install.fairie/home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl

{{- if eq .host.distro.family "linux" -}}
#!/usr/bin/env bash
# @file Endlessh Configuration
# @brief Applies the Endlessh configuration and starts the service on Linux systems
# @description
# Endlessh is an endless SSH tarpit that slowly sends an infinitely long SSH welcome banner on the default
# SSH port. It is intended to waste the time of unsophisticated malware that targets SSH.
#
# If the `endlessh` program is installed, this script applies the configuration stored in `home/private_dot_ssh/endlessh/config.tmpl`
# (that unpacks with Chezmoi to `~/.ssh/endlessh/config`) to the system location and then starts the service.
#
# **Note:** _This script runs under the assumption that the actual SSH port which is defined in `home/.chezmoidata.yaml`
# is assigned to a non-standard port like 2214. This allows the default port to be used for `endlessh`._
#
# ## Links
#
# * [Endlessh GitHub repository](https://github.com/skeeto/endlessh)
# * [Endlessh configuration](https://github.com/megabyte-labs/install.doctor/blob/master/home/private_dot_ssh/endlessh/config.tmpl)
# @file Endlessh Configuration
# @brief This script configures Endlessh by applying the configuration stored in `${XDG_DATA_HOME:-$HOME/.ssh}/endlessh/config` if the `endlessh` application is available
# @description
# This script applies the Endlessh configuration stored in `${XDG_DATA_HOME:-$HOME/.ssh}/endlessh/config` if endlessh is installed.
# Endlessh is an SSH tarpit that listens for incoming connections on the given port and responds slowly with a random, endless SSH banner. To protect the real server,
# configure Endlessh to listen on the default SSH port (22) while the real server listens on a different port.
#
# ## Configuration Variables
#
# The following chart details the input variable(s) that are used to determine the configuration of the endlessh:
#
# | Variable | Description |
# |-----------------|------------------------------------------------------------|
# | `endlesshPort` | The port that endlessh listens to for incoming connections |
#
# ## Links
#
# * [Default Endlessh configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/endlessh/config.tmpl)
# * [Secrets / Environment variables documentation](https://install.doctor/docs/customization/secrets)
# endlessh config hash: {{- include (joinPath .host.home ".ssh" "endlessh" "config") | sha256sum -}}
{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}
### Configures endlessh service
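#######################################
# Grants endlessh the capability to bind the privileged SSH port and (re)starts the service.
# Rather than rewriting the packaged unit under /usr/lib/systemd/system with sed (which a
# package upgrade silently reverts, and which does nothing when the unit lives elsewhere,
# e.g. /lib/systemd/system), the two settings are written to a systemd drop-in that takes
# precedence over the packaged unit wherever it is installed.
# Globals:   none read; every privileged step runs through sudo
# Arguments: none
# Outputs:   progress messages via logg
# Returns:   0 on success; the failing step's status as soon as a privileged step fails
#######################################
function configureEndlessh() {
  local dropin_dir=/etc/systemd/system/endlessh.service.d
  local endlessh_bin
  ### Update the service configuration via a drop-in override
  logg info 'Updating endlessh service configuration file'
  sudo mkdir -p "$dropin_dir" || return
  # AmbientCapabilities lets the service bind port 22 without running as root. The original
  # also commented out PrivateUsers=true; presumably because the ambient capability does not
  # let the service bind host ports from inside the user namespace that setting creates — confirm.
  printf '%s\n' '[Service]' 'AmbientCapabilities=CAP_NET_BIND_SERVICE' 'PrivateUsers=no' \
    | sudo tee "$dropin_dir/override.conf" > /dev/null || return
  logg info 'Reloading systemd'
  sudo systemctl daemon-reload || return
  ### Update capabilities of `endlessh`
  # A file capability is a persistent grant that applies to every invocation of the binary,
  # not only to the service; it is retained from the original, but with AmbientCapabilities
  # set above it is redundant for the service itself and could be dropped for least privilege.
  # The path is resolved from PATH (as the caller's `command -v` check does) instead of being
  # hard-coded, falling back to the original location.
  endlessh_bin="$(command -v endlessh || printf '%s' /usr/bin/endlessh)"
  logg info 'Updating capabilities of endlessh'
  sudo setcap 'cap_net_bind_service=+ep' "$endlessh_bin" || return
  ### Restart / enable Endlessh
  logg info 'Enabling the endlessh service'
  sudo systemctl enable endlessh || return
  logg info 'Restarting the endlessh service'
  sudo systemctl restart endlessh
}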
### Update /etc/endlessh/config if environment is not WSL
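# The original WSL test never fired: `test -d proc` checked a relative directory, and the
# command substitution captured grep's stdout, which was redirected to /dev/null, so the
# tested string was always empty. Test grep's exit status directly instead; `-i` also
# matches the lower-case "microsoft" kernel string seen on newer WSL releases.
if [ -r /proc/version ] && grep -qi microsoft /proc/version; then
  logg info 'Skipping Endlessh configuration since environment is WSL'
elif ! command -v endlessh > /dev/null; then
  logg info 'Skipping Endlessh configuration because the endlessh executable is not available in the PATH'
else
  # Source is the Chezmoi-managed config in the user's home; the destination depends on the
  # packaging layout (directory vs. single file). Decide the destination once so the copy and
  # configure steps are not duplicated per branch.
  ENDLESSH_CONFIG_SRC="$HOME/.ssh/endlessh/config"
  ENDLESSH_CONFIG_DEST=""
  if [ -d /etc/endlessh ]; then
    ENDLESSH_CONFIG_DEST=/etc/endlessh/config
  elif [ -f /etc/endlessh.conf ]; then
    ENDLESSH_CONFIG_DEST=/etc/endlessh.conf
  fi
  if [ -z "$ENDLESSH_CONFIG_DEST" ]; then
    logg warn 'Neither the /etc/endlessh folder nor the /etc/endlessh.conf file exist'
  elif [ ! -f "$ENDLESSH_CONFIG_SRC" ]; then
    # Previously a missing source made cp fail but the service was reconfigured anyway.
    logg error "Endlessh configuration $ENDLESSH_CONFIG_SRC does not exist" && exit 1
  else
    # NOTE(review): nothing here verifies that sshd has actually moved off port 22 (see the
    # header note); if it has not, endlessh will presumably fail to bind — confirm.
    logg info "Copying ~/.ssh/endlessh/config to $ENDLESSH_CONFIG_DEST"
    CONFIGURE_EXIT_CODE=""
    # A failed copy is now treated as a failure instead of silently continuing.
    { sudo cp -f "$ENDLESSH_CONFIG_SRC" "$ENDLESSH_CONFIG_DEST" && configureEndlessh; } || CONFIGURE_EXIT_CODE=$?
    if [ -n "$CONFIGURE_EXIT_CODE" ]; then
      logg error 'Configuring endlessh service failed' && exit 1
    else
      logg success 'Successfully configured endlessh service'
    fi
  fi
fi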
{{ end -}}