add arguments

moose.sh

@@ -0,0 +1,196 @@
+#!/bin/bash
+
+# Initialize variables for switches
+change_ssh_port=true
+disable_logging=true
+tor_ssh_setup=true
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --no-change-ssh-port)
+            change_ssh_port=false
+            ;;
+        --no-disable-logging)
+            disable_logging=false
+            ;;
+        --no-tor-ssh-setup)
+            tor_ssh_setup=false
+            ;;
+        *)
+            echo "Unknown option: $1"
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+# Check if the script is being run as root
+if [[ $EUID -ne 0 ]]; then
+    echo "This script must be run as root."
+    exit 1
+fi
+
+# Function to generate a private key using OpenSSL
+generate_private_key() {
+    read -p "Enter a username for an authorized client: " user
+    if [[ -z "$user" ]]; then
+        echo "Username cannot be empty."
+        return
+    fi
+    
+    openssl genpkey -algorithm x25519 -out "/tmp/$user.prv.pem"
+    echo "Private key for user $user generated at /tmp/$user.prv.pem"
+    
+    # Process the private key
+    cat "/tmp/$user.prv.pem" | grep -v " PRIVATE KEY" | base64 -d | tail --bytes=32 | base32 | sed 's/=//g' > "/tmp/$user.prv.key"
+    echo "Processed private key saved at /tmp/$user.prv.key"
+    
+    # Generate the public key from the private key
+    openssl pkey -in "/tmp/$user.prv.pem" -pubout | grep -v " PUBLIC KEY" | base64 -d | tail --bytes=32 | base32 | sed 's/=//g' > "/tmp/$user.pub.key"
+    echo "Public key for user $user generated at /tmp/$user.pub.key"
+    
+    # Store the encoded public key
+    encodedpub=$(cat "/tmp/$user.pub.key")
+    
+    # Create the authorized_clients file
+    authorized_clients_dir="/var/lib/tor/ssh/authorized_clients"
+    authorized_clients_file="$authorized_clients_dir/$user.auth"
+    
+    echo "descriptor:x25519:$encodedpub" > "$authorized_clients_file"
+    echo "Authorized client file created at $authorized_clients_file"
+    
+    # Reload Tor
+    systemctl restart tor
+    echo "Tor reloaded."
+}
+
+# Check if the distribution is Debian or Ubuntu-based
+if command -v apt-get &>/dev/null; then
+    # Update the package list
+    apt update
+    echo "Package list updated successfully."
+    
+    # Check if Tor is already installed
+    if ! command -v tor &>/dev/null; then
+        # Install Tor from the official Tor Project repository
+        echo "Installing Tor..."
+        apt install -y tor
+        echo "Tor installed successfully."
+    systemctl enable --now tor
+    fi
+    
+    # Add Tor configuration for SSH hidden service under the correct section if tor_ssh_setup is true
+    if [ "$tor_ssh_setup" = true ]; then
+        torrc="/etc/tor/torrc"
+        hidden_service_section="############### This section is just for location-hidden services ###"
+        if grep -q "$hidden_service_section" "$torrc"; then
+            # Add Tor configuration for SSH hidden service
+            echo -e "\n# SSH login" >> "$torrc"
+            echo "HiddenServiceDir /var/lib/tor/ssh/" >> "$torrc"
+            echo "HiddenServicePort 22 127.0.0.1:22" >> "$torrc"
+            echo "Tor configuration updated for SSH hidden service."
+            
+            # Check if systemd is the init system and enable/start Tor service
+            if command -v systemctl &>/dev/null; then
+                systemctl restart tor && sleep 5
+                echo "Tor service enabled and restarted."
