diff --git a/home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl b/home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl
index d3c14ca7..f6fcfc9f 100644
--- a/home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl
+++ b/home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl
@@ -17,11 +17,51 @@
 # * [Endlessh GitHub repository](https://github.com/skeeto/endlessh)
 # * [Endlessh configuration](https://github.com/megabyte-labs/install.doctor/blob/master/home/private_dot_ssh/endlessh/config.tmpl)
+# @file Endlessh Configuration
+# @brief This script configures Endlessh by applying the configuration stored in `${XDG_DATA_HOME:-$HOME/.ssh}/endlessh/config` if the `endlessh` application is available
+# @description
+# This script applies the Endlessh configuration stored in `${XDG_DATA_HOME:-$HOME/.ssh}/endlessh/config` if endlessh is installed.
+# Endlessh is and SSH Tarpit configured to listen for incoming connection on the given port and respond slowly with a random, endless SSH banner. To protect the real server,
+# configure Endlessh to listen on the default SSH port (22), while the real server listens to a different port.
+#
+# ## Configuration Variables
+#
+# The following chart details the input variable(s) that are used to determine the configuration of the endlessh:
+#
+# | Variable | Description |
+# |-----------------|------------------------------------------------------------|
+# | `endlesshPort` | The port that endlessh listens to for incoming connections |
+#
+# ## Links
+#
+# * [Default Endlessh configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/endlessh/config.tmpl)
+# * [Secrets / Environment variables documentation](https://install.doctor/docs/customization/secrets)
+
 # endlessh config hash: {{- include (joinPath .host.home ".ssh" "endlessh" "config") | sha256sum -}}
 {{ includeTemplate "universal/profile" }}
 {{ includeTemplate "universal/logg" }}
+### Configures endlessh service
+function configureEndlessh() {
+ ### Update the service configuration file
+ logg info 'Updating `endlessh` service configuration file'
+ sudo sed -i 's/^.*#AmbientCapabilities=CAP_NET_BIND_SERVICE/AmbientCapabilities=CAP_NET_BIND_SERVICE/' /usr/lib/systemd/system/endlessh.service
+ sudo sed -i 
's/^.*PrivateUsers=true/#PrivateUsers=true/' /usr/lib/systemd/system/endlessh.service
+ logg info 'Reloading systemd'
+ sudo systemctl daemon-reload
+
+ ### Update capabilities of `endlessh`
+ logg info 'Updating capabilities of `endlessh`'
+ sudo setcap 'cap_net_bind_service=+ep' /usr/bin/endlessh
+
+ ### Restart / enable Endlessh
+ logg info 'Enabling the `endlessh` service'
+ sudo systemctl enable endlessh
+ logg info 'Restarting the `endlessh` service'
+ sudo systemctl restart endlessh
+}
+
 ### Update /etc/endlessh/config if environment is not WSL
 if [[ ! "$(test -d proc && grep Microsoft /proc/version > /dev/null)" ]]; then
 if command -v endlessh > /dev/null; then
@@ -29,13 +69,24 @@ if [[ ! "$(test -d proc && grep Microsoft /proc/version > /dev/null)" ]]; then
 logg info 'Copying ~/.ssh/endlessh/config to /etc/endlessh/config'
 sudo cp -f "$HOME/.ssh/endlessh/config" /etc/endlessh/config
- ### Restart / enable Endlessh
- logg info 'Enabling the `endlessh` service'
- sudo systemctl enable endlessh
- logg info 'Restarting the `endlessh` service'
- sudo systemctl restart endlessh
+ configureEndlessh || CONFIGURE_EXIT_CODE=$?
+ if [ -n "$CONFIGURE_EXIT_CODE" ]; then
+ logg error 'Configuring `endlessh` service failed' && exit 1
+ else
+ logg success 'Successfully configured `endlessh` service'
+ fi
+ elif [ -f /etc/endlessh.conf ]; then
+ logg info 'Copying ~/.ssh/endlessh/config to /etc/endlessh.conf'
+ sudo cp -f "$HOME/.ssh/endlessh/config" /etc/endlessh.conf
+
+ configureEndlessh || CONFIGURE_EXIT_CODE=$?
+ if [ -n "$CONFIGURE_EXIT_CODE" ]; then
+ logg error 'Configuring `endlessh` service failed' && exit 1
+ else
+ logg success 'Successfully configured `endlessh` service'
+ fi
 else
- logg warn 'The /etc/endlessh folder does not exist'
+ logg warn 'Neither the /etc/endlessh folder nor the /etc/endlessh.conf file exist'
 fi
 else
 logg info 'Skipping Endlessh configuration because the `endlessh` executable is not available in the PATH'
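Review bot: `configureEndlessh` rewrites the packaged unit under /usr/lib with `sudo sed -i` and adds a file capability with `setcap`; both are reverted by the next package upgrade (the tarpit then silently fails to bind port 22 on restart), and the file capability is broader than needed because it lets any local user who runs /usr/bin/endlessh bind privileged ports, while the `AmbientCapabilities=` line alone already grants it to the service. A drop-in under /etc/systemd/system/endlessh.service.d/ gives the same effect persistently, and since disabling `PrivateUsers=` gives up the unit's user-namespace sandbox, that trade-off deserves a comment (a firewall redirect of 22 to the configured port would keep the sandbox, if that option is acceptable here). `set -e` is not visible in this hunk, so a failing `sed` does not make the function return non-zero — only the final `systemctl restart` decides the status the caller inspects. Also, the new `@brief` documents `${XDG_DATA_HOME:-$HOME/.ssh}/endlessh/config` while the code copies `$HOME/.ssh/endlessh/config`. The `if` chain this hunk ends on continues into the next hunk.
```shell
function configureEndlessh() {
  ### Apply the privileged-port settings as a drop-in instead of editing the packaged unit (survives upgrades)
  logg info 'Writing systemd drop-in for `endlessh`'
  sudo mkdir -p /etc/systemd/system/endlessh.service.d || return 1
  # PrivateUsers=no drops the user-namespace sandbox; it is the price of binding port 22 with the ambient capability
  printf '[Service]\nAmbientCapabilities=CAP_NET_BIND_SERVICE\nPrivateUsers=no\n' \
    | sudo tee /etc/systemd/system/endlessh.service.d/override.conf > /dev/null || return 1
  logg info 'Reloading systemd'
  sudo systemctl daemon-reload || return 1
  # No setcap on the binary: a file capability applies to every invoker, the ambient capability only to the service
  # … unchanged: enable / restart …
}
```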
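Review bot: Both new branches install the user's config into /etc with `sudo cp -f`, which gives a newly created target the source file's mode (less umask); files under ~/.ssh are often 0600, and a root-owned 0600 config is unreadable by an unprivileged service user, in which case endlessh would start with its built-in defaults rather than the intended port — I cannot confirm the source mode from this hunk. `sudo install -m 0644 -o root -g root "$HOME/.ssh/endlessh/config" "$ENDLESSH_CONF"` makes ownership and mode explicit, and choosing the target path once removes the duplicated copy/configure/check block. `logg error '…' && exit 1` only exits when `logg` itself succeeds; testing `configureEndlessh` directly in an `if` avoids that and the `CONFIGURE_EXIT_CODE` global. The `if [ -d /etc/endlessh ]` that this `elif` extends begins before the hunk, and the outer WSL `if` closes after it.
```shell
      if [ -d /etc/endlessh ]; then
        ENDLESSH_CONF=/etc/endlessh/config
      elif [ -f /etc/endlessh.conf ]; then
        ENDLESSH_CONF=/etc/endlessh.conf
      fi
      if [ -n "$ENDLESSH_CONF" ]; then
        logg info "Copying ~/.ssh/endlessh/config to $ENDLESSH_CONF"
        # Explicit root:root 0644 so the service user can read it whatever the ~/.ssh source mode is
        sudo install -m 0644 -o root -g root "$HOME/.ssh/endlessh/config" "$ENDLESSH_CONF"
        if configureEndlessh; then
          logg success 'Successfully configured `endlessh` service'
        else
          logg error 'Configuring `endlessh` service failed'
          exit 1
        fi
      else
        logg warn 'Neither the /etc/endlessh folder nor the /etc/endlessh.conf file exist'
      fi
```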
diff --git a/software.yml b/software.yml
index 1a66e1af..4e156e86 100644
--- a/software.yml
+++ b/software.yml
@@ -6959,7 +6959,7 @@ softwarePackages:
 # ansible:linux: professormanhattan.sshtarpit
 apt: endlessh
 dnf:fedora: endlessh
- pacman: endlessh-git
+ yay: endlessh-git
 ssl-proxy:
 _bin: null
 _desc: Simple zero-config SSL reverse proxy with real autogenerated certificates
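Review bot: Moving `endlessh-git` from `pacman:` to `yay:` means the Arch install now builds from the AUR, and a `-git` package conventionally tracks upstream HEAD rather than a signed, tagged release, so each run may pull whatever the repository currently contains. An inline comment on that line, such as `# AUR: builds upstream HEAD, no release pinning`, would keep the supply-chain trade-off visible next to the key, and a non-`-git` AUR package would be preferable if one is maintained — I cannot tell from this hunk whether one exists.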