Update 8 files
- /home/.chezmoiscripts/darwin/run_onchange_after_10-configure-macos.tmpl - /home/.chezmoidata.yaml - /home/dot_ssh/system/sshd_config.tmpl - /home/dot_ssh/system/banner - /home/dot_ssh/system/run_onchanges_after_sshd.tmpl - /home/dot_ssh/fail2ban/jail.local.tmpl - /home/.chezmoi.yaml.tmpl - /software.yml
This commit is contained in:
parent
86218cc831
commit
45355db9c5
8 changed files with 200 additions and 0 deletions
|
@ -137,6 +137,10 @@ data:
|
|||
dns:
|
||||
primary: 10.0.0.1#dns.megabyte.space
|
||||
secondary: 1.1.1.1#cloudflare-dns.com
|
||||
ssh:
|
||||
allowTCPForwarding: no
|
||||
allowUsers: {{ output "echo" "$USER" }}
|
||||
port: 2214
|
||||
vpn:
|
||||
excludedSubnets:
|
||||
- 10.0.0.0/24
|
||||
|
|
|
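Review bot: `allowUsers: {{ output "echo" "$USER" }}` most likely renders as the literal text `$USER`, because chezmoi's `output` executes the command directly rather than through a shell, so the generated `AllowUsers $USER` line admits no real account and, combined with `AuthenticationMethods publickey` in the same commit, locks every user out once sshd is restarted. Use chezmoi's own variable instead, `allowUsers: {{ .chezmoi.username }}` (or `{{ env "USER" }}`). `allowTCPForwarding: no` is an unquoted YAML 1.1 boolean; whether it reaches the template as the string `no` or as `false` depends on the YAML library, and sshd does not accept `AllowTcpForwarding false`, so quote it as `allowTCPForwarding: 'no'`, the way `macosRemoteLogin: 'on'` is already quoted in this commit. The enclosing `data:` mapping starts before this hunk.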
@ -19,6 +19,7 @@ colors:
|
|||
color14: '#EB71AD'
|
||||
color15: '#24E5FF'
|
||||
color16: '#FFFFFF'
|
||||
macosRemoteLogin: 'on'
|
||||
themeparkTheme: aquamarine
|
||||
config:
|
||||
gpg: https://raw.githubusercontent.com/drduh/config/master/gpg.conf
|
||||
|
@ -638,6 +639,8 @@ softwareGroups:
|
|||
- ruby
|
||||
SSH: &SSH
|
||||
- assh
|
||||
- fail2ban
|
||||
- openssh-server
|
||||
- skm
|
||||
- ssh-vault
|
||||
- sshpass
|
||||
|
|
|
@ -12,6 +12,9 @@ sudo echo "Sudo access granted."
|
|||
# Log commands
|
||||
set +x
|
||||
|
||||
# Enable SSH access
|
||||
sudo systemsetup -setremotelogin {{ .macosRemoteLogin }}
|
||||
|
||||
# Close any open System Preferences panes, to prevent them from overriding
|
||||
# settings we’re about to change
|
||||
osascript -e 'tell application "System Preferences" to quit'
|
||||
|
|
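Review bot: `sudo systemsetup -setremotelogin {{ .macosRemoteLogin }}` will block waiting for keyboard confirmation when the value is `off`, because `systemsetup` asks "Do you really want to turn remote login off?" unless `-f` is given, and a chezmoi script has nobody to answer; use `sudo systemsetup -f -setremotelogin {{ .macosRemoteLogin }}`. Turning remote login on here starts the system sshd with whatever `/etc/ssh/sshd_config` currently holds; the hardened config added by this commit is installed by a separate script, and the ordering between the two is not visible in this hunk, so confirm the hardened config is in place before or immediately after this step. The earlier part of the script is outside the hunk.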
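--- a/home/dot_ssh/fail2ban/jail.local.tmpl
+++ b/home/dot_ssh/fail2ban/jail.local.tmpl
@@ -0,0 +1,4 @@
+[sshd]
+enabled = true
+port = {{ .host.ssh.port }}
+filter = sshd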
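--- a/home/dot_ssh/system/banner
+++ b/home/dot_ssh/system/banner
@@ -0,0 +1,5 @@
+WARNING! Authorized use only. Your IP address has been logged.
+
+If you choose to ignore this warning and discover a vulnerability
+that you can explain how to remediate, then please contact brian@megabyte.space
+for a bounty.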
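--- a/home/dot_ssh/system/run_onchanges_after_sshd.tmpl
+++ b/home/dot_ssh/system/run_onchanges_after_sshd.tmpl
@@ -0,0 +1,35 @@
+{{- if ne .host.distro.family "windows" }}
+#!/usr/bin/env bash
+
+### Update /etc/ssh/sshd_config if environment is not WSL
+if [[ ! "$(grep Microsoft /proc/version)" ]]; then
+if [ -d /etc/ssh ]; then
+logg info 'Copying ~/.ssh/system/banner to /etc/ssh/banner'
+sudo cp -f "$HOME/.ssh/system/banner" /etc/ssh/banner
+
+logg info 'Copying ~/.ssh/system/sshd_config to /etc/ssh/sshd_config'
+sudo cp -f "$HOME/.ssh/system/sshd_config" /etc/ssh/sshd_config
+
+### Restart SSH server
+if [ -d /Applications ] && [ -d /System ]; then
+# macOS
+logg info 'Running `sudo launchctl stop com.openssh.sshd`'
+sudo launchctl stop com.openssh.sshd
+logg info 'Running `sudo launchctl start com.openssh.sshd`'
+sudo launchctl start com.openssh.sshd
+else
+# Linux
+logg info 'Enabling the `sshd` service'
+sudo systemctl enable sshd
+logg info 'Restarting the `sshd` service'
+
+sudo service sshd restart
+fi
+else
+logg warn 'The /etc/ssh folder does not exist'
+fi
+else
+logg info 'Skipping sshd_config application since environment is WSL'
+fi
+
+{{ end -}}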
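Review bot: The script copies the rendered `sshd_config` over `/etc/ssh/sshd_config` and restarts sshd without validating it, so a template error or a bad rendered value (an `AllowUsers` entry that matches no account, for instance) takes down remote access with no way back in on a headless host. Insert `sudo sshd -t -f "$HOME/.ssh/system/sshd_config" || { logg error 'sshd_config failed validation, not installing it'; exit 1; }` before the `cp -f` lines so the restart only happens with a config sshd accepts. The file name `run_onchanges_after_sshd.tmpl` does not match chezmoi's `run_onchange_` attribute prefix; if this is the real source name rather than a forge rendering artefact, chezmoi would treat it as a plain `run_` script that re-copies the config and restarts sshd on every `chezmoi apply`, so rename it to `run_onchange_after_sshd.tmpl`.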
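--- a/home/dot_ssh/system/sshd_config.tmpl
+++ b/home/dot_ssh/system/sshd_config.tmpl
@@ -0,0 +1,131 @@
+# TODO - Figure out difference between /private/etc/ssh and /etc/ssh on macOS
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port {{ .host.ssh.port }}
+AddressFamily inet
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+### Host keys
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+### Ciphers and keyring
+#RekeyLimit default none
+
+### Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+### Authentication
+LoginGraceTime 60
+{{ if ne .host.distro.family "windows" }}
+PermitRootLogin no
+{{ else }}
+DenyGroups Administrators
+{{ end }}
+AllowUsers {{ .host.ssh.allowUsers }}
+#StrictModes yes
+MaxAuthTries 3
+#MaxSessions 10
+
+AuthenticationMethods publickey
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+{{ if ne .host.distro.family "windows" }}
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+{{ end }}
+
+# GSSAPI options
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+{{ if ne .host.distro.family "windows" }}
+#AllowAgentForwarding yes
+AllowTcpForwarding {{ .host.ssh.allowTCPForwarding }}
+
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 60
+ClientAliveCountMax 3
+UseDNS no
+# Experiment with this
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# pass locale information
+AcceptEnv LANG LC_*
+
+# no default banner path
+Banner /etc/ssh/banner
+
+# override default of no subsystems
+# TODO - Figure out how to detect the sftp path to place here. i.e. replicate the following Ansible logic
+# using Go templating:
+# - name: Find the path of the sftp-server executable
+# find:
+# paths: /usr
+# file_type: file
+# patterns: '*sftp-server'
+# recurse: true
+# register: sftp_executable
+#Subsystem sftp {/{ sftp_executable.files[0].path | default('internal-sftp') }/}
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+{{ end }}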
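Review bot: `Include /etc/ssh/sshd_config.d/*.conf` on the first line lets distribution drop-ins win over every hardening directive below it, because sshd keeps the first value it reads for each keyword; Ubuntu's `50-cloud-init.conf` (`PasswordAuthentication yes`) and Fedora's `50-redhat.conf` (`GSSAPIAuthentication yes`, `ChallengeResponseAuthentication yes`) are the common cases, so `PasswordAuthentication no`, `GSSAPIAuthentication no` and `AuthenticationMethods publickey` may never take effect on those hosts. Either drop the `Include` or move it to the last line of the file so the settings here take precedence, and check the effective result with `sudo sshd -T | grep -iE 'passwordauth|gssapiauth|authenticationmethods'` after applying. `AllowTcpForwarding {{ .host.ssh.allowTCPForwarding }}` also relies on the data value arriving as the literal string `no`; sshd rejects `false` for this keyword, so the data file should quote that value. The Windows branch keeps `UsePAM yes` and `Banner`-free output, but Win32-OpenSSH's handling of `UsePAM` is not something this hunk shows, so confirm it does not cause a config error there.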
15
software.yml
15
software.yml
|
@ -8275,6 +8275,21 @@ softwarePackages:
|
|||
- docker-ce
|
||||
- docker-ce-cli
|
||||
- docker-compose-plugin
|
||||
openssh-server:
|
||||
_service: sshd
|
||||
_when: '! "$(grep Microsoft /proc/version)"'
|
||||
apt: openssh-server
|
||||
dnf: openssh-server
|
||||
pacman: openssh
|
||||
fail2ban:
|
||||
_service: fail2ban
|
||||
# fail2ban cannot be installed on Qubes Fedora 36 without messing with the qubes-firewall since firewalld is required
|
||||
_when: '! command -v qubes-firewall > /dev/null && ! "$(grep Microsoft /proc/version)"'
|
||||
apt: fail2ban
|
||||
brew: fail2ban
|
||||
dnf: fail2ban
|
||||
pacman: fail2ban
|
||||
port: fail2ban
|
||||
boringtun:
|
||||
_bin: boringtun-cli
|
||||
_desc: BoringTun is an implementation of the WireGuard® protocol designed for portability and speed.
|
||||
|
|
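Review bot: `_when: '! "$(grep Microsoft /proc/version)"'` only behaves as a WSL guard if the consumer evaluates `_when` inside `[[ ]]`; executed as a plain shell command, both `! ""` and `! "Linux version ... Microsoft ..."` fail with "command not found" and the leading `!` turns either into success, so `openssh-server` and `fail2ban` would be installed on WSL anyway. The same test is written correctly as `[[ ! "$(grep Microsoft /proc/version)" ]]` in the sshd script of this commit, which suggests the bare form was copied without the brackets. If `_when` is run as a command, `'! grep -qs Microsoft /proc/version'` is the unambiguous form (`-s` also silences the missing `/proc/version` on macOS, where the `brew: fail2ban` entry applies); how `_when` is evaluated is not visible in this hunk, so check the installer before changing it. The `softwarePackages` mapping starts and ends outside the hunk.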