Adjust SSH setup defaults and update clone instructions
This commit is contained in:
root
@@ -4,9 +4,9 @@ Standardisierter Installationsprozess fuer neue Ubuntu-LXC-Container.
|
|||||||
|
|
||||||
Installiert und **direkt vorkonfiguriert**:
|
Installiert und **direkt vorkonfiguriert**:
|
||||||
- `fail2ban`: SSH/SSHD-DDoS + Recidive-Jail, UFW-Ban-Action
|
- `fail2ban`: SSH/SSHD-DDoS + Recidive-Jail, UFW-Ban-Action
|
||||||
- `ufw`: default deny incoming, allow outgoing, SSH-Rate-Limit, 80/443 erlaubt
|
- `ufw`: default deny incoming, allow outgoing, SSH freigegeben, 80/443 erlaubt
|
||||||
- `unattended-upgrades`: taegliche Security-Updates aktiv
|
- `unattended-upgrades`: taegliche Security-Updates aktiv
|
||||||
- `openssh-server`: Basishardening via `sshd_config.d`
|
- `openssh-server`: SSH automatisch installiert und konfiguriert
|
||||||
- `auditd`: grundlegende Audit-Regeln fuer sensible Dateien
|
- `auditd`: grundlegende Audit-Regeln fuer sensible Dateien
|
||||||
- `sysctl`: Kernel/Netzwerk-Hardening-Basis
|
- `sysctl`: Kernel/Netzwerk-Hardening-Basis
|
||||||
- `nodejs`, `npm`, `@openai/codex`
|
- `nodejs`, `npm`, `@openai/codex`
|
||||||
@@ -14,7 +14,7 @@ Installiert und **direkt vorkonfiguriert**:
|
|||||||
## Standardprozess nach Download
|
## Standardprozess nach Download
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
git clone https://gitea.kanu1.duckdns.org/Kanu/Sicherheit.git
|
git clone http://gitea.kanu1.duckdns.org:3000/Kanu/Sicherheit.git
|
||||||
cd Sicherheit
|
cd Sicherheit
|
||||||
chmod +x bin/sicherheit-install scripts/bootstrap_ubuntu_lxc_security.sh
|
chmod +x bin/sicherheit-install scripts/bootstrap_ubuntu_lxc_security.sh
|
||||||
./bin/sicherheit-install
|
./bin/sicherheit-install
|
||||||
@@ -27,6 +27,19 @@ sudo ln -sf "$(pwd)/bin/sicherheit-install" /usr/local/bin/sicherheit-install
|
|||||||
sudo sicherheit-install
|
sudo sicherheit-install
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## SSH Linux Einrichten (automatisch im Skript enthalten)
|
||||||
|
|
||||||
|
Das Skript fuehrt diese Punkte automatisch aus:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo apt update
|
||||||
|
sudo apt install -y openssh-server
|
||||||
|
sudo ufw allow ssh
|
||||||
|
sudo ufw status
|
||||||
|
# PermitRootLogin yes wird gesetzt
|
||||||
|
sudo systemctl restart ssh
|
||||||
|
```
|
||||||
|
|
||||||
## Wichtige Konfigurationen
|
## Wichtige Konfigurationen
|
||||||
|
|
||||||
- `config/fail2ban/jail.local`
|
- `config/fail2ban/jail.local`
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
# Managed by sicherheit-install
|
# Managed by sicherheit-install
|
||||||
Protocol 2
|
Protocol 2
|
||||||
PermitRootLogin prohibit-password
|
PermitRootLogin yes
|
||||||
PasswordAuthentication no
|
PasswordAuthentication yes
|
||||||
PubkeyAuthentication yes
|
PubkeyAuthentication yes
|
||||||
PermitEmptyPasswords no
|
PermitEmptyPasswords no
|
||||||
X11Forwarding no
|
X11Forwarding no
|
||||||
|
|||||||
@@ -71,7 +71,8 @@ copy_cfg "${CONFIG_DIR}/ufw/after.rules" "/etc/ufw/after.rules"
|
|||||||
ufw default deny incoming || true
|
ufw default deny incoming || true
|
||||||
ufw default allow outgoing || true
|
ufw default allow outgoing || true
|
||||||
ufw logging medium || true
|
ufw logging medium || true
|
||||||
ufw limit OpenSSH || true
|
ufw allow ssh || true
|
||||||
|
ufw allow OpenSSH || true
|
||||||
ufw allow 80/tcp || true
|
ufw allow 80/tcp || true
|
||||||
ufw allow 443/tcp || true
|
ufw allow 443/tcp || true
|
||||||
ufw --force enable || true
|
ufw --force enable || true
|
||||||
|
|||||||
Reference in New Issue
Block a user