#!/bin/bash
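# Switches. Each --no-* option turns one of the three steps off.
#   change_ssh_port  - bind sshd to 127.0.0.1 only (the name is historical:
#                      the port stays 22, see the sshd section at the end)
#   disable_logging  - stop the logging services and freeze the login-record
#                      files (wtmp/btmp/utmp/lastlog)
#   tor_ssh_setup    - publish sshd as a client-authenticated Tor onion service
change_ssh_port=true
disable_logging=true
tor_ssh_setup=true

#######################################
# Parse the command line into the three switches above.
# Globals:   change_ssh_port, disable_logging, tor_ssh_setup (written)
# Arguments: the script's "$@"
# Outputs:   on an unknown option, a diagnostic and a usage line on stderr,
#            then exit 1
#######################################
parse_args() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
      --no-change-ssh-port) change_ssh_port=false ;;
      --no-disable-logging) disable_logging=false ;;
      --no-tor-ssh-setup)   tor_ssh_setup=false ;;
      *)
        printf 'Unknown option: %s\n' "$1" >&2
        printf 'Usage: %s [--no-change-ssh-port] [--no-disable-logging] [--no-tor-ssh-setup]\n' "${0##*/}" >&2
        exit 1
        ;;
    esac
    shift
  done
}
parse_args "$@"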
# Everything below writes to /etc, /var/lib/tor and the service manager,
# so bail out early unless we are running as root.
if (( EUID != 0 )); then
  echo "This script must be run as root."
  exit 1
fi
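#######################################
# Interactively create one Tor client-authorization key pair and register
# its public half with the SSH onion service.
# Globals:   user (written; deliberately NOT local, because the login-hint
#            section at the end of the script reads it to find the files)
# Outputs:   /tmp/<user>.prv.pem and /tmp/<user>.prv.key (the client's
#            secret, created mode 0600), /tmp/<user>.pub.key, and
#            /var/lib/tor/ssh/authorized_clients/<user>.auth
# Returns:   0 on success, 1 on an empty/invalid username or a failed step
#######################################
generate_private_key() {
  local pem priv_key pub_key encodedpub old_umask
  local authorized_clients_dir authorized_clients_file

  read -r -p "Enter a username for an authorized client: " user
  if [[ -z "$user" ]]; then
    echo "Username cannot be empty." >&2
    return 1
  fi
  # The name becomes a file name under authorized_clients/ and /tmp; reject
  # anything that could escape those directories (e.g. "../x") or that Tor
  # would not accept as a client name.
  if [[ ! "$user" =~ ^[A-Za-z0-9_-]+$ ]]; then
    echo "Username may only contain letters, digits, '_' and '-'." >&2
    return 1
  fi

  pem="/tmp/$user.prv.pem"
  priv_key="/tmp/$user.prv.key"
  pub_key="/tmp/$user.pub.key"

  # The private key files land in the shared /tmp; with the default umask
  # they would be world-readable, so tighten umask while they are created.
  old_umask=$(umask)
  umask 077
  if ! openssl genpkey -algorithm x25519 -out "$pem"; then
    umask "$old_umask"
    echo "openssl genpkey failed." >&2
    return 1
  fi
  echo "Private key for user $user generated at $pem"

  # Tor's client-auth format wants the raw 32-byte key as unpadded base32.
  # For x25519 the raw key is the last 32 bytes of the DER inside the PEM.
  grep -v "PRIVATE KEY" "$pem" | base64 -d | tail --bytes=32 | base32 | sed 's/=//g' > "$priv_key"
  echo "Processed private key saved at $priv_key"
  openssl pkey -in "$pem" -pubout | grep -v "PUBLIC KEY" | base64 -d | tail --bytes=32 | base32 | sed 's/=//g' > "$pub_key"
  echo "Public key for user $user generated at $pub_key"
  umask "$old_umask"

  encodedpub=$(<"$pub_key")
  if [[ -z "$encodedpub" ]]; then
    echo "Could not derive the public key for $user." >&2
    return 1
  fi

  # The .auth file is written with the original umask on purpose: the tor
  # daemon runs unprivileged and must be able to read it.
  authorized_clients_dir="/var/lib/tor/ssh/authorized_clients"
  authorized_clients_file="$authorized_clients_dir/$user.auth"
  echo "descriptor:x25519:$encodedpub" > "$authorized_clients_file"
  echo "Authorized client file created at $authorized_clients_file"

  # Restart Tor so the new authorized client is picked up (a SIGHUP reload
  # would probably suffice and keep existing circuits — TODO confirm).
  systemctl restart tor
  echo "Tor reloaded."
}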
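#######################################
# Wait for Tor to create the onion hostname file after a (re)start.
# Arguments: $1 - path to the hostname file
#            $2 - maximum seconds to wait (default 30)
# Returns:   0 once the file exists, 1 on timeout
#######################################
wait_for_hostname() {
  local file=$1 timeout=${2:-30} waited=0
  while [[ ! -f "$file" ]]; do
    if (( waited >= timeout )); then
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

# Only Debian/Ubuntu-style systems (apt) are supported. Installs Tor if it
# is missing and, when tor_ssh_setup is true, publishes sshd as a
# client-authenticated onion service.
# Globals: tor_ssh_setup (read); hostname_var (written: the .onion name,
#          read by the login-hint section at the end); user (written via
#          generate_private_key)
if command -v apt-get &>/dev/null; then
  apt-get update
  echo "Package list updated successfully."
  # Tor comes from the distribution's own repository here, not from the
  # Tor Project's repository.
  if ! command -v tor &>/dev/null; then
    echo "Installing Tor..."
    apt-get install -y tor
    echo "Tor installed successfully."
    systemctl enable --now tor
  fi
  if [ "$tor_ssh_setup" = true ]; then
    torrc="/etc/tor/torrc"
    hidden_service_section="############### This section is just for location-hidden services ###"
    if grep -q "$hidden_service_section" "$torrc"; then
      # Append the service only once: a second run must not duplicate the
      # HiddenServiceDir lines (Tor can refuse to start when the same
      # directory is configured twice).
      if grep -q '^HiddenServiceDir /var/lib/tor/ssh/' "$torrc"; then
        echo "SSH hidden service already configured in $torrc; leaving it unchanged."
      else
        printf '\n# SSH login\nHiddenServiceDir /var/lib/tor/ssh/\nHiddenServicePort 22 127.0.0.1:22\n' >> "$torrc"
        echo "Tor configuration updated for SSH hidden service."
      fi
      if command -v systemctl &>/dev/null; then
        systemctl restart tor
        echo "Tor service enabled and restarted."
        # Tor creates the HiddenServiceDir (hostname, authorized_clients/)
        # shortly after start; poll for it instead of a fixed sleep.
        if wait_for_hostname /var/lib/tor/ssh/hostname 30; then
          hostname_var=$(<"/var/lib/tor/ssh/hostname")
          if [[ -d "/var/lib/tor/ssh/authorized_clients" ]]; then
            generate_private_key
          else
            echo "Error: /var/lib/tor/ssh/authorized_clients was not created; no client key generated." >&2
          fi
        else
          echo "Error: The hostname file does not exist in /var/lib/tor/ssh/" >&2
        fi
      else
        echo "Systemd not found. You may need to manually manage the Tor service."
      fi
    else
      echo "Error: The correct section for location-hidden services was not found in $torrc." >&2
      echo "Please add the configuration manually." >&2
    fi
  else
    echo "Tor SSH setup is disabled."
  fi
else
  echo "This script only works with Debian-based distributions at the moment." >&2
  exit 1
fi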
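#######################################
# Build the line a client puts in its ClientOnionAuthDir *.auth_private file.
# Arguments: $1 - onion hostname, with or without the ".onion" suffix
#            $2 - unpadded base32 x25519 private key (/tmp/<user>.prv.key)
# Outputs:   "<host>:descriptor:x25519:<key>" on stdout
#######################################
client_auth_line() {
  printf '%s:descriptor:x25519:%s\n' "${1%.onion}" "$2"
}

# Display the login command after the entire script finishes.
# Globals: hostname_var and user, both set by the Tor setup section above.
if [[ -n "$hostname_var" ]]; then
  # Host-key checking is relaxed here, presumably because the .onion address
  # itself identifies the service; pinning the host key would still add
  # defense in depth. PubkeyAuthentication=no means root's password (or
  # keyboard-interactive auth) is all that protects the account.
  echo "Login using: torsocks ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PubkeyAuthentication=no root@$hostname_var"
  # user is unset when generate_private_key bailed out; then there is no
  # client file to describe.
  authorized_clients_file="/var/lib/tor/ssh/authorized_clients/${user:-}.auth"
  if [[ -n "${user:-}" && -f "$authorized_clients_file" ]]; then
    authorized_user_private_file="/tmp/$user.prv.key"
    auth_line=$(client_auth_line "$hostname_var" "$(<"$authorized_user_private_file")")
    # NOTE(review): the client-side /var/lib/tor/onion_auth directory must
    # exist and be readable by the client's tor user — the one-liner below
    # does not create it.
    echo "Add this to your torrc:"
    echo "ClientOnionAuthDir /var/lib/tor/onion_auth"
    echo "$auth_line"
    echo "or run this one-liner:"
    echo "echo 'ClientOnionAuthDir /var/lib/tor/onion_auth' | sudo tee -a /etc/tor/torrc && echo '$auth_line' | sudo tee -a /var/lib/tor/onion_auth/$user.auth_private"
    # The secret only belongs on the client; leaving it in /tmp on the
    # server defeats the point of client authorization.
    echo "NOTE: $authorized_user_private_file is the client's secret key; copy it to the client, then delete it from this host." >&2
  fi
fi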
if [ " $disable_logging " = true ] ; then
2023-10-18 01:54:07 +00:00
# Files to modify and make read-only and immutable
log_files = ( "/var/log/wtmp" "/var/log/btmp" "/var/run/utmp" "/var/log/lastlog" )
2023-10-17 02:03:12 +00:00
2023-10-18 01:54:07 +00:00
# Disable logging services
for service in rsyslog systemd-journald systemd-journald.socket systemd-journald-dev-log.socket auditd logrotate logrotate.timer; do
if systemctl is-active --quiet " $service " ; then
systemctl disable --now " $service "
fi
done
2023-10-17 02:03:12 +00:00
2023-10-18 01:54:07 +00:00
# Modify rsyslog configuration
if [ -f /etc/rsyslog.conf ] ; then
sed -i 's/auth\.priv\.warning/auth\.none/' /etc/rsyslog.conf
fi
2023-10-17 02:03:12 +00:00
2023-10-18 01:54:07 +00:00
# Make log files read-only and immutable
for log in " ${ log_files [@] } " ; do
if [ -f " $log " ] ; then
> " $log "
chmod 444 " $log "
chattr +i " $log "
fi
done
2023-10-17 02:03:12 +00:00
fi
if [ " $change_ssh_port " = true ] ; then
# Modify the SSH configuration
sshd_config = "/etc/ssh/sshd_config"
if [ -e " $sshd_config " ] ; then
if grep -qE '^#Port 22$' " $sshd_config " && grep -qE '^#ListenAddress 0.0.0.0$' " $sshd_config " ; then
sed -i 's/^#Port 22$/Port 22/' " $sshd_config "
sed -i 's/^#ListenAddress 0.0.0.0$/ListenAddress 127.0.0.1/' " $sshd_config "
echo " SSH configuration updated in $sshd_config . "
systemctl restart sshd
else
echo " No changes required in $sshd_config . "
fi
else
echo " $sshd_config does not exist. "
fi
fi
# notes:
# In Gentoo the default location is /var/lib/data/tor/hiddenservicename/hostname
# In bsd the default location is /var/tor
# remove traces of commands ran/running
# https://github.com/hackerschoice/zapper
# full-disk (LUKS) encryption, unlocked remotely over ssh
# dropbear luks ssh
# https://github.com/hackerschoice/erfs
# remove systemd
# convert to Devuan or Void (preferably)
# https://github.com/atweiden/voidvault