+                
+                # Check if the hostname file exists
+                if [[ -f "/var/lib/tor/ssh/hostname" ]]; then
+                    # Store the hostname in a variable
+                    hostname_var=$(cat "/var/lib/tor/ssh/hostname")
+                    
+                    # Check if the authorized_clients folder exists
+                    if [[ -d "/var/lib/tor/ssh/authorized_clients" ]]; then
+                        generate_private_key
+                    fi
+                else
+                    echo "Error: The hostname file does not exist in /var/lib/tor/ssh/"
+                fi
+            else
+                echo "Systemd not found. You may need to manually manage the Tor service."
+            fi
+        else
+            echo "Error: The correct section for location-hidden services was not found in $torrc."
+            echo "Please add the configuration manually."
+        fi
+    else
+        echo "Tor SSH setup is disabled."
+    fi
+else
+    echo "This script only works with Debian-based distributions at the moment."
+    exit 1
+fi
+
+# Display the login command after the entire script finishes
+if [[ -n $hostname_var ]]; then
+    echo "Login using: torsocks ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PubkeyAuthentication=no root@$hostname_var"
+    
+    # Check if the authorized user file exists
+    authorized_clients_file="/var/lib/tor/ssh/authorized_clients/$user.auth"
+    if [[ -f "$authorized_clients_file" ]]; then
+        #onion_auth_dir="/var/lib/tor/onion_auth"
+        authorized_user_private_file="/tmp/$user.prv.key"
+        
+        # Extract hostname_var without ".onion"
+        hostname_var_no_onion="${hostname_var%.onion}"
+        
+        echo "Add this to your torrc:"
+        echo "ClientOnionAuthDir /var/lib/tor/onion_auth"
+        echo "$hostname_var_no_onion:descriptor:x25519:$(cat "$authorized_user_private_file")"
+    echo "or run this one-liner:"
+    echo "echo 'ClientOnionAuthDir /var/lib/tor/onion_auth' | sudo tee -a /etc/tor/torrc && echo '$hostname_var_no_onion:descriptor:x25519:$(cat "$authorized_user_private_file")' | sudo tee -a /var/lib/tor/onion_auth/$user.auth_private"
+    
+    fi
+fi
+
+
+if [ "$disable_logging" = true ]; then
+    systemctl disable --now rsyslog
+    systemctl disable --now systemd-journald
+    systemctl disable --now systemd-journald.socket
+    systemctl disable --now systemd-journald-dev-log.socket
+    systemctl disable --now auditd
+
+    # Make logs read-only
+    chmod 444 /var/log/wtmp
+    chmod 444 /var/log/btmp
+    chmod 444 /var/run/utmp
+    chmod 444 /var/log/lastlog
+
+    systemctl disable --now logrotate
+    systemctl disable --now logrotate.timer
+
+    sed -i 's/auth\.priv\.warning/auth\.none/' /etc/rsyslog.conf
+fi
+
+if [ "$change_ssh_port" = true ]; then
+    # Modify the SSH configuration
+    sshd_config="/etc/ssh/sshd_config"
+    if [ -e "$sshd_config" ]; then
+        if grep -qE '^#Port 22$' "$sshd_config" && grep -qE '^#ListenAddress 0.0.0.0$' "$sshd_config"; then
+            sed -i 's/^#Port 22$/Port 22/' "$sshd_config"
+            sed -i 's/^#ListenAddress 0.0.0.0$/ListenAddress 127.0.0.1/' "$sshd_config"
+            echo "SSH configuration updated in $sshd_config."
+            systemctl restart sshd
+        else
+            echo "No changes required in $sshd_config."
+        fi
+    else
+        echo "$sshd_config does not exist."
+    fi
+fi
+# notes:
+# In gentoo the default location is /var/lib/data/tor/hiddenserbicename/hostname 
+# In bsd the default location is /var/tor
+
+# remove traces of commands ran/running
+# https://github.com/hackerschoice/zapper
+
+# encrypt with decryption via ssh
+# dropbear luks ssh
+# https://github.com/hackerschoice/erfs
+
+# remove systemd
+# convert to devuan or void(perferably)
+# https://github.com/atweiden/voidvault