From 07df08daa7ac60345ca2da0e5cc7f77fd3182dd5 Mon Sep 17 00:00:00 2001
From: deadcxap <36386824+deadcxap@users.noreply.github.com>
Date: Sun, 24 Aug 2025 09:47:30 +0300
Subject: [PATCH 1/4] =?UTF-8?q?=D0=98=D0=B7=D0=BC=D0=B5=D0=BD=D0=B5=D0=BD?= =?UTF-8?q?=D0=B0=20=D0=BB=D0=BE=D0=B3=D0=B8=D0=BA=D0=B0=20=D0=B4=D0=BE?= =?UTF-8?q?=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=D0=B8=D1=8F=20SSH=20drop-i?= =?UTF-8?q?n?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
setup.sh | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/setup.sh b/setup.sh
index 1868453..3fb5b03 100644
--- a/setup.sh
+++ b/setup.sh
@@ -136,7 +136,7 @@ configure_ssh() {
 base=\$(basename \"\$f\")
 case \"\$base\" in
 [0-9][0-9]-*.conf)
- [[ \$base == 99-* ]] && mv \"\$f\" \"\${f%.conf}.disabled\"
+ [[ \$base == 00-* ]] && mv \"\$f\" \"\${f%.conf}.disabled\"
 ;;
 *)
 mv \"\$f\" \"\${f%.conf}.disabled\"
@@ -144,14 +144,14 @@ configure_ssh() {
 esac
 done
 shopt -u nullglob
- max=\$(find \"\$dir\" -maxdepth 1 -type f -name '[0-9][0-9]-*.conf' | sed -n 's#.*/\\([0-9][0-9]\\)-.*#\\1#p' | sort -n | tail -1)
- if [ -z \"\$max\" ]; then
- next=10
+ min=\$(find "\$dir" -maxdepth 1 -type f -name '[0-9][0-9]-*.conf' | sed -n 's#.*/\([0-9][0-9]\)-.*#\1#p' | sort -n | head -1)
+ if [ -z "\$min" ]; then
+ next=0
 else
- next=\$((10#\$max + 10))
- [ \"\$next\" -gt 99 ] && next=99
+ next=\$((10#\$min - 10))
+ [ "\$next" -lt 0 ] && next=0
 fi
- newfile=\$(printf '%s/%02d-hardening.conf' \"\$dir\" \"\$next\")
+ newfile=\$(printf '%s/%02d-hardening.conf' "\$dir" "\$next")
 printf \"%s\n\" 'PasswordAuthentication no' 'PermitRootLogin no' 'KbdInteractiveAuthentication no' > \"\$newfile\"
 chown root:root \"\$newfile\"
 chmod 0644 \"\$newfile\"
From eaafc160ab07b57a57f37b150b717f0c52a0172e Mon Sep 17 00:00:00 2001
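Review bot: The renumbering in the second hunk depends on sshd's rule that the first obtained value for a keyword wins — the drop-in only overrides `PasswordAuthentication` and `PermitRootLogin` because it now sorts before every other `*.conf` — and nothing in the hunk says so; the first hunk's switch from demoting `99-*` to demoting `00-*` files is the same idea. A comment above the `min=` line such as `# sshd keeps the first value it reads for a keyword; give the hardening file the lowest prefix so it wins over the other drop-ins` would explain both. Renaming a distro-shipped `00-*.conf` to `.disabled` is a silent change to the admin's sshd configuration, so I would log it next to the `mv`, e.g. `printf 'disabling %s\n' "$f" >&2`. The override also only holds if the `Include` line precedes those keywords in sshd_config, which nothing in these hunks checks. configure_ssh starts and ends outside the hunks.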
From: deadcxap <36386824+deadcxap@users.noreply.github.com>
Date: Sun, 24 Aug 2025 10:15:06 +0300
Subject: [PATCH 2/4] =?UTF-8?q?=D0=A3=D0=BF=D1=80=D0=BE=D1=89=D1=91=D0=BD?= =?UTF-8?q?=D0=BD=D0=B0=D1=8F=20=D0=BE=D0=B1=D1=80=D0=B0=D0=B1=D0=BE=D1=82?= =?UTF-8?q?=D0=BA=D0=B0=20drop-in=20=D0=B8=20=D0=BA=D0=BE=D1=80=D1=80?= =?UTF-8?q?=D0=B5=D0=BA=D1=82=D0=BD=D0=BE=D0=B5=20=D0=B4=D0=BE=D0=B1=D0=B0?= =?UTF-8?q?=D0=B2=D0=BB=D0=B5=D0=BD=D0=B8=D0=B5=20Include?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
setup.sh | 29 +++++++++++------------------
1 file changed, 11 insertions(+), 18 deletions(-)
diff --git a/setup.sh b/setup.sh
index 3fb5b03..6427078 100644
--- a/setup.sh
+++ b/setup.sh
@@ -126,32 +126,25 @@ configure_ssh() {
 printf \"%s\n\" \"$SSH_KEY\" > \"/home/$USERNAME/.ssh/authorized_keys\"
 chmod 600 \"/home/$USERNAME/.ssh/authorized_keys\"
 chown -R \"$USERNAME\":\"$USERNAME\" \"/home/$USERNAME/.ssh\"
- if ! grep -qE \"^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\\*.conf\" /etc/ssh/sshd_config; then
- echo \"Include /etc/ssh/sshd_config.d/*.conf\" >> /etc/ssh/sshd_config
+ if grep -qE '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\\*.conf' /etc/ssh/sshd_config; then
+ sed -i '/^[[:space:]]*Include[[:space:]]*\/etc\/ssh\/sshd_config.d\/\*.conf/d' /etc/ssh/sshd_config
+ echo 'Include /etc/ssh/sshd_config.d/*.conf' >> /etc/ssh/sshd_config
+ else
+ sed -i '1i Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config
 fi
 install -d -m 755 /etc/ssh/sshd_config.d
 dir=/etc/ssh/sshd_config.d
 shopt -s nullglob
 for f in \"\$dir\"/*.conf; do
 base=\$(basename \"\$f\")
- case \"\$base\" in
- [0-9][0-9]-*.conf)
- [[ \$base == 00-* ]] && mv \"\$f\" \"\${f%.conf}.disabled\"
- ;;
- *)
- mv \"\$f\" \"\${f%.conf}.disabled\"
- ;;
- esac
+ if [[ \$base == 00-* ]]; then
+ mv \"\$f\" \"\$dir/01-\$base\"
+ elif [[ \$base != [0-9][0-9]-* ]]; then
+ mv \"\$f\" \"\${f%.conf}.disabled\"
+ fi
 done
 shopt -u nullglob
- min=\$(find "\$dir" -maxdepth 1 -type f -name '[0-9][0-9]-*.conf' | sed -n 's#.*/\([0-9][0-9]\)-.*#\1#p' | sort -n | head -1)
- if [ -z "\$min" ]; then
- next=0
- else
- next=\$((10#\$min - 10))
- [ "\$next" -lt 0 ] && next=0
- fi
- newfile=\$(printf '%s/%02d-hardening.conf' "\$dir" "\$next")
+ newfile=\"\$dir/00-hardening.conf\"
 printf \"%s\n\" 'PasswordAuthentication no' 'PermitRootLogin no' 'KbdInteractiveAuthentication no' > \"\$newfile\"
 chown root:root \"\$newfile\"
 chmod 0644 \"\$newfile\"
From 7f75d90a1ffbc02784323c0536337724c786161e Mon Sep 17 00:00:00 2001
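Review bot: The `grep … ; then sed -i '/…/d' … ; echo … >> /etc/ssh/sshd_config` branch moves an existing `Include` line to the end of sshd_config, and since sshd keeps the first obtained value for each keyword, any `PasswordAuthentication yes` or `PermitRootLogin yes` set earlier in the main file now takes precedence over `00-hardening.conf`. On distributions that ship the `Include` at the top of sshd_config this hunk weakens the hardening rather than enforcing it, while the `sed -i '1i …'` branch below it already has the right placement; the hunk in PATCH 3/4 keeps an append-at-end `echo`, so the same applies there until PATCH 4/4 switches to `1i`. I would leave an existing `Include` where it is and only insert at the top when it is missing, which is what the series ends up doing: `if ! grep -qE '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\*.conf' /etc/ssh/sshd_config; then` / `sed -i '1i Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config` / `fi`. The rename `mv "$f" "$dir/01-$base"` produces names like `01-00-foo.conf`; if that is intended, a comment saying the prefix only exists to sort after `00-hardening.conf` would help the next reader. configure_ssh starts and ends outside the hunk.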
From: deadcxap <36386824+deadcxap@users.noreply.github.com>
Date: Sun, 24 Aug 2025 10:15:11 +0300
Subject: [PATCH 3/4] =?UTF-8?q?=D0=9D=D0=B5=20=D1=82=D1=80=D0=BE=D0=B3?= =?UTF-8?q?=D0=B0=D0=B5=D0=BC=20=D1=81=D1=83=D1=89=D0=B5=D1=81=D1=82=D0=B2?= =?UTF-8?q?=D1=83=D1=8E=D1=89=D0=B8=D0=B9=20Include?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
setup.sh | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/setup.sh b/setup.sh
index 6427078..dd052e8 100644
--- a/setup.sh
+++ b/setup.sh
@@ -126,11 +126,8 @@ configure_ssh() {
 printf \"%s\n\" \"$SSH_KEY\" > \"/home/$USERNAME/.ssh/authorized_keys\"
 chmod 600 \"/home/$USERNAME/.ssh/authorized_keys\"
 chown -R \"$USERNAME\":\"$USERNAME\" \"/home/$USERNAME/.ssh\"
- if grep -qE '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\\*.conf' /etc/ssh/sshd_config; then
- sed -i '/^[[:space:]]*Include[[:space:]]*\/etc\/ssh\/sshd_config.d\/\*.conf/d' /etc/ssh/sshd_config
+ if ! grep -qE '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\\*.conf' /etc/ssh/sshd_config; then
 echo 'Include /etc/ssh/sshd_config.d/*.conf' >> /etc/ssh/sshd_config
- else
- sed -i '1i Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config
 fi
 install -d -m 755 /etc/ssh/sshd_config.d
 dir=/etc/ssh/sshd_config.d
From fc674a355b533c448290ffb4ace7e9160be63715 Mon Sep 17 00:00:00 2001
From: deadcxap <36386824+deadcxap@users.noreply.github.com>
Date: Sun, 24 Aug 2025 10:15:16 +0300
Subject: [PATCH 4/4] =?UTF-8?q?=D0=9A=D0=BE=D1=80=D1=80=D0=B5=D0=BA=D1=82?= =?UTF-8?q?=D0=BD=D0=BE=D0=B5=20=D0=B4=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D0=B8=D0=B5=20Include=20=D0=B2=20sshd=5Fconfig?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
setup.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup.sh b/setup.sh
index dd052e8..e1b4f36 100644
--- a/setup.sh
+++ b/setup.sh
@@ -126,8 +126,8 @@ configure_ssh() {
 printf \"%s\n\" \"$SSH_KEY\" > \"/home/$USERNAME/.ssh/authorized_keys\"
 chmod 600 \"/home/$USERNAME/.ssh/authorized_keys\"
 chown -R \"$USERNAME\":\"$USERNAME\" \"/home/$USERNAME/.ssh\"
- if ! grep -qE '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\\*.conf' /etc/ssh/sshd_config; then
- echo 'Include /etc/ssh/sshd_config.d/*.conf' >> /etc/ssh/sshd_config
+ if ! grep -qE '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config.d/\*.conf' /etc/ssh/sshd_config; then
+ sed -i '1iInclude /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config
 fi
 install -d -m 755 /etc/ssh/sshd_config.d
 dir=/etc/ssh/sshd_config.d
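Review bot: The `sed -i '1iInclude …'` insert is unconditional, but sshd only understands `Include` from OpenSSH 8.2 on; on an older sshd the next restart fails to parse its config, and with `PasswordAuthentication no` already staged in the drop-in, new logins are lost until someone repairs the file by other means. Nothing in the hunk validates the result, so I would snapshot the file before the edit and test afterwards, e.g. `cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.pre-hardening` before the `sed -i`, then `sshd -t || { mv /etc/ssh/sshd_config.pre-hardening /etc/ssh/sshd_config; exit 1; }` once the drop-in has been written. GNU sed's `1i` also emits nothing for an empty input file, so an empty sshd_config would stay without the `Include`; a `[ -s /etc/ssh/sshd_config ]` guard with a plain write as the fallback covers that case. Whether and where the script restarts sshd is outside this hunk; configure_ssh continues past it.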