add arguments
commit
00f33c1f01
196
moose.sh
Normal file
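--- /dev/null
+++ b/moose.sh
@@ -0,0 +1,196 @@
+#!/bin/bash
+
+# Initialize variables for switches
+change_ssh_port=true
+disable_logging=true
+tor_ssh_setup=true
+
+while [[ $# -gt 0 ]]; do
+case "$1" in
+--no-change-ssh-port)
+change_ssh_port=false
+;;
+--no-disable-logging)
+disable_logging=false
+;;
+--no-tor-ssh-setup)
+tor_ssh_setup=false
+;;
+*)
+echo "Unknown option: $1"
+exit 1
+;;
+esac
+shift
+done
+
+# Check if the script is being run as root
+if [[ $EUID -ne 0 ]]; then
+echo "This script must be run as root."
+exit 1
+fi
+
+# Function to generate a private key using OpenSSL
+generate_private_key() {
+read -p "Enter a username for an authorized client: " user
+if [[ -z "$user" ]]; then
+echo "Username cannot be empty."
+return
+fi
+
+openssl genpkey -algorithm x25519 -out "/tmp/$user.prv.pem"
+echo "Private key for user $user generated at /tmp/$user.prv.pem"
+
+# Process the private key
+cat "/tmp/$user.prv.pem" | grep -v " PRIVATE KEY" | base64 -d | tail --bytes=32 | base32 | sed 's/=//g' > "/tmp/$user.prv.key"
+echo "Processed private key saved at /tmp/$user.prv.key"
+
+# Generate the public key from the private key
+openssl pkey -in "/tmp/$user.prv.pem" -pubout | grep -v " PUBLIC KEY" | base64 -d | tail --bytes=32 | base32 | sed 's/=//g' > "/tmp/$user.pub.key"
+echo "Public key for user $user generated at /tmp/$user.pub.key"
+
+# Store the encoded public key
+encodedpub=$(cat "/tmp/$user.pub.key")
+
+# Create the authorized_clients file
+authorized_clients_dir="/var/lib/tor/ssh/authorized_clients"
+authorized_clients_file="$authorized_clients_dir/$user.auth"
+
+echo "descriptor:x25519:$encodedpub" > "$authorized_clients_file"
+echo "Authorized client file created at $authorized_clients_file"
+
+# Reload Tor
+systemctl restart tor
+echo "Tor reloaded."
+}
+
+# Check if the distribution is Debian or Ubuntu-based
+if command -v apt-get &>/dev/null; then
+# Update the package list
+apt update
+echo "Package list updated successfully."
+
+# Check if Tor is already installed
+if ! command -v tor &>/dev/null; then
+# Install Tor from the official Tor Project repository
+echo "Installing Tor..."
+apt install -y tor
+echo "Tor installed successfully."
+systemctl enable --now tor
+fi
+
+# Add Tor configuration for SSH hidden service under the correct section if tor_ssh_setup is true
+if [ "$tor_ssh_setup" = true ]; then
+torrc="/etc/tor/torrc"
+hidden_service_section="############### This section is just for location-hidden services ###"
+if grep -q "$hidden_service_section" "$torrc"; then
+# Add Tor configuration for SSH hidden service
+echo -e "\n# SSH login" >> "$torrc"
+echo "HiddenServiceDir /var/lib/tor/ssh/" >> "$torrc"
+echo "HiddenServicePort 22 127.0.0.1:22" >> "$torrc"
+echo "Tor configuration updated for SSH hidden service."
+
+# Check if systemd is the init system and enable/start Tor service
+if command -v systemctl &>/dev/null; then
+systemctl restart tor && sleep 5
+echo "Tor service enabled and restarted."
+
+# Check if the hostname file exists
+if [[ -f "/var/lib/tor/ssh/hostname" ]]; then
+# Store the hostname in a variable
+hostname_var=$(cat "/var/lib/tor/ssh/hostname")
+
+# Check if the authorized_clients folder exists
+if [[ -d "/var/lib/tor/ssh/authorized_clients" ]]; then
+generate_private_key
+fi
+else
+echo "Error: The hostname file does not exist in /var/lib/tor/ssh/"
+fi
+else
+echo "Systemd not found. You may need to manually manage the Tor service."
+fi
+else
+echo "Error: The correct section for location-hidden services was not found in $torrc."
+echo "Please add the configuration manually."
+fi
+else
+echo "Tor SSH setup is disabled."
+fi
+else
+echo "This script only works with Debian-based distributions at the moment."
+exit 1
+fi
+
+# Display the login command after the entire script finishes
+if [[ -n $hostname_var ]]; then
+echo "Login using: torsocks ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PubkeyAuthentication=no root@$hostname_var"
+
+# Check if the authorized user file exists
+authorized_clients_file="/var/lib/tor/ssh/authorized_clients/$user.auth"
+if [[ -f "$authorized_clients_file" ]]; then
+#onion_auth_dir="/var/lib/tor/onion_auth"
+authorized_user_private_file="/tmp/$user.prv.key"
+
+# Extract hostname_var without ".onion"
+hostname_var_no_onion="${hostname_var%.onion}"
+
+echo "Add this to your torrc:"
+echo "ClientOnionAuthDir /var/lib/tor/onion_auth"
+echo "$hostname_var_no_onion:descriptor:x25519:$(cat "$authorized_user_private_file")"
+echo "or run this one-liner:"
+echo "echo 'ClientOnionAuthDir /var/lib/tor/onion_auth' | sudo tee -a /etc/tor/torrc && echo '$hostname_var_no_onion:descriptor:x25519:$(cat "$authorized_user_private_file")' | sudo tee -a /var/lib/tor/onion_auth/$user.auth_private"
+
+fi
+fi
+
+
+if [ "$disable_logging" = true ]; then
+systemctl disable --now rsyslog
+systemctl disable --now systemd-journald
+systemctl disable --now systemd-journald.socket
+systemctl disable --now systemd-journald-dev-log.socket
+systemctl disable --now auditd
+
+# Make logs read-only
+chmod 444 /var/log/wtmp
+chmod 444 /var/log/btmp
+chmod 444 /var/run/utmp
+chmod 444 /var/log/lastlog
+
+systemctl disable --now logrotate
+systemctl disable --now logrotate.timer
+
+sed -i 's/auth\.priv\.warning/auth\.none/' /etc/rsyslog.conf
+fi
+
+if [ "$change_ssh_port" = true ]; then
+# Modify the SSH configuration
+sshd_config="/etc/ssh/sshd_config"
+if [ -e "$sshd_config" ]; then
+if grep -qE '^#Port 22$' "$sshd_config" && grep -qE '^#ListenAddress 0.0.0.0$' "$sshd_config"; then
+sed -i 's/^#Port 22$/Port 22/' "$sshd_config"
+sed -i 's/^#ListenAddress 0.0.0.0$/ListenAddress 127.0.0.1/' "$sshd_config"
+echo "SSH configuration updated in $sshd_config."
+systemctl restart sshd
+else
+echo "No changes required in $sshd_config."
+fi
+else
+echo "$sshd_config does not exist."
+fi
+fi
+# notes:
+# In gentoo the default location is /var/lib/data/tor/hiddenserbicename/hostname
+# In bsd the default location is /var/tor
+
+# remove traces of commands ran/running
+# https://github.com/hackerschoice/zapper
+
+# encrypt with decryption via ssh
+# dropbear luks ssh
+# https://github.com/hackerschoice/erfs
+
+# remove systemd
+# convert to devuan or void(perferably)
+# https://github.com/atweiden/voidvault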