This repository was archived by the owner on Jul 9, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathSSH.java
More file actions
172 lines (149 loc) · 8.6 KB
/
Copy pathSSH.java
File metadata and controls
172 lines (149 loc) · 8.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
package profile;
import java.util.Vector;
import core.iface.IUnit;
import core.model.NetworkModel;
import core.model.ServerModel;
import core.profile.AStructuredProfile;
import core.unit.SimpleUnit;
import core.unit.fs.DirOwnUnit;
import core.unit.fs.DirPermsUnit;
import core.unit.fs.DirUnit;
import core.unit.fs.FileOwnUnit;
import core.unit.fs.FilePermsUnit;
import core.unit.fs.FileUnit;
import core.unit.pkg.InstalledUnit;
import core.unit.pkg.RunningUnit;
public class SSH extends AStructuredProfile {
public SSH(ServerModel me, NetworkModel networkModel) {
super("sshd", me, networkModel);
}
protected Vector<IUnit> getInstalled() {
Vector<IUnit> units = new Vector<IUnit>();
units.addElement(new InstalledUnit("sshd", "openssh-server"));
return units;
}
protected Vector<IUnit> getPersistentConfig() {
Vector<IUnit> units = new Vector<IUnit>();
String sshdconf = "";
sshdconf += "Port " + networkModel.getData().getSSHPort(me.getLabel()) + "\n";
//sshdconf += (((ServerModel)me).isRouter()) ? "ListenAddress " + networkModel.getData().getIP().getHostAddress() + "\n" : "";
sshdconf += "Protocol 2\n";
sshdconf += "HostKey /etc/ssh/ssh_host_rsa_key\n";
sshdconf += "HostKey /etc/ssh/ssh_host_ed25519_key\n";
sshdconf += "UsePrivilegeSeparation yes\n";
sshdconf += "KeyRegenerationInterval 3600\n";
sshdconf += "ServerKeyBits 1024\n";
sshdconf += "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com\n";
sshdconf += "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
sshdconf += "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
sshdconf += "SyslogFacility AUTH\n";
sshdconf += "LogLevel INFO\n";
sshdconf += "LoginGraceTime 120\n";
sshdconf += "PermitRootLogin no\n";
sshdconf += "StrictModes yes\n";
sshdconf += "RSAAuthentication yes\n";
sshdconf += "PubkeyAuthentication yes\n";
sshdconf += "AuthorizedKeysFile %h/.ssh/authorized_keys\n";
sshdconf += "IgnoreRhosts yes\n";
sshdconf += "RhostsRSAAuthentication no\n";
sshdconf += "HostbasedAuthentication no\n";
sshdconf += "PermitEmptyPasswords no\n";
sshdconf += "PasswordAuthentication no\n";
sshdconf += "ChallengeResponseAuthentication no\n";
sshdconf += "X11Forwarding yes\n";
sshdconf += "X11DisplayOffset 10\n";
sshdconf += "PrintMotd no\n"; //This is handled by PAM anyway
sshdconf += "PrintLastLog yes\n";
sshdconf += "TCPKeepAlive yes\n";
sshdconf += "AcceptEnv LANG LC_*\n";
sshdconf += "Subsystem sftp /usr/lib/openssh/sftp-server\n";
sshdconf += "UsePAM yes\n";
sshdconf += "Banner /etc/ssh/sshd_banner\n";
sshdconf += "MaxSessions 1";
units.addElement(((ServerModel)me).getConfigsModel().addConfigFile("sshd", "proceed", sshdconf, "/etc/ssh/sshd_config"));
//This banner is taken from https://www.dedicatedukhosting.com/hosting/adding-ssh-welcome-and-warning-messages/
String banner = "";
banner += "************************NOTICE***********************\n" +
"This system is optimised and configured with security and logging as a\n" +
"priority. All user activity is logged and streamed offsite. Individuals\n" +
"or groups using this system in excess of their authorisation will have\n" +
"all access terminated. Illegal access of this system or attempts to\n" +
"limit or restrict access to authorised users (such as DoS attacks) will\n" +
"be reported to national and international law enforcement bodies. We\n" +
"will prosecute to the fullest extent of the law regardless of the funds\n" +
"required. Anyone using this system consents to these terms and the laws\n" +
"of the United Kingdom and United States respectively.\n" +
"************************NOTICE***********************";
units.addElement(((ServerModel)me).getConfigsModel().addConfigFile("sshd_banner", "proceed", banner, "/etc/ssh/banner"));
units.addElement(new DirUnit("motd", "proceed", "/etc/update-motd.d/"));
// Elements of this motd banner are taken from https://nickcharlton.net/posts/debian-ubuntu-dynamic-motd.html
// (c) 2009-2010 Canonical Ltd
// (c) 2013 Nick Charlton
// Released under GPL
String motd = "";
