سختسازی امنیت SSH
اسکریپتی که سرور SSH را امن میکند، حملات brute-force را جلوگیری میکند و بهترین روشهای امنیتی را اعمال میکند.
منتشر شده: 2024/03/20
کد
#!/bin/bash
# SSH Hardening Script
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit 1
fi
SSHD_CONFIG="/etc/ssh/sshd_config"
BACKUP_FILE="${SSHD_CONFIG}.backup.$(date +%Y%m%d_%H%M%S)"
echo "======================================"
echo " SSH HARDENING SCRIPT"
echo "======================================"
echo ""
echo "1. Creating backup..."
cp "$SSHD_CONFIG" "$BACKUP_FILE"
echo "✓ Backup created: $BACKUP_FILE"
echo ""
read -p "Change SSH port from 22? (y/n): " CHANGE_PORT
if [ "$CHANGE_PORT" = "y" ]; then
read -p "Enter new SSH port (1024-65535): " NEW_PORT
sed -i "s/^#*Port .*/Port $NEW_PORT/" "$SSHD_CONFIG"
echo "✓ SSH port changed to $NEW_PORT"
echo " Remember to update your firewall!"
fi
echo ""
echo "2. Disabling root login..."
sed -i "s/^#*PermitRootLogin .*/PermitRootLogin no/" "$SSHD_CONFIG"
echo "✓ Root login disabled"
echo ""
read -p "Disable password authentication? (Requires SSH key setup) (y/n): " DISABLE_PASS
if [ "$DISABLE_PASS" = "y" ]; then
sed -i "s/^#*PasswordAuthentication .*/PasswordAuthentication no/" "$SSHD_CONFIG"
echo "✓ Password authentication disabled"
echo " ⚠️ Make sure you have SSH keys configured!"
fi
echo ""
echo "3. Applying security settings..."
sed -i "s/^#*PermitEmptyPasswords .*/PermitEmptyPasswords no/" "$SSHD_CONFIG"
sed -i "s/^#*MaxAuthTries .*/MaxAuthTries 3/" "$SSHD_CONFIG"
sed -i "s/^#*LoginGraceTime .*/LoginGraceTime 20/" "$SSHD_CONFIG"
sed -i "s/^#*X11Forwarding .*/X11Forwarding no/" "$SSHD_CONFIG"
cat >> "$SSHD_CONFIG" << EOF
# Security hardening
Protocol 2
HostbasedAuthentication no
IgnoreRhosts yes
UsePAM yes
ClientAliveInterval 300
ClientAliveCountMax 2
MaxSessions 3
EOF
echo "✓ Security settings applied"
echo ""
echo "4. Installing fail2ban..."
if command -v apt-get &> /dev/null; then
apt-get update && apt-get install -y fail2ban
elif command -v yum &> /dev/null; then
yum install -y fail2ban
fi
if [ -f /etc/fail2ban/jail.local ]; then
cp /etc/fail2ban/jail.local /etc/fail2ban/jail.local.backup
fi
cat > /etc/fail2ban/jail.local << EOF
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
EOF
systemctl enable fail2ban
systemctl restart fail2ban
echo "✓ fail2ban installed and configured"
echo ""
echo "5. Testing SSH configuration..."
sshd -t
if [ $? -eq 0 ]; then
echo "✓ Configuration is valid"
echo ""
read -p "Apply changes and restart SSH? (y/n): " RESTART
if [ "$RESTART" = "y" ]; then
systemctl restart sshd
echo "✓ SSH service restarted"
fi
else
echo "✗ Configuration has errors!"
echo "Restoring backup..."
cp "$BACKUP_FILE" "$SSHD_CONFIG"
exit 1
fi
echo ""
echo "======================================"
echo " SSH HARDENING COMPLETED"
echo "======================================"
echo ""
echo "Summary of changes:"
echo "- Root login: DISABLED"
echo "- Max auth tries: 3"
echo "- Login grace time: 20 seconds"
echo "- fail2ban: ENABLED"
[ "$CHANGE_PORT" = "y" ] && echo "- SSH port: $NEW_PORT"
[ "$DISABLE_PASS" = "y" ] && echo "- Password auth: DISABLED"
echo ""
echo "⚠️ IMPORTANT:"
echo "1. Test your SSH connection in a new terminal"
echo "2. Keep this terminal open until you verify access"
echo "3. Update firewall if you changed the port"
echo "4. Make sure you have SSH keys if you disabled passwords"نحوه استفاده
# Run as root
sudo chmod +x ssh_hardening.sh
sudo ./ssh_hardening.sh
# Generate SSH key (recommended)
ssh-keygen -t ed25519 -C "[email protected]"
# Copy key to server
ssh-copy-id user@server
# Check fail2ban status
sudo fail2ban-client status sshd