recipe_gentoo/recipes/recipe_check_ssh_config.sh


# Banner for the sshd_config checks below. BLUE and NC are expected to be
# defined by the sourcing script (colour escape sequences, hence '%b').
printf '%s\n' "-------------------------------------------------"
printf '%b\n' "-------------- ${BLUE}CHECK SSH CONFIG${NC} -----------------"
printf '%b\n' "-------------------------------------------------\n"
# Only the main sshd_config file is inspected by the checks that follow.
printf '%b\n' "Check ${BLUE}SSH${NC} config file /etc/ssh/sshd_config"
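#######################################
# Check the PasswordAuthentication directive of sshd_config.
# Only the given file is inspected: Include'd fragments and Match blocks are
# not evaluated (`sshd -T` prints the effective configuration). sshd keywords
# are case-insensitive, so the directive is matched with `grep -i`.
# A failure is recorded when the directive is 'yes' OR when no explicit 'no'
# is present: sshd enables password authentication by default.
# Arguments: $1 - sshd_config path (default /etc/ssh/sshd_config)
# Globals:   SSH_CONFIG_CHECK_FAILED (appended), RED, GREEN, NC (read)
# Outputs:   one result line on stdout
# Returns:   0 always; the outcome is recorded in SSH_CONFIG_CHECK_FAILED
#######################################
check_sshd_password_authentication() {
  local config_file="${1:-/etc/ssh/sshd_config}"
  local -r keyword='^[[:space:]]*PasswordAuthentication[[:space:]]+'
  # Value must be a whole token: 'no' must not match 'noXYZ'.
  local -r eol='([[:space:]]|$)'
  local -r ko_msg="${RED}Service SSH has BAD CONFIGURATION for PasswordAuthentication : check KO${NC}\n"
  if grep -q -i -E -- "${keyword}yes${eol}" "$config_file"; then
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is enabled, disable it ;"
    printf '%b\n' "$ko_msg"
  elif ! grep -q -i -E -- "${keyword}no${eol}" "$config_file"; then
    # Directive absent (or file unreadable): the default applies, which is 'yes'.
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PasswordAuthentication is not set to 'no', set 'PasswordAuthentication no' ;"
    printf '%b\n' "$ko_msg"
  else
    printf '%b\n' "${GREEN}Service SSH has GOOD CONFIGURATION for PasswordAuthentication : check OK${NC}\n"
  fi
}
check_sshd_password_authentication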
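#######################################
# Check the PermitRootLogin directive of sshd_config.
# Only the given file is inspected (no Include, no Match evaluation); the
# keyword is matched case-insensitively like sshd does.
# 'yes', 'prohibit-password' and its deprecated alias 'without-password' all
# let root log in (with a password or a key) and are reported as enabled.
# Any other value, or no directive at all (sshd's default is
# prohibit-password), is reported as "not set to 'no'".
# Arguments: $1 - sshd_config path (default /etc/ssh/sshd_config)
# Globals:   SSH_CONFIG_CHECK_FAILED (appended), RED, GREEN, NC (read)
# Outputs:   one result line on stdout
# Returns:   0 always; the outcome is recorded in SSH_CONFIG_CHECK_FAILED
#######################################
check_sshd_permit_root_login() {
  local config_file="${1:-/etc/ssh/sshd_config}"
  local -r keyword='^[[:space:]]*PermitRootLogin[[:space:]]+'
  local -r eol='([[:space:]]|$)'
  local -r ko_msg="${RED}Service SSH has BAD CONFIGURATION for PermitRootLogin : check KO${NC}\n"
  if grep -q -i -E -- "${keyword}(yes|prohibit-password|without-password)${eol}" "$config_file"; then
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is enabled, disable it ;"
    printf '%b\n' "$ko_msg"
  elif ! grep -q -i -E -- "${keyword}no${eol}" "$config_file"; then
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} PermitRootLogin is not set to 'no', set 'PermitRootLogin no' ;"
    printf '%b\n' "$ko_msg"
  else
    printf '%b\n' "${GREEN}Service SSH has GOOD CONFIGURATION for PermitRootLogin : check OK${NC}\n"
  fi
}
check_sshd_permit_root_login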
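#######################################
# Escape ERE metacharacters so a value taken from a variable is matched
# literally ('.' in an IPv4 prefix must not match any character).
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout
#######################################
_sshd_regex_escape() {
  printf '%s\n' "$1" | sed -e 's/[][\.*^$+?(){}|]/\\&/g'
}

#######################################
# Check that sshd only listens on the Admin LAN.
# IPV4_ADMIN_NETWORK / IPV6_ADMIN_NETWORK are used as address PREFIXES (no end
# anchor), so a network prefix such as '192.168.1.' keeps working. The check
# fails closed when either variable is empty, because an empty prefix would
# make every ListenAddress look like an Admin LAN one. ListenAddress lines are
# matched with or without leading whitespace, like the other directives.
# Arguments: $1 - sshd_config path (default /etc/ssh/sshd_config)
# Globals:   IPV4_ADMIN_NETWORK, IPV6_ADMIN_NETWORK, RED, GREEN, NC (read)
#            SSH_CONFIG_CHECK_FAILED (appended)
#            SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN (written: offending lines)
# Outputs:   one result line on stdout
# Returns:   0 always; the outcome is recorded in SSH_CONFIG_CHECK_FAILED
#######################################
check_sshd_listen_address() {
  local config_file="${1:-/etc/ssh/sshd_config}"
  if [ -z "${IPV4_ADMIN_NETWORK:-}" ] || [ -z "${IPV6_ADMIN_NETWORK:-}" ]; then
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} IPV4_ADMIN_NETWORK or IPV6_ADMIN_NETWORK is not set, ListenAddress not checked ;"
    printf '%b\n' "${RED}Service SSH ListenAddress not checked, IPV4_ADMIN_NETWORK or IPV6_ADMIN_NETWORK is not set : check KO${NC}\n"
    return 0
  fi
  local v4_re v6_re
  v4_re=$(_sshd_regex_escape "$IPV4_ADMIN_NETWORK")
  v6_re=$(_sshd_regex_escape "$IPV6_ADMIN_NETWORK")
  local -r keyword='^[[:space:]]*ListenAddress[[:space:]]+'
  local -r admin_v4="${keyword}${v4_re}"
  local -r admin_v6="${keyword}${v6_re}"
  # Every ListenAddress line that is on neither Admin LAN prefix (-i also
  # covers the hex case of IPv6 literals).
  SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN=$(grep -i -E -- "$keyword" "$config_file" \
    | grep -v -i -E -e "$admin_v4" -e "$admin_v6")
  if [ -n "$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN" ]; then
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' ;"
    printf '%b\n' "${RED}Service SSH has ListenAddress not in Admin LAN '$SSH_LISTEN_ADDRESS_NOT_IN_ADMIN_LAN' : check KO${NC}\n"
  elif ! grep -q -i -E -- "$admin_v4" "$config_file" \
      || ! grep -q -i -E -- "$admin_v6" "$config_file"; then
    # Both an IPv4 and an IPv6 Admin LAN ListenAddress are required.
    SSH_CONFIG_CHECK_FAILED="${SSH_CONFIG_CHECK_FAILED} Config has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN ;"
    printf '%b\n' "${RED}Service SSH has NOT ListenAddress (IPv4 AND IPv6) for Admin LAN : check KO${NC}\n"
  else
    printf '%b\n' "${GREEN}Service SSH has GOOD CONFIGURATION for ListenAddress : check OK${NC}\n"
  fi
}
check_sshd_listen_address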