of version 0.9 config. It overrides settings from the # default configuration in /etc/fail2ban/jail.conf # ------------------------------------------------------------------------------ [default] bantime = 900 findtime = 600 maxfailures = 3 [sshd] enabled = true maxretry = 3 [apache-noscript] bantime = 43200 enabled = true maxretry = 3 # ============================================================================== This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,43 +0,0 @@ This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,142 @@ #!/usr/bin/env bash # ============================================================================== # secure-server.sh # ------------------------------------------------------------------------------ # Copyright (C) 2019 Potherca # # This program is free software: you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free Software # Foundation, either version 3 of the License, or (at your option) any later # version. # # This program is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along with # this program. If not, see <http://www.gnu.org/licenses/>. # ============================================================================== set -o errexit -o errtrace -o nounset -o pipefail secure_server(){ if [ "$(id -u)" != 0 ]; then echo "This script needs to be run as root." 
>&2 exit 1 fi sUserName="${1?One parameter required: <user-name>}" sPath="$(realpath "$(dirname "${BASH_SOURCE[0]}")")" # ========================================================================== # Setup users and user-groups # ========================================================================== # -------------------------------------------------------------------------- # Change the password associated with the user “root” passwd root # -------------------------------------------------------------------------- # Creating a user with restricted rights, and intervening in the system with root rights adduser "${sUserName}" # -------------------------------------------------------------------------- # Create a group for ssh-users groupadd ssh-user usermod -a -G ssh-user "${sUserName}" # ========================================================================== # Install Applications # ========================================================================== # -------------------------------------------------------------------------- # Update the system # -------------------------------------------------------------------------- apt-get update apt-get upgrade # -------------------------------------------------------------------------- # Install Fail2Ban as it protects against sshd brute-force attacks # -------------------------------------------------------------------------- # Install google-authenticator to enable using 2FA (Two Factor Authentication) # -------------------------------------------------------------------------- apt-get install \ fail2ban \ libpam-google-authenticator # -------------------------------------------------------------------------- # Setup 2FA (Two Factor Authentication) google-authenticator \ --disallow-reuse \ --emergency-codes=10 \ --qr-mode=none \ --rate-limit=3 \ --rate-time=30 \ --time-based \ --window-size=5 # ========================================================================== # Copy/Create/Remove files # 
========================================================================== # -------------------------------------------------------------------------- # Set up SSH banner cp "${sPath}/banner.txt" /etc/motd # -------------------------------------------------------------------------- # Setup sshd configuration # -------------------------------------------------------------------------- # Backup the original sshd settings mv /etc/ssh/sshd_config /etc/ssh/sshd_config.backup # Use the suggested sshd settings instead cp "${sPath}/ssh.config" /etc/ssh/ssh_config # Make sure nothing is wrong with the changed SSH settings sshd -t # -------------------------------------------------------------------------- # Install and setup Fail2Ban as it protects against sshd brute-force attacks cp "${sPath}/fail2ban.conf" /etc/fail2ban/jail.local # -------------------------------------------------------------------------- # Edit the PAM rule file echo 'auth required pam_google_authenticator.so' >> /etc/pam.d/sshd # -------------------------------------------------------------------------- # Re-generate the RSA and ED25519 keys rm /etc/ssh/ssh_host_*key* ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" < /dev/null ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" < /dev/null # -------------------------------------------------------------------------- # Regenerate Moduli used by SSH server for key exchange ssh-keygen -G moduli-2048.candidates -b 2048 ssh-keygen -T moduli-2048 -f moduli-2048.candidates mv moduli-2048 /etc/ssh/moduli # -------------------------------------------------------------------------- # Remove small Diffie-Hellman moduli awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe mv /etc/ssh/moduli.safe /etc/ssh/moduli # ============================================================================== # Load the changed configuration by restarting services # ============================================================================== sudo service 
fail2ban restart sudo service ssh restart sudo systemctl reload sshd } if [[ "${BASH_SOURCE[0]}" != "${0}" ]]; then export -f secure_server else secure_server "${@}" exit $? fi # ============================================================================== This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
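Review bot: the hardened sshd settings in the "Setup sshd configuration" step never reach sshd: `mv /etc/ssh/sshd_config /etc/ssh/sshd_config.backup` removes the daemon's config, but the replacement is written with `cp "${sPath}/ssh.config" /etc/ssh/ssh_config`, which is the ssh client config, so the following `sshd -t` has no /etc/ssh/sshd_config to validate and the intended Port, PermitRootLogin and AllowGroups settings are never applied; the destination should be /etc/ssh/sshd_config. Two further problems in the same file: the moduli regeneration only produces 2048-bit candidates (`ssh-keygen -G moduli-2048.candidates -b 2048`, whose size column is 2047) and is then filtered with `awk '$5 >= 3071'`, so every generated group is discarded and /etc/ssh/moduli ends up empty; generate at 3072 bits or larger, or drop the filter. And `google-authenticator` runs as root, so the TOTP secret lands in /root/.google_authenticator rather than in the new user's home, leaving the `pam_google_authenticator.so` rule without a secret for "${sUserName}"; run it as that user, for example `su - "${sUserName}" -c 'google-authenticator ...'`.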
@@ -0,0 +1,91 @@ # ============================================================================== # For all config settings see: https://man.openbsd.org/sshd_config # ============================================================================== # ------------------------------------------------------------------------------ # Set to newest protocol # ------------------------------------------------------------------------------ Protocol 2 # ------------------------------------------------------------------------------ # Disable Root # ------------------------------------------------------------------------------ PermitRootLogin no # ------------------------------------------------------------------------------ # Disconnect Idle Sessions # ------------------------------------------------------------------------------ # Number of times to check before disconnecting ClientAliveCountMax 2 # ------------------------------------------------------------------------------ # Number of seconds of inactivity after which to check client session ClientAliveInterval 300 # ------------------------------------------------------------------------------ # Whitelist Users # ------------------------------------------------------------------------------ AllowGroups ssh-user # ------------------------------------------------------------------------------ # Change SSH Port # ------------------------------------------------------------------------------ Port 77 # ------------------------------------------------------------------------------ # Limit number of login attempts # ------------------------------------------------------------------------------ MaxAuthTries 3 # ------------------------------------------------------------------------------ # Check if the client connecting maps back to the same hostname and IP address. 
# ------------------------------------------------------------------------------ # Only use this when you are sure your internal DNS is properly configured (HOW TO KNOW?) # ------------------------------------------------------------------------------ # UseDNS yes # ------------------------------------------------------------------------------ # Disable Password Authentication to force users to use SSH keys # ------------------------------------------------------------------------------ # This will not work for Chromebook without extra work. It should also only be # used AFTER the user has logged in with SSH only. HOW TO CHECK THIS? # ------------------------------------------------------------------------------ # PasswordAuthentication no # PubkeyAuthentication yes # ------------------------------------------------------------------------------ # Use Google Authenticator for 2FA # ------------------------------------------------------------------------------ ChallengeResponseAuthentication yes UsePAM yes # ------------------------------------------------------------------------------ # Banners # # Banner is shown before login (default is `/etc/issue.net`, path can be changed) # PrintMotd (Message of the Day) is shown after login (from `/etc/motd`) # ------------------------------------------------------------------------------ # Banner none PrintMotd yes # ------------------------------------------------------------------------------ # Change Hostkey Preference # ------------------------------------------------------------------------------ HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key # ------------------------------------------------------------------------------ # Restrict supported key exchange, cipher, and MAC algorithms # # The first two KexAlgorithms entries should be enough but some servers like # Github and Heroku (sometimes) require SHA # ------------------------------------------------------------------------------ # There are 
some contradicting instructions in online sources regarding these: # # KexAlgorithms (?) curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, # MACs (?) hmac-sha2-512,hmac-sha2-256,[email protected] # ------------------------------------------------------------------------------ Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 MACs [email protected],[email protected],[email protected] #EOF -
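Review bot: the `KexAlgorithms` line contradicts the "Restrict supported key exchange" heading above it by keeping `diffie-hellman-group-exchange-sha1` and `diffie-hellman-group14-sha1`, both SHA-1 based; the set named in the comment (`curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512`) is the stronger choice, and the remark that GitHub and Heroku require SHA-1 is a client-side concern that does not apply to a server-side sshd configuration. Minor points: `Protocol 2` is a no-op in current OpenSSH (protocol 1 was removed), the open questions left in comments ("HOW TO KNOW?", "HOW TO CHECK THIS?") should be resolved or removed before the file ships, and the file is named `ssh.config` although every directive in it is for sshd, which invites exactly the wrong-destination copy seen in the install script.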
Potherca created this gist
Apr 26, 2019
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,43 @@ #!/usr/bin/env bash set -o errexit -o errtrace -o nounset -o pipefail # This scripts goes through all the steps in https://docs.ovh.com/gb/en/vps/tips-for-securing-a-vps/ secure-ovh-vps(){ sPort="${1?Two parameters required: <ssh-port> <user-name>}" sUser="${2?Two parameters required: <ssh-port> <user-name>}" # Update your system apt-get update apt-get upgrade # Change the default SSH listening port echo "Port ${sPort}" >> /etc/ssh/sshd_config /etc/init.d/ssh restart # Change the password associated with the user “root” passwd root # Creating a user with restricted rights, and intervening in the system with root rights adduser "${sUser}" # Disable server access via the root user echo "PermitRootLogin no" >> /etc/ssh/sshd_config /etc/init.d/ssh restart # Install and configure the Fail2ban package apt-get install fail2ban # cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup # nano /etc/fail2ban/jail.conf # /etc/init.d/fail2ban restart } if [[ "${BASH_SOURCE[0]}" != "${0}" ]]; then export -f secure-ovh-vps else secure-ovh-vps "${@}" exit $? fi #EOF
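Review bot: the new user is never granted administrative rights: the comment reads "Creating a user with restricted rights, and intervening in the system with root rights", but after `adduser "${sUser}"` there is no `usermod -aG sudo "${sUser}"`, so once `echo "PermitRootLogin no" >> /etc/ssh/sshd_config` takes effect there is no remote path to root at all. The two `echo ... >> /etc/ssh/sshd_config` lines also only append: sshd honours the first occurrence of a directive, so if the distribution file already carries an uncommented `Port` or `PermitRootLogin`, the appended values are silently ignored; replace them in place instead, and confirm the effective values with `sshd -T` before each `/etc/init.d/ssh restart`.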