diff --git a/home/.chezmoi.yaml.tmpl b/home/.chezmoi.yaml.tmpl
index d9201d97..6d688309 100644
--- a/home/.chezmoi.yaml.tmpl
+++ b/home/.chezmoi.yaml.tmpl
@@ -137,6 +137,10 @@ data:
 dns:
 primary: 10.0.0.1#dns.megabyte.space
 secondary: 1.1.1.1#cloudflare-dns.com
+ ssh:
+ allowTCPForwarding: no
+ allowUsers: {{ output "echo" "$USER" }}
+ port: 2214
 vpn:
 excludedSubnets:
 - 10.0.0.0/24
diff --git a/home/.chezmoidata.yaml b/home/.chezmoidata.yaml
index 0905e472..3cad05c0 100644
--- a/home/.chezmoidata.yaml
+++ b/home/.chezmoidata.yaml
@@ -19,6 +19,7 @@ colors:
 color14: '#EB71AD'
 color15: '#24E5FF'
 color16: '#FFFFFF'
+macosRemoteLogin: 'on'
 themeparkTheme: aquamarine
 config:
 gpg: https://raw.githubusercontent.com/drduh/config/master/gpg.conf
@@ -638,6 +639,8 @@ softwareGroups:
 - ruby
 SSH: &SSH
 - assh
+ - fail2ban
+ - openssh-server
 - skm
 - ssh-vault
 - sshpass
diff --git a/home/.chezmoiscripts/darwin/run_onchange_after_10-configure-macos.tmpl b/home/.chezmoiscripts/darwin/run_onchange_after_10-configure-macos.tmpl
index 52646792..c4b3cf2e 100644
--- a/home/.chezmoiscripts/darwin/run_onchange_after_10-configure-macos.tmpl
+++ b/home/.chezmoiscripts/darwin/run_onchange_after_10-configure-macos.tmpl
@@ -12,6 +12,9 @@ sudo echo "Sudo access granted."
 # Log commands
 set +x
+# Enable SSH access
+sudo systemsetup -setremotelogin {{ .macosRemoteLogin }}
+
 # Close any open System Preferences panes, to prevent them from overriding
 # settings we’re about to change
 osascript -e 'tell application "System Preferences" to quit'
diff --git a/home/dot_ssh/fail2ban/jail.local.tmpl b/home/dot_ssh/fail2ban/jail.local.tmpl
new file mode 100644
index 00000000..ce245273
--- /dev/null
+++ b/home/dot_ssh/fail2ban/jail.local.tmpl
@@ -0,0 +1,4 @@
+[sshd]
+enabled = true
+port = {{ .host.ssh.port }}
+filter = sshd
diff --git a/home/dot_ssh/system/banner b/home/dot_ssh/system/banner
new file mode 100644
index 00000000..87acf198
--- /dev/null
+++ b/home/dot_ssh/system/banner
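Review bot: `allowUsers: {{ output "echo" "$USER" }}` does not yield the login name as far as I can tell — chezmoi's `output` executes the command directly rather than through a shell, so echo receives the literal string `$USER` and the rendered sshd_config ends with `AllowUsers $USER`, which matches no account and, together with `PasswordAuthentication no`, locks everyone out of the host; `allowUsers: "{{ .chezmoi.username }}"` is the value chezmoi already provides. `allowTCPForwarding: no` is an unquoted YAML 1.1 boolean: depending on the decoder it arrives as `false` and renders `AllowTcpForwarding false`, which sshd rejects and refuses to start on; quote it as `'no'` so the literal sshd keyword is what reaches the template. A trailing comment on `port: 2214` noting that the fail2ban jail and any firewall rule must agree with it would help, since both read it through `.host.ssh.port`.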
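Review bot: `sudo systemsetup -setremotelogin {{ .macosRemoteLogin }}` enables sshd on every Mac that applies these dotfiles, because `.chezmoidata.yaml` in this same commit defaults `macosRemoteLogin` to `'on'`; I cannot see from here in which order chezmoi runs this script and the sshd script under `~/.ssh/system`, and if this one runs first, Apple's stock sshd_config (password authentication allowed) is live until the hardened copy lands. Defaulting the data value to `'off'` so hosts opt in, or moving the enable step into the sshd script after the config has been copied and validated, closes that window. The comment could make the dependency explicit: `# Enable SSH access (macosRemoteLogin in .chezmoidata.yaml); the hardened sshd_config is applied separately by ~/.ssh/system`.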
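Review bot: The jail is installed to `~/.ssh/fail2ban/jail.local`, but nothing in this diff copies it into `/etc/fail2ban/jail.d/` or `/etc/fail2ban/jail.local`, so fail2ban keeps its stock configuration and, where the distro enables the sshd jail by default, bans on port `ssh` rather than on `{{ .host.ssh.port }}`. The sshd script could install it next to sshd_config, e.g. `sudo cp -f "$HOME/.ssh/fail2ban/jail.local" /etc/fail2ban/jail.d/sshd.local` followed by a fail2ban restart. `bantime`, `findtime` and `maxretry` are inherited from fail2ban's defaults, which is fine but worth stating in a comment so the four-line file reads as deliberate.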
@@ -0,0 +1,5 @@
+WARNING! Authorized use only. Your IP address has been logged.
+
+If you choose to ignore this warning and discover a vulnerability
+that you can explain how to remediate, then please contact brian@megabyte.space
+for a bounty.
diff --git a/home/dot_ssh/system/run_onchanges_after_sshd.tmpl b/home/dot_ssh/system/run_onchanges_after_sshd.tmpl
new file mode 100644
index 00000000..eefa3927
--- /dev/null
+++ b/home/dot_ssh/system/run_onchanges_after_sshd.tmpl
@@ -0,0 +1,35 @@
+{{- if ne .host.distro.family "windows" }}
+#!/usr/bin/env bash
+
+### Update /etc/ssh/sshd_config if environment is not WSL
+if [[ ! "$(grep Microsoft /proc/version)" ]]; then
+ if [ -d /etc/ssh ]; then
+ logg info 'Copying ~/.ssh/system/banner to /etc/ssh/banner'
+ sudo cp -f "$HOME/.ssh/system/banner" /etc/ssh/banner
+
+ logg info 'Copying ~/.ssh/system/sshd_config to /etc/ssh/sshd_config'
+ sudo cp -f "$HOME/.ssh/system/sshd_config" /etc/ssh/sshd_config
+
+ ### Restart SSH server
+ if [ -d /Applications ] && [ -d /System ]; then
+ # macOS
+ logg info 'Running `sudo launchctl stop com.openssh.sshd`'
+ sudo launchctl stop com.openssh.sshd
+ logg info 'Running `sudo launchctl start com.openssh.sshd`'
+ sudo launchctl start com.openssh.sshd
+ else
+ # Linux
+ logg info 'Enabling the `sshd` service'
+ sudo systemctl enable sshd
+ logg info 'Restarting the `sshd` service'
+
+ sudo service sshd restart
+ fi
+ else
+ logg warn 'The /etc/ssh folder does not exist'
+ fi
+else
+ logg info 'Skipping sshd_config application since environment is WSL'
+fi
+
+{{ end -}}
diff --git a/home/dot_ssh/system/sshd_config.tmpl b/home/dot_ssh/system/sshd_config.tmpl
new file mode 100644
index 00000000..ca841bc6
--- /dev/null
+++ b/home/dot_ssh/system/sshd_config.tmpl
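Review bot: The rendered config is copied over `/etc/ssh/sshd_config` and sshd is restarted without any validation step, so a bad rendered value — an empty or literal `$USER` in `AllowUsers`, a rejected `AllowTcpForwarding` argument, an `Include` the installed OpenSSH does not understand — leaves the host with no working sshd, which on a remote machine is a lockout. Keep a copy of the previous file and run `sudo sshd -t` before restarting, restoring the backup when the check fails, as below. The file is named `run_onchanges_after_sshd.tmpl`; if chezmoi only recognises the `run_onchange_` attribute, this is a plain `run_` script that executes and restarts sshd on every apply, so `run_onchange_after_sshd.tmpl` looks intended. On Debian/Ubuntu the unit is `ssh` rather than `sshd`, so `systemctl enable sshd` may fail there, and the `[ -d /Applications ] && [ -d /System ]` macOS detection deserves a comment saying that is what it is.
```shell
logg info 'Copying ~/.ssh/system/sshd_config to /etc/ssh/sshd_config'
[ -f /etc/ssh/sshd_config ] && sudo cp -f /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo cp -f "$HOME/.ssh/system/sshd_config" /etc/ssh/sshd_config
# Refuse to restart on a config sshd itself rejects; put the previous file back instead
if ! sudo sshd -t; then
  logg error 'Rendered sshd_config failed `sshd -t`; restoring the previous config and skipping the restart'
  [ -f /etc/ssh/sshd_config.bak ] && sudo cp -f /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
  exit 1
fi
# … unchanged: restart sshd (launchctl on macOS, systemctl/service on Linux) …
```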
@@ -0,0 +1,131 @@
+# TODO - Figure out difference between /private/etc/ssh and /etc/ssh on macOS
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port {{ .host.ssh.port }}
+AddressFamily inet
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+### Host keys
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+### Ciphers and keyring
+#RekeyLimit default none
+
+### Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+### Authentication
+LoginGraceTime 60
+{{ if ne .host.distro.family "windows" }}
+PermitRootLogin no
+{{ else }}
+DenyGroups Administrators
+{{ end }}
+AllowUsers {{ .host.ssh.allowUsers }}
+#StrictModes yes
+MaxAuthTries 3
+#MaxSessions 10
+
+AuthenticationMethods publickey
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+{{ if ne .host.distro.family "windows" }}
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+{{ end }}
+
+# GSSAPI options
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+{{ if ne .host.distro.family "windows" }}
+#AllowAgentForwarding yes
+AllowTcpForwarding {{ .host.ssh.allowTCPForwarding }}
+
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 60
+ClientAliveCountMax 3
+UseDNS no
+# Experiment with this
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# pass locale information
+AcceptEnv LANG LC_*
+
+# no default banner path
+Banner /etc/ssh/banner
+
+# override default of no subsystems
+# TODO - Figure out how to detect the sftp path to place here. i.e. replicate the following Ansible logic
+# using Go templating:
+# - name: Find the path of the sftp-server executable
+# find:
+# paths: /usr
+# file_type: file
+# patterns: '*sftp-server'
+# recurse: true
+# register: sftp_executable
+#Subsystem sftp {/{ sftp_executable.files[0].path | default('internal-sftp') }/}
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+{{ end }}
diff --git a/software.yml b/software.yml
index 51ae637b..bb5216f5 100644
--- a/software.yml
+++ b/software.yml
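Review bot: `Include /etc/ssh/sshd_config.d/*.conf` is the first directive in the file, and sshd keeps the first value it reads for each keyword, so any distro or cloud-image drop-in in that directory (several ship a `PasswordAuthentication yes`) silently overrides the hardening written below it — `PasswordAuthentication no`, `PermitRootLogin no`, `AllowUsers`, `MaxAuthTries 3`. Moving the `Include` to the end of the file, or dropping it, makes this file authoritative; on OpenSSH releases that predate `Include` the directive is a fatal parse error, which is a second reason for an `sshd -t` check before any restart. `AuthenticationMethods publickey` with `PasswordAuthentication no` and `UsePAM yes` is a consistent combination, but the nine-line PAM comment inherited above `UsePAM yes` now describes options this file disables; replacing it with `# UsePAM yes is kept for account/session processing only; PAM password and keyboard-interactive auth are disabled above` keeps the file honest. The `AllowUsers` line is only as good as the `.host.ssh.allowUsers` value rendered into it, so a comment pointing at where that value is defined would help the next reader debug a lockout.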
@@ -8275,6 +8275,21 @@ softwarePackages:
 - docker-ce
 - docker-ce-cli
 - docker-compose-plugin
+ openssh-server:
+ _service: sshd
+ _when: '! "$(grep Microsoft /proc/version)"'
+ apt: openssh-server
+ dnf: openssh-server
+ pacman: openssh
+ fail2ban:
+ _service: fail2ban
+ # fail2ban cannot be installed on Qubes Fedora 36 without messing with the qubes-firewall since firewalld is required
+ _when: '! command -v qubes-firewall > /dev/null && ! "$(grep Microsoft /proc/version)"'
+ apt: fail2ban
+ brew: fail2ban
+ dnf: fail2ban
+ pacman: fail2ban
+ port: fail2ban
 boringtun:
 _bin: boringtun-cli
 _desc: BoringTun is an implementation of the WireGuard® protocol designed for portability and speed.
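Review bot: `_when: '! "$(grep Microsoft /proc/version)"'` on `openssh-server` (and the second clause of fail2ban's `_when`) is not a string test: if the installer evaluates `_when` as a shell command line, `! "…"` tries to execute grep's output as a command name, which fails whether or not the host is WSL, and the leading `!` turns that failure into "true" in both cases, so the WSL exclusion never fires. `! grep -q Microsoft /proc/version` (and `! command -v qubes-firewall > /dev/null && ! grep -q Microsoft /proc/version`) expresses the intent without depending on how the condition is wrapped; I cannot see the consumer of `_when` from here, so if it already wraps the string in `[[ … ]]` the current form happens to work. A comment on `openssh-server` noting that macOS is served by the built-in sshd (hence no `brew` entry) would explain the asymmetry with `fail2ban`.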