From 0937036155aeacff60a66106296e943723033f50 Mon Sep 17 00:00:00 2001
From: ReachableCEO
Date: Wed, 2 Jul 2025 18:15:03 -0500
Subject: [PATCH] had inverse logic. fixed. still shouldn't have caused script to error though... hmm...
---
 ProjectCode/Modules/Security/secharden-ssh.sh | 69 +++++++++----------
 1 file changed, 31 insertions(+), 38 deletions(-)
diff --git a/ProjectCode/Modules/Security/secharden-ssh.sh b/ProjectCode/Modules/Security/secharden-ssh.sh
index 7651b25..7c99810 100644
--- a/ProjectCode/Modules/Security/secharden-ssh.sh
+++ b/ProjectCode/Modules/Security/secharden-ssh.sh
@@ -2,12 +2,6 @@
 set -x
-export framework_include_file
-framework_include_file=""
-
-export project_include_file
-project_include_file=""
-
 for framework_include_file in ../../../Framework-Includes/*; do
 source "$framework_include_file"
 done
@@ -16,12 +10,11 @@ for project_include_file in ../../../Project-Includes/*; do
 source "$project_include_file"
 done
-
 export SUBODEV_CHECK
-SUBODEV_CHECK="$(getent passwd|grep -c subodev || true)"
+SUBODEV_CHECK="$(getent passwd | grep -c subodev || true)"
 export LOCALUSER_CHECK
-LOCALUSER_CHECK="$(getent passwd|grep -c localuser || true)"
+LOCALUSER_CHECK="$(getent passwd | grep -c localuser || true)"
 export ROOT_SSH_DIR
 ROOT_SSH_DIR="/root/.ssh"
@@ -32,51 +25,51 @@ LOCALUSER_SSH_DIR="/home/localuser/.ssh"
 export SUBODEV_SSH_DIR
 SUBODEV_SSH_DIR="/home/subodev/.ssh"
-if [ ! -d $ROOT_SSH_DIR ]; then
- mkdir /root/.ssh/
-fi
+export NOT_UBUNTU_CHECK
+NOT_UBUNTU_CHECK="$(distro | grep -c -v Ubuntu)"
-curl --silent "${DL_ROOT}"/ProjectCode/ConfigFiles/SSH/AuthorizedKeys/root-ssh-authorized-keys > /root/.ssh/authorized_keys
-chmod 400 /root/.ssh/authorized_keys
+if [ ! -d $ROOT_SSH_DIR ]; then
+ mkdir /root/.ssh/
+fi
+
+curl --silent "${DL_ROOT}"/ProjectCode/ConfigFiles/SSH/AuthorizedKeys/root-ssh-authorized-keys >/root/.ssh/authorized_keys
+chmod 400 /root/.ssh/authorized_keys
 chown root: /root/.ssh/authorized_keys
-
 if [ "$LOCALUSER_CHECK" -gt 0 ]; then
- if [ ! -d $LOCALUSER_SSH_DIR ]; then
- mkdir -p /home/localuser/.ssh/
+ if [ ! -d $LOCALUSER_SSH_DIR ]; then
+ mkdir -p /home/localuser/.ssh/
 fi
- curl --silent "${DL_ROOT}"/ProjectCode/ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys > /home/localuser/.ssh/authorized_keys \
- && chown localuser /home/localuser/.ssh/authorized_keys \
- && chmod 400 /home/localuser/.ssh/authorized_keys
+ curl --silent "${DL_ROOT}"/ProjectCode/ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys >/home/localuser/.ssh/authorized_keys &&
+ chown localuser /home/localuser/.ssh/authorized_keys &&
+ chmod 400 /home/localuser/.ssh/authorized_keys
 fi
 if [ "$SUBODEV_CHECK" = 1 ]; then
-if [ ! -d $SUBODEV_SSH_DIR ]; then
- mkdir /home/subodev/.ssh/
+ if [ ! -d $SUBODEV_SSH_DIR ]; then
+ mkdir /home/subodev/.ssh/
+ fi
+
+ curl --silent "${DL_ROOT}"/ProjectCode/ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys >/home/subodev/.ssh/authorized_keys &&
+ chmod 400 /home/subodev/.ssh/authorized_keys &&
+ chown subodev: /home/subodev/.ssh/authorized_keys
 fi
-curl --silent "${DL_ROOT}"/ProjectCode/ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys > /home/subodev/.ssh/authorized_keys \
-&& chmod 400 /home/subodev/.ssh/authorized_keys \
-&& chown subodev: /home/subodev/.ssh/authorized_keys
+cat ../../ConfigFiles/SSH/Configs/tsys-sshd-config >/etc/ssh/sshd_config
+
+
+#Don't deploy this config to a ubuntu server, it breaks openssh server. Works on kali/debian.
+
+if [ "$NOT_UBUNTU_CHECK" -eq 1 ]; then
+ cat ../../ConfigFiles/SSH/Configs/ssh-audit-hardening.conf >/etc/ssh/sshd_config.d/ssh-audit_hardening.conf
 fi
-cat ../../ConfigFiles/SSH/Configs/tsys-sshd-config > /etc/ssh/sshd_config
-
-export UBUNTU_CHECK
-UBUNTU_CHECK="$(distro|grep -c Ubuntu)"
-
-#Don't deploy this config to a ubuntu server, it breaks openssh server. Works on kali/debian.
-
-if [ $UBUNTU_CHECK -eq 0 ]; then
-cat ../../ConfigFiles/SSH/Configs/ssh-audit-hardening.conf > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
-fi
-
-# Perms on sshd_config
+# Perms on sshd_config
 chmod og-rwx /etc/ssh/sshd_config
 chmod og-rwx /etc/ssh/sshd_config.d/*
 #todo
-# only strong MAC algos are used
\ No newline at end of file
+# only strong MAC algos are used
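Review bot: The new gate `if [ "$NOT_UBUNTU_CHECK" -eq 1 ]` only fires when `distro | grep -c -v Ubuntu` prints exactly 1, so it silently depends on `distro` emitting exactly one line: extra output lines skip the hardening drop-in on Debian/Kali, and any single non-Ubuntu line on an Ubuntu host deploys the config the comment says breaks openssh; a plain exit-status test avoids both the counting and the non-zero exit `grep -c` returns when the count is 0, e.g. `if ! distro | grep -q -- Ubuntu; then`. The `curl --silent` fetches of authorized_keys in this hunk have no `--fail`, so an HTTP error body or an empty response replaces root's existing authorized_keys and is then chmod'd into place; `curl --silent --show-error --fail` into a temp file with `mv` on success keeps the previous keys when the download fails. The subodev block fetches `localuser-ssh-authorized-keys` into /home/subodev/.ssh/authorized_keys, which looks like a copy of the localuser line rather than a subodev key file — if that is intended, a comment saying so would help. Since the script overwrites /etc/ssh/sshd_config wholesale, a `sshd -t` check before the service is reloaded would catch a broken config before it costs remote access.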