motd += "#!/bin/bash\n";
motd += "echo \\\"This machine is a Thornsec configured machine.\\\"\n";
motd += "echo \\\"_Logging in to configure this machine manually is highly discouraged!_\\\"\n";
motd += "echo \\\"Please only continue if you know what you're doing!\\\"\n";
motd += "echo\n";
motd += "date=\\`date\\`\n";
motd += "load=\\`cat /proc/loadavg | awk '{print \\$1}'\\`\n";
motd += "root_usage=\\`df -h / | awk '/\\// {print \\$(NF-1)}'\\`\n";
motd += "memory_usage=\\`free -m | awk '/Mem/ { printf(\\\"%3.1f%%\\\", \\$3/\\$2*100) }'\\`\n";
motd += "swap_usage=\\`free -m | awk '/Swap/ { printf(\\\"%3.1f%%\\\", \\$3/\\$2*100) }'\\`\n";
motd += "users=\\`users | wc -w\\`\n";
motd += "echo \\\"System information as of: \\${date}\\\"\n";
motd += "echo\n";
motd += "printf \\\"System load:\\t%s\\tMemory usage:\\t%s\\n\\\" \\${load} \\${memory_usage}\n";
motd += "printf \\\"Usage on /:\\t%s\\tSwap usage:\\t%s\\n\\\" \\${root_usage} \\${swap_usage}\n";
motd += "printf \\\"Currently logged in users:\\t%s\\n\\\" \\${users}\n";
motd += "echo\n";
motd += "echo \\\"HERE BE DRAGONS.\\\"\n";
motd += "echo";
units.addElement(((ServerModel)me).getConfigsModel().addConfigFile("sshd_motd", "proceed", motd, "/etc/update-motd.d/00-motd"));
units.addElement(new FilePermsUnit("sshd_motd_perms", "sshd_motd_config", "/etc/update-motd.d/00-motd", "755"));
units.addElement(new SimpleUnit("sshd_rsa", "sshd_config",
"echo -e \"y\\n\" | sudo ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N \"\" -t rsa -b 4096",
"sudo ssh-keygen -lf /etc/ssh/ssh_host_rsa_key | awk '{print $1}'", "4096", "pass",
"Couldn't generate you a new SSH key. This isn't too bad, but try re-running the script to get it to work."));
// Secure sshd as per
// https://stribika.github.io/2015/01/04/secure-secure-shell.html
units.addElement(new SimpleUnit("sshd_ed25519", "sshd_config",
"echo -e \"y\\n\" | sudo ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N \"\" -t ed25519",
"sudo ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key | awk '{print $1}'", "256", "pass",
"Couldn't generate you a strong ed25519 SSH key. This isn't too bad, but try re-running the script to get it to work."));
units.addElement(new SimpleUnit("sshd_moduli_exists", "sshd_config",
"sudo ssh-keygen -G /etc/ssh/moduli.all -b 4096;"
+ "sudo ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all;"
+ "sudo mv /etc/ssh/moduli.safe /etc/ssh/moduli;" + "sudo rm /etc/ssh/moduli.all",
"cat /etc/ssh/moduli", "", "fail",
"Couldn't generate new moduli for your SSH daemon. This is undesirable, please try re-running the script."));
units.addElement(new SimpleUnit("sshd_moduli_not_weak", "sshd_moduli_exists",
"awk '$5 > 2000' /etc/ssh/moduli > /tmp/moduli;" + "sudo mv /tmp/moduli /etc/ssh/moduli;",
"awk '$5 <= 2000' /etc/ssh/moduli", "", "pass",
"Couldn't remove weak moduli from your SSH daemon. This is undesirable, as it weakens your security. Please re-run the script to try and get this to work."));
for (String admin : networkModel.getData().getAdmins(me.getLabel())) {
String sshDir = "/home/" + admin + "/.ssh";
String keys = sshDir + "/authorized_keys";
//Create the .ssh dir for the user, with the correct permissions
units.addElement(new DirUnit("ssh_dir_" + admin, "sshd_config", sshDir));
units.addElement(new DirOwnUnit("ssh_dir_" + admin, "ssh_dir_" + admin + "_created", sshDir, admin));
units.addElement(new DirPermsUnit("ssh_dir_" + admin, "ssh_dir_" + admin + "_chowned", sshDir, "755"));
//Create the authorized_keys file, with root permissions (we don't want users to be able to add arbitrary keys)
units.addElement(new FileUnit("ssh_key_" + admin, "ssh_dir_" + admin + "_created", networkModel.getData().getUserSSHKey(admin), keys));
units.addElement(new FileOwnUnit("ssh_key_" + admin, "ssh_key_" + admin, keys, "root"));
units.addElement(new FilePermsUnit("ssh_key_" + admin, "ssh_key_" + admin + "_chowned", keys, "644"));
}
return units;
}
public Vector<IUnit> getNetworking() {
Vector<IUnit> units = new Vector<IUnit>();
me.addRequiredListen(networkModel.getData().getSSHPort(me.getLabel()));
return units;
}
protected Vector<IUnit> getLiveConfig() {
Vector<IUnit> units = new Vector<IUnit>();
units.addElement(new RunningUnit("sshd", "sshd", "sshd"));
return units;
}
}