Update 8 files
- /home/.chezmoiscripts/darwin/run_onchange_after_10-configure-macos.tmpl - /home/.chezmoidata.yaml - /home/dot_ssh/system/sshd_config.tmpl - /home/dot_ssh/system/banner - /home/dot_ssh/system/run_onchanges_after_sshd.tmpl - /home/dot_ssh/fail2ban/jail.local.tmpl - /home/.chezmoi.yaml.tmpl - /software.yml
This commit is contained in:
parent
86218cc831
commit
45355db9c5
8 changed files with 200 additions and 0 deletions
|
@ -137,6 +137,10 @@ data:
|
||||||
dns:
|
dns:
|
||||||
primary: 10.0.0.1#dns.megabyte.space
|
primary: 10.0.0.1#dns.megabyte.space
|
||||||
secondary: 1.1.1.1#cloudflare-dns.com
|
secondary: 1.1.1.1#cloudflare-dns.com
|
||||||
|
ssh:
|
||||||
|
allowTCPForwarding: no
|
||||||
|
allowUsers: {{ output "echo" "$USER" }}
|
||||||
|
port: 2214
|
||||||
vpn:
|
vpn:
|
||||||
excludedSubnets:
|
excludedSubnets:
|
||||||
- 10.0.0.0/24
|
- 10.0.0.0/24
|
||||||
|
|
|
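Review bot: `allowUsers: {{ output "echo" "$USER" }}` almost certainly renders the literal text `$USER`: chezmoi's `output` function executes the command with its arguments directly, not through a shell, so nothing expands the variable, and the `AllowUsers $USER` line this feeds into `sshd_config.tmpl` matches no real account and locks every user out once that file is installed. Use the template's own view of the user instead, `allowUsers: {{ .chezmoi.username }}` (or `{{ env "USER" }}` if the environment is really what is wanted). Separately, `allowTCPForwarding: no` is an unquoted YAML scalar that some parsers coerce to a boolean, which would then render as `false` and be rejected by sshd; quoting it as `allowTCPForwarding: 'no'`, the way `macosRemoteLogin: 'on'` is quoted elsewhere in this commit, removes that dependency on the parser.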
@ -19,6 +19,7 @@ colors:
|
||||||
color14: '#EB71AD'
|
color14: '#EB71AD'
|
||||||
color15: '#24E5FF'
|
color15: '#24E5FF'
|
||||||
color16: '#FFFFFF'
|
color16: '#FFFFFF'
|
||||||
|
macosRemoteLogin: 'on'
|
||||||
themeparkTheme: aquamarine
|
themeparkTheme: aquamarine
|
||||||
config:
|
config:
|
||||||
gpg: https://raw.githubusercontent.com/drduh/config/master/gpg.conf
|
gpg: https://raw.githubusercontent.com/drduh/config/master/gpg.conf
|
||||||
|
@ -638,6 +639,8 @@ softwareGroups:
|
||||||
- ruby
|
- ruby
|
||||||
SSH: &SSH
|
SSH: &SSH
|
||||||
- assh
|
- assh
|
||||||
|
- fail2ban
|
||||||
|
- openssh-server
|
||||||
- skm
|
- skm
|
||||||
- ssh-vault
|
- ssh-vault
|
||||||
- sshpass
|
- sshpass
|
||||||
|
|
|
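Review bot: `macosRemoteLogin: 'on'` makes enabling Remote Login the default for every macOS host that applies these dotfiles, and the script that flips it (`run_onchange_after_10-configure-macos`) sorts before the script that installs this commit's hardened `sshd_config`, so for that interval a laptop on an untrusted network is serving whatever `/etc/ssh/sshd_config` was already on the machine. A safer default is `macosRemoteLogin: 'off'` with hosts that need SSH opting in through their own config, plus a comment on the key such as `# 'on' starts the launchd-managed sshd on macOS; keep the value quoted so YAML does not turn it into a boolean`. The quoting itself is correct and worth keeping consistent across the other yes/no values this commit adds.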
@ -12,6 +12,9 @@ sudo echo "Sudo access granted."
|
||||||
# Log commands
|
# Log commands
|
||||||
set +x
|
set +x
|
||||||
|
|
||||||
|
# Enable SSH access
|
||||||
|
sudo systemsetup -setremotelogin {{ .macosRemoteLogin }}
|
||||||
|
|
||||||
# Close any open System Preferences panes, to prevent them from overriding
|
# Close any open System Preferences panes, to prevent them from overriding
|
||||||
# settings we’re about to change
|
# settings we’re about to change
|
||||||
osascript -e 'tell application "System Preferences" to quit'
|
osascript -e 'tell application "System Preferences" to quit'
|
||||||
|
|
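Review bot: `sudo systemsetup -setremotelogin {{ .macosRemoteLogin }}` will hang when the value is `off`: `systemsetup` prompts for confirmation before turning Remote Login off, and a non-interactive `chezmoi apply` never answers it, so pass the force flag: `sudo systemsetup -f -setremotelogin {{ .macosRemoteLogin }}`. When the value is `on`, this line enables sshd before the separate `run_onchanges_after_sshd` script has copied the hardened config into `/etc/ssh`, so a short comment on the line, e.g. `# NOTE: sshd_config hardening is applied later by the sshd run script; stock macOS sshd_config is live until then`, would make that ordering dependency visible. The enclosing script starts and ends outside this hunk.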
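--- /dev/null
+++ b/home/dot_ssh/fail2ban/jail.local.tmpl
@@ -0,0 +1,4 @@
+[sshd]
+enabled = true
+port = {{ .host.ssh.port }}
+filter = sshd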
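Review bot: Nothing in this commit installs the rendered `~/.ssh/fail2ban/jail.local` into `/etc/fail2ban/`: the `run_onchanges_after_sshd` script copies only `banner` and `sshd_config`, so this jail, and the `port = {{ .host.ssh.port }}` binding that makes bans apply to the non-default port, is never read by fail2ban unless a script outside this commit does the copy. Add to that script `sudo cp -f "$HOME/.ssh/fail2ban/jail.local" /etc/fail2ban/jail.local` followed by `sudo systemctl restart fail2ban` (or the macOS equivalent). The stanza also inherits `logpath`/`backend` from the packaged `jail.conf`; on journald-only distros whose defaults do not already point the sshd jail at the journal, it needs `backend = systemd` to start at all, so consider adding that line here.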
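--- /dev/null
+++ b/home/dot_ssh/system/banner
@@ -0,0 +1,5 @@
+WARNING! Authorized use only. Your IP address has been logged.
+
+If you choose to ignore this warning and discover a vulnerability
+that you can explain how to remediate, then please contact brian@megabyte.space
+for a bounty.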
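--- /dev/null
+++ b/home/dot_ssh/system/run_onchanges_after_sshd.tmpl
@@ -0,0 +1,35 @@
+{{- if ne .host.distro.family "windows" }}
+#!/usr/bin/env bash
+
+### Update /etc/ssh/sshd_config if environment is not WSL
+if [[ ! "$(grep Microsoft /proc/version)" ]]; then
+if [ -d /etc/ssh ]; then
+logg info 'Copying ~/.ssh/system/banner to /etc/ssh/banner'
+sudo cp -f "$HOME/.ssh/system/banner" /etc/ssh/banner
+
+logg info 'Copying ~/.ssh/system/sshd_config to /etc/ssh/sshd_config'
+sudo cp -f "$HOME/.ssh/system/sshd_config" /etc/ssh/sshd_config
+
+### Restart SSH server
+if [ -d /Applications ] && [ -d /System ]; then
+# macOS
+logg info 'Running `sudo launchctl stop com.openssh.sshd`'
+sudo launchctl stop com.openssh.sshd
+logg info 'Running `sudo launchctl start com.openssh.sshd`'
+sudo launchctl start com.openssh.sshd
+else
+# Linux
+logg info 'Enabling the `sshd` service'
+sudo systemctl enable sshd
+logg info 'Restarting the `sshd` service'
+
+sudo service sshd restart
+fi
+else
+logg warn 'The /etc/ssh folder does not exist'
+fi
+else
+logg info 'Skipping sshd_config application since environment is WSL'
+fi
+
+{{ end -}}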
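Review bot: The file name `run_onchanges_after_sshd.tmpl` carries no chezmoi attribute: the prefix chezmoi recognises is `run_onchange_` (singular), so with the extra `s` this is parsed as a plain `run_` script named `onchanges_after_sshd` that re-copies the config and restarts sshd on every `chezmoi apply`, with nothing ordering it after the `~/.ssh/system/*` files are written; rename it to `run_onchange_after_sshd.tmpl`. The body also overwrites `/etc/ssh/sshd_config` and restarts the daemon without validating the rendered file, so a template mistake (the `AllowUsers` value, an `Include` directive on an sshd older than 8.2) takes remote access down with that restart; add `sudo sshd -t -f "$HOME/.ssh/system/sshd_config" || { logg warn 'rendered sshd_config failed validation, not installing it'; exit 1; }` before the first `cp -f`. On Linux, `sudo systemctl reload sshd` applies the new config without dropping the session this script may itself be running in, whereas `service sshd restart` does.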
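--- /dev/null
+++ b/home/dot_ssh/system/sshd_config.tmpl
@@ -0,0 +1,131 @@
+# TODO - Figure out difference between /private/etc/ssh and /etc/ssh on macOS
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port {{ .host.ssh.port }}
+AddressFamily inet
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+### Host keys
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+### Ciphers and keyring
+#RekeyLimit default none
+
+### Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+### Authentication
+LoginGraceTime 60
+{{ if ne .host.distro.family "windows" }}
+PermitRootLogin no
+{{ else }}
+DenyGroups Administrators
+{{ end }}
+AllowUsers {{ .host.ssh.allowUsers }}
+#StrictModes yes
+MaxAuthTries 3
+#MaxSessions 10
+
+AuthenticationMethods publickey
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+{{ if ne .host.distro.family "windows" }}
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+{{ end }}
+
+# GSSAPI options
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+{{ if ne .host.distro.family "windows" }}
+#AllowAgentForwarding yes
+AllowTcpForwarding {{ .host.ssh.allowTCPForwarding }}
+
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 60
+ClientAliveCountMax 3
+UseDNS no
+# Experiment with this
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# pass locale information
+AcceptEnv LANG LC_*
+
+# no default banner path
+Banner /etc/ssh/banner
+
+# override default of no subsystems
+# TODO - Figure out how to detect the sftp path to place here. i.e. replicate the following Ansible logic
+# using Go templating:
+# - name: Find the path of the sftp-server executable
+# find:
+# paths: /usr
+# file_type: file
+# patterns: '*sftp-server'
+# recurse: true
+# register: sftp_executable
+#Subsystem sftp {/{ sftp_executable.files[0].path | default('internal-sftp') }/}
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+{{ end }}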
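Review bot: `Include /etc/ssh/sshd_config.d/*.conf` as the first directive undoes most of the hardening that follows it: sshd keeps the first value it reads for each keyword, so a distro drop-in such as Ubuntu's `50-cloud-init.conf` (`PasswordAuthentication yes`) takes precedence over this file's `PasswordAuthentication no`, `PermitRootLogin no` and `AuthenticationMethods publickey`; move the `Include` to the last line so this file wins, or drop it and own the configuration outright. `Include` also requires OpenSSH 8.2 or newer and is a fatal parse error on older daemons this template gets copied to. The sftp TODO needs no path discovery at all: `Subsystem sftp internal-sftp` is built into sshd on every platform, so the commented Ansible block can be replaced by that one line. On macOS the `Port {{ .host.ssh.port }}` line is, as far as I know, not honoured because launchd owns the listening socket (port 22 from `ssh.plist`) and runs sshd in inetd mode, which is worth a comment on that line so nobody assumes the fail2ban jail's port matches what is actually listening there.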
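--- a/software.yml
+++ b/software.yml
@@ -8275,6 +8275,21 @@ softwarePackages:
 - docker-ce
 - docker-ce-cli
 - docker-compose-plugin
+openssh-server:
+_service: sshd
+_when: '! "$(grep Microsoft /proc/version)"'
+apt: openssh-server
+dnf: openssh-server
+pacman: openssh
+fail2ban:
+_service: fail2ban
+# fail2ban cannot be installed on Qubes Fedora 36 without messing with the qubes-firewall since firewalld is required
+_when: '! command -v qubes-firewall > /dev/null && ! "$(grep Microsoft /proc/version)"'
+apt: fail2ban
+brew: fail2ban
+dnf: fail2ban
+pacman: fail2ban
+port: fail2ban
 boringtun:
 _bin: boringtun-cli
 _desc: BoringTun is an implementation of the WireGuard® protocol designed for portability and speed.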
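Review bot: The WSL guard `_when: '! "$(grep Microsoft /proc/version)"'` is a string test written as a command: if `_when` is evaluated as a shell command, which the `! command -v qubes-firewall > /dev/null` clause in the `fail2ban` entry implies, the shell tries to execute grep's output (empty off WSL, a kernel version string on it) as a program, fails in both cases, and `!` turns that failure into true, so neither package is actually skipped on WSL. The form that works as a command in both entries is `! grep -q Microsoft /proc/version 2>/dev/null`. If `_when` is instead evaluated inside `[[ … ]]`, the grep half is fine but the `command -v` half is not, so the two conditions cannot both be correct as written and the installer's `_when` semantics should be pinned down in a comment next to one of them.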