From 410a57c2d9ac228311cb638facad674c0ca9d793 Mon Sep 17 00:00:00 2001
From: Ben Hays
Date: Sat, 25 Nov 2023 15:39:11 -0500
Subject: [PATCH] Add SSH/PVE Configuration Playbook
---
.gitignore | 2 +
Ansible/inventory.ini | 13 ++++++
Ansible/openssh.yml | 16 +++++++
Ansible/proxmox.yml | 27 ++++++++++++
Bash/compliance-list.txt | 5 +++
Bash/ssl-compliance.sh | 24 +++++++++++
Configs/sshd_config | 42 +++++++++++++++++++
Find-RDP.ps1 => PowerShell/Find-RDP.ps1 | 0
.../Get-Programs.ps1 | 0
TODO.md | 2 -
10 files changed, 129 insertions(+), 2 deletions(-)
create mode 100644 .gitignore
create mode 100644 Ansible/inventory.ini
create mode 100644 Ansible/openssh.yml
create mode 100644 Ansible/proxmox.yml
create mode 100644 Bash/compliance-list.txt
create mode 100644 Bash/ssl-compliance.sh
create mode 100644 Configs/sshd_config
rename Find-RDP.ps1 => PowerShell/Find-RDP.ps1 (100%)
rename Get-Programs.ps1 => PowerShell/Get-Programs.ps1 (100%)
delete mode 100644 TODO.md
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0245f2c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.vscode/
+*.log
\ No newline at end of file
diff --git a/Ansible/inventory.ini b/Ansible/inventory.ini
new file mode 100644
index 0000000..18afda1
--- /dev/null
+++ b/Ansible/inventory.ini
@@ -0,0 +1,13 @@
+[proxmox]
+10.0.1.0
+
+[windows]
+10.0.1.10
+10.0.1.11
+
+[linux]
+10.0.1.2
+10.0.1.12
+10.0.1.14
+10.0.1.15
+10.0.1.16
\ No newline at end of file
diff --git a/Ansible/openssh.yml b/Ansible/openssh.yml
new file mode 100644
index 0000000..8e876da
--- /dev/null
+++ b/Ansible/openssh.yml
@@ -0,0 +1,16 @@
+- hosts: linux
+ remote_user: root
+ tasks:
+ - name: Update/install OpenSSH
+ apt:
+ name: openssh-server
+ state: latest
+ update_cache: yes
+ - name: Copy Secure Configuration File
+ copy:
+ src: ../Configs/sshd_config
+ dest: /etc/ssh/sshd_config
+ - name: Restart OpenSSH
+ systemd_service:
+ name: sshd
+ state: restarted
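Review bot: In Ansible/openssh.yml the `copy` task writes /etc/ssh/sshd_config and the following task restarts sshd unconditionally, with nothing checking that the installed OpenSSH accepts the file first. A directive the host's sshd rejects would keep the daemon from coming back on every machine in the `linux` group, and these hosts are only managed over SSH here. Add `validate: /usr/sbin/sshd -t -f %s` and `backup: yes` to the copy task, plus an explicit `mode: "0644"`, so a bad file never replaces the working one. The restart would also read better as a handler notified by the copy task, so hosts whose config did not change are not bounced on every run.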
diff --git a/Ansible/proxmox.yml b/Ansible/proxmox.yml
new file mode 100644
index 0000000..1c42128
--- /dev/null
+++ b/Ansible/proxmox.yml
@@ -0,0 +1,27 @@
+- hosts: proxmox
+ remote_user: root
+ tasks:
+ - name: Adding ansible SSH Pubkey as authorized
+ copy:
+ src: ~/.ssh/authorized_keys
+ dest: /root/.ssh/authorized_keys
+
+ - name: adding PVE-no-subscription repo
+ blockinfile:
+ path: /etc/apt/sources.list
+ insertbefore: "^# security"
+ block: |
+ # PVE pve-no-subscription repository provided by proxmox.com,
+ # NOT recommended for production use
+ deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription
+
+ - name: upgrading system
+ apt:
+ upgrade: full
+ update_cache: yes
+ cache_valid_time: 7200
+
+ - name: installing sudo
+ apt:
+ name: sudo
+ state: present
\ No newline at end of file
diff --git a/Bash/compliance-list.txt b/Bash/compliance-list.txt
new file mode 100644
index 0000000..20f1666
--- /dev/null
+++ b/Bash/compliance-list.txt
@@ -0,0 +1,5 @@
+10.0.1.2
+10.0.1.12
+10.0.1.14
+10.0.1.15
+10.0.1.16
\ No newline at end of file
diff --git a/Bash/ssl-compliance.sh b/Bash/ssl-compliance.sh
new file mode 100644
index 0000000..dfe7a4a
--- /dev/null
+++ b/Bash/ssl-compliance.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+if [ "$#" -eq 0 ]; then
+ echo "Usage: $0 (--install-deps) "
+ exit 1
+fi
+
+if [ "$1" = "--install-deps" ]; then
+ echo "[+] Installing dependencies"
+ pip3 install --upgrade pip setuptools wheel --break-system-packages
+ pip3 install --upgrade sslyze --break-system-packages
+ filename="$2"
+else
+ filename="$1"
+fi
+
+if [ ! -f "$filename" ]; then
+ echo "Error: File '$filename' not found."
+ exit 1
+fi
+
+while IFS= read -r line; do
+ python3 -m sslyze "$line"
+done < "$filename"
diff --git a/Configs/sshd_config b/Configs/sshd_config
new file mode 100644
index 0000000..8a076f2
--- /dev/null
+++ b/Configs/sshd_config
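Review bot: The first task in Ansible/proxmox.yml replaces root's entire /root/.ssh/authorized_keys with the controller's own `~/.ssh/authorized_keys`, which lists the keys allowed to log in to the controller rather than the Ansible public key the task name describes. Every key already authorized on the node is dropped, and on Proxmox VE that path is normally a link into the cluster-managed key file, so this may also disturb node-to-node SSH; that is worth confirming on the target. Appending one key is safer, for example the `ansible.posix.authorized_key` module with `user: root` and `key: "{{ lookup('file', '<PATH_TO_ANSIBLE_PUBKEY>') }}"`. Separately, the repository line is hard-coded to `bullseye` over plain `http://`; package signatures still protect integrity, but the release name will go stale after a major upgrade.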
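Review bot: The read loop at the end of Bash/ssl-compliance.sh skips the last target when the list has no trailing newline, and the Bash/compliance-list.txt added in this same commit is marked `\ No newline at end of file`, so 10.0.1.16 is never scanned and nothing reports the gap. Change the loop head to `while IFS= read -r line || [ -n "$line" ]; do` and skip empty entries with `[ -n "$line" ] || continue`. The `--install-deps` path upgrades pip, setuptools, wheel and sslyze unpinned into the system interpreter with `--break-system-packages`; a virtual environment with a pinned sslyze version would keep the scanner reproducible and out of the OS Python. Only the final scan's exit status reaches the caller, so a failure on an earlier host is not visible to anything that wraps this script.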
@@ -0,0 +1,42 @@
+# Based on https://infosec.mozilla.org/guidelines/openssh secure configuration guide
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+LogLevel VERBOSE
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+MaxAuthTries 5
+MaxSessions 8
+
+PubkeyAuthentication yes
+
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+KbdInteractiveAuthentication no
+
+KerberosAuthentication no
+GSSAPIAuthentication no
+
+UsePAM yes
+
+AllowAgentForwarding no
+AllowTcpForwarding no
+X11Forwarding no
+PrintMotd no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
diff --git a/Find-RDP.ps1 b/PowerShell/Find-RDP.ps1
similarity index 100%
rename from Find-RDP.ps1
rename to PowerShell/Find-RDP.ps1
diff --git a/Get-Programs.ps1 b/PowerShell/Get-Programs.ps1
similarity index 100%
rename from Get-Programs.ps1
rename to PowerShell/Get-Programs.ps1
diff --git a/TODO.md b/TODO.md
deleted file mode 100644
index b8602d3..0000000
--- a/TODO.md
+++ /dev/null
@@ -1,2 +0,0 @@
-* Add Winget/Choco package support for Get-Packages.ps1
-* More backup scripts
\ No newline at end of file
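Review bot: In Configs/sshd_config the `Include /etc/ssh/sshd_config.d/*.conf` line comes before every hardening directive, and sshd keeps the first value it reads for each keyword, so a drop-in already present on a host (cloud images often ship one that sets `PasswordAuthentication yes`) silently overrides the settings below it. Either have the playbook audit or clear that directory, or confirm the effective values after deployment with `sshd -T`. `PermitRootLogin` is left commented out, so root login depends on the compiled-in default; since the playbooks connect as root, stating `PermitRootLogin prohibit-password` explicitly would make the intent visible and keep it stable if the default changes.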