
{{- if eq .host.distro.family "linux" -}}
#!/usr/bin/env bash
# @file Endlessh Configuration
# @brief Applies the Endlessh configuration and starts the service on Linux systems
# @description
# Endlessh is an endless SSH tarpit that slowly sends an infinitely long SSH welcome banner on the default
# SSH port. It is intended to break unsophisticated malware that targets SSH.
#
# If the `endlessh` program is installed, this script applies the configuration stored in `home/private_dot_ssh/endlessh/config.tmpl`
# (that unpacks with Chezmoi to `~/.ssh/endlessh/config`) to the system location and then starts the service.
#
# **Note:** _This script runs under the assumption that the actual SSH port which is defined in `home/.chezmoidata.yaml`
# is assigned to a non-standard port like 2214. This allows the default port to be used for `endlessh`._
#
# ## Links
#
# * [Endlessh GitHub repository](https://github.com/skeeto/endlessh)
# * [Endlessh configuration](https://github.com/megabyte-labs/install.doctor/blob/master/home/private_dot_ssh/endlessh/config.tmpl)
# @file Endlessh Configuration
# @brief This script configures Endlessh by applying the configuration stored in `${XDG_DATA_HOME:-$HOME/.ssh}/endlessh/config` if the `endlessh` application is available
# @description
# This script applies the Endlessh configuration stored in `${XDG_DATA_HOME:-$HOME/.ssh}/endlessh/config` if endlessh is installed.
# Endlessh is an SSH tarpit configured to listen for incoming connections on the given port and respond slowly with a random, endless SSH banner. To protect the real server,
# configure Endlessh to listen on the default SSH port (22), while the real server listens on a different port.
#
# ## Configuration Variables
#
# The following chart details the input variable(s) that are used to determine the configuration of endlessh:
#
# | Variable | Description |
# |-----------------|------------------------------------------------------------|
# | `endlesshPort` | The port that endlessh listens to for incoming connections |
#
# ## Links
#
# * [Default Endlessh configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/endlessh/config.tmpl)
# * [Secrets / Environment variables documentation](https://install.doctor/docs/customization/secrets)
# endlessh config hash: {{- include (joinPath .host.home ".ssh" "endlessh" "config") | sha256sum -}}
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
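### Configures endlessh service
#
# Lets the endlessh service bind the privileged SSH port and (re)starts it.
# The unit is adjusted through a systemd drop-in under
# /etc/systemd/system/endlessh.service.d instead of editing the vendor unit
# in /usr/lib with sed: a drop-in survives package upgrades and does not
# silently no-op when the vendor file's text differs from the sed patterns.
# The drop-in applies the same two changes the sed-based version made:
# AmbientCapabilities=CAP_NET_BIND_SERVICE so the unprivileged service can
# bind port 22, and PrivateUsers off (a user namespace would strip that
# capability again).
# Globals:   none written; every privileged step runs through sudo
# Arguments: none
# Returns:   non-zero as soon as a step fails, so the caller's
#            `configureEndlessh || CONFIGURE_EXIT_CODE=$?` actually observes failures
function configureEndlessh() {
  local dropin_dir='/etc/systemd/system/endlessh.service.d'
  local dropin="$dropin_dir/override.conf"
  local endlessh_bin
  ### Update the service configuration via a drop-in override
  logg info "Writing systemd drop-in $dropin"
  sudo mkdir -p -- "$dropin_dir" || return 1
  printf '%s\n' '[Service]' 'AmbientCapabilities=CAP_NET_BIND_SERVICE' 'PrivateUsers=false' \
    | sudo tee "$dropin" > /dev/null || return 1
  logg info 'Reloading systemd'
  sudo systemctl daemon-reload || return 1
  ### Update capabilities of `endlessh`
  # The caller has already verified `endlessh` is on PATH; fall back to the
  # historical hard-coded location only if that lookup fails here.
  endlessh_bin="$(command -v endlessh)" || endlessh_bin='/usr/bin/endlessh'
  logg info "Updating capabilities of $endlessh_bin"
  sudo setcap 'cap_net_bind_service=+ep' "$endlessh_bin" || return 1
  ### Restart / enable Endlessh
  logg info 'Enabling the endlessh service'
  sudo systemctl enable endlessh || return 1
  logg info 'Restarting the endlessh service'
  sudo systemctl restart endlessh
}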
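### Copies the user's endlessh config to the system location and configures the service
#
# Shared by the /etc/endlessh/config and /etc/endlessh.conf cases, which were
# previously duplicated verbatim. The source path is `$HOME/.ssh/endlessh/config`
# (the same path hashed on the template line above), regardless of the
# `${XDG_DATA_HOME:-…}` wording in the file header.
# Arguments: $1 - destination path of the system-wide endlessh configuration
# Outputs:   progress via logg
# Returns:   exits the script with status 1 if the copy or configureEndlessh fails
function applyEndlesshConfig() {
  local destination="$1"
  local source_config="$HOME/.ssh/endlessh/config"
  if [ ! -f "$source_config" ]; then
    logg error "Expected $source_config to exist but it does not"
    exit 1
  fi
  logg info "Copying ~/.ssh/endlessh/config to $destination"
  if ! sudo cp -f -- "$source_config" "$destination"; then
    logg error "Failed to copy $source_config to $destination"
    exit 1
  fi
  # `logg error … && exit 1` would skip the exit if logg itself failed, so the
  # two statements are kept separate.
  if configureEndlessh; then
    logg success 'Successfully configured endlessh service'
  else
    logg error 'Configuring endlessh service failed'
    exit 1
  fi
}

### Update /etc/endlessh/config if environment is not WSL
# The earlier check, `[[ ! "$(test -d proc && grep Microsoft /proc/version > /dev/null)" ]]`,
# tested a command substitution whose output was always empty (grep's stdout was
# redirected away, and `proc` lacked its leading slash), so the WSL branch could
# never run. /proc/version spells the vendor "Microsoft" on WSL1 and "microsoft"
# on WSL2, hence the case-insensitive match.
if grep -qi microsoft /proc/version 2> /dev/null; then
  logg info 'Skipping Endlessh configuration since environment is WSL'
elif ! command -v endlessh > /dev/null; then
  logg info 'Skipping Endlessh configuration because the endlessh executable is not available in the PATH'
elif [ -d /etc/endlessh ]; then
  applyEndlesshConfig /etc/endlessh/config
elif [ -f /etc/endlessh.conf ]; then
  applyEndlesshConfig /etc/endlessh.conf
else
  logg warn 'Neither the /etc/endlessh folder nor the /etc/endlessh.conf file exist'
fi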
{{ end -}}