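#######################################
# Escape a literal string for use inside a grep -E pattern, so that an
# admin-network value such as 10.0.0.0 cannot also match "10x0x0x0".
# Arguments: $1 - literal text
# Outputs:   escaped text on stdout
#######################################
_ssh_check_re_escape() {
  printf '%s\n' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'
}

#######################################
# Audit the sshd configuration file and append one ';'-terminated finding
# per failed check to SSH_CONFIG_CHECK_FAILED.
#
# Checks (keyword matching is case-insensitive, like sshd's own parser,
# and the value must be separated from the keyword by blanks):
#   - PasswordAuthentication must be explicitly 'no'
#   - PermitRootLogin must be explicitly 'no' (yes, prohibit-password,
#     without-password and forced-commands-only all count as enabled)
#   - every ListenAddress must start with the IPv4 or IPv6 admin-LAN value,
#     and both admin-LAN values must be present
#
# Only the main file is scanned: directives pulled in through `Include`
# and per-`Match` overrides are not resolved, so a value that lives only in
# an included file is reported as missing, and a value inside a Match block
# is treated as global. `sshd -T` shows the effective configuration.
#
# Globals:   SSHD_CONFIG (read, optional; default /etc/ssh/sshd_config)
#            IPV4_ADMIN_NETWORK, IPV6_ADMIN_NETWORK (read)
#            RED, GREEN, BLUE, NC (read, colour escapes)
#            SSH_CONFIG_CHECK_FAILED (appended to)
#            SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN (written)
# Outputs:   human-readable check results on stdout
# Returns:   0
#######################################
check_ssh_config() {
  local cfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}
  # Regex fragments: optional leading blanks, at least one blank between
  # keyword and value, and "value is followed by a blank or end of line".
  local kw_pfx='^[[:space:]]*'
  local sep='[[:space:]]+'
  local eol='([[:space:]]|$)'

  echo "-------------------------------------------------"
  echo -e "-------------- ${BLUE}CHECK SSH CONFIG${NC} -----------------"
  echo -e "-------------------------------------------------\n"
  echo -e "Check ${BLUE}SSH${NC} config file ${cfg}"

  # An unreadable file would otherwise make every grep fail and produce
  # misleading "not set" findings.
  if [ ! -r "$cfg" ]; then
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Cannot read ${cfg} ;"
    echo -e "${RED}Service SSH config file ${cfg} is not readable : check KO${NC}\n"
    return 0
  fi

  # --- PasswordAuthentication -------------------------------------------
  if grep -qiE "${kw_pfx}PasswordAuthentication${sep}yes${eol}" "$cfg"; then
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is enabled, disable it ;"
    echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
  elif ! grep -qiE "${kw_pfx}PasswordAuthentication${sep}no${eol}" "$cfg"; then
    # Not explicitly disabled: the compiled-in default applies, which this
    # check does not trust.
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;"
    echo -e "${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
  else
    echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PasswordAuthentication : check OK${NC}\n"
  fi

  # --- PermitRootLogin --------------------------------------------------
  local root_enabled='(yes|prohibit-password|without-password|forced-commands-only)'
  if grep -qiE "${kw_pfx}PermitRootLogin${sep}${root_enabled}${eol}" "$cfg"; then
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is enabled, disable it ;"
    echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
  elif ! grep -qiE "${kw_pfx}PermitRootLogin${sep}no${eol}" "$cfg"; then
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;"
    echo -e "${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
  else
    echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for PermitRootLogin : check OK${NC}\n"
  fi

  # --- ListenAddress ----------------------------------------------------
  # An empty admin-network value would turn the patterns below into
  # "match any ListenAddress", so the check is reported as failed instead.
  if [ -z "${IPV4_ADMIN_NETWORK:-}" ] || [ -z "${IPV6_ADMIN_NETWORK:-}" ]; then
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} IPV4_ADMIN_NETWORK or IPV6_ADMIN_NETWORK is empty, ListenAddress not checked ;"
    echo -e "${RED}Service SSH ListenAddress check cannot run, IPV4_ADMIN_NETWORK or IPV6_ADMIN_NETWORK is empty : check KO${NC}\n"
    return 0
  fi

  local v4_re v6_re listen_v4 listen_v6
  v4_re=$(_ssh_check_re_escape "$IPV4_ADMIN_NETWORK")
  v6_re=$(_ssh_check_re_escape "$IPV6_ADMIN_NETWORK")
  # Prefix match on purpose: the admin-network value may be a network
  # prefix rather than a full address.
  listen_v4="${kw_pfx}ListenAddress${sep}${v4_re}"
  listen_v6="${kw_pfx}ListenAddress${sep}${v6_re}"

  # Lines surviving grep -v are ListenAddress entries outside the admin LAN.
  SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN=$(grep -iE "${kw_pfx}ListenAddress${sep}" "$cfg" \
    | grep -viE -e "$listen_v4" -e "$listen_v6")
  if [ -n "$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN" ]; then
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' ;"
    echo -e "${RED}Service SSH has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' : check KO${NC}\n"
  elif ! grep -qiE "$listen_v4" "$cfg" || ! grep -qiE "$listen_v6" "$cfg"; then
    # No stray address, but without both admin-LAN entries sshd falls back
    # to listening on every interface.
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN ;"
    echo -e "${RED}Service SSH has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN : check KO${NC}\n"
  else
    echo -e "${GREEN}Service SSH has GOOD CONFIGURATION for ListenAddress : check OK${NC}\n"
  fi
  return 0
}

check_ssh_config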