Fallback option for ssh hardening

[avetere]

Hi there!

Thanks for this very nice script!

I have two suggestions for further improvement:

• Implement a fallback security net with a timeout of e.g. 5min when changing ssh config/hardening
  This would be to revert everything in case the user does not confirm possibility to login in time, e.g. due to a disconnect from the active session. The same could apply for 2fa setup
• Implement a check for a validated ssh key for the sudo user before revoking root access and password authentication during ssh hardening
  In caase of an existing user - as far as I have seen - there is no additional check, if a ssh key actually exists and is working.

And a small thing to think about:
Might it be beneficial to actually perform changes to sshd config in a low-lexical-order file in sshd_config.d altogether, instead of changing the default config? So as to avoid the first-mention-wins problem?

Cheers
AV

[buildplan]

Hi

Thanks for taking the time to look through the script and write this up! These are all really solid catches and make a lot of sense.

I've just pushed updates addressing all three of your points to the dev branch:

1. Added an optional timeout to the confirm function. The SSH and 2FA connection tests now have a 5-minute timeout. If the session drops and hits the timeout, it automatically assumes "no" and should trigger rollback.
2. You were totally right about key validation edge case. I extracted the SSH key generation/prompting into a new helper function. The script now forces existing users to either provide a valid key or generate a new one before it even touches the SSH config.
3. Great point on the first-match-wins rule. I renamed the drop-in file to 10-hardening.conf so it properly beats out provider defaults.

I want to test these changes and edge cases thoroughly, so I'm keeping them in the dev branch for now. Once I'm sure the rollbacks behave perfectly with the new timeout logic, I'll merge it into main.

Thanks again for the suggestions!

Cheers

[avetere]

Good to hear, the ideas were worth considering. However, I was thinking to put all changes to the sshd_config into cossesponding files in the config.d, not only to put the hardening on top.

Anyway, I am currently facing a problem, when testing this on my test-server:
The determination of current ssh port (ss -tlpn | grep sshd | grep -oP ':\K\d+' | head -n 1) is not reliable, as is gets back to Port 6010 in case X11Forwarding is still enabled.

[buildplan]

maybe i could change the ss command to

ss -tlpn | grep -E 'sshd|ssh\.socket' | awk '{print $4}' | grep -oP ':\K\d+' | grep -vE '^60[1-9][0-9]$' | head -n 1

it should ignore X11 display ports.

[buildplan]

Also, I like your suggestion i will change port override with this

    if [[ "$SSH_SERVICE" == "ssh.socket" ]]; then
        print_info "Configuring SSH socket to listen on port $SSH_PORT..."
        mkdir -p /etc/systemd/system/ssh.socket.d
        printf '%s\n' "[Socket]" "ListenStream=" "ListenStream=$SSH_PORT" > /etc/systemd/system/ssh.socket.d/override.conf
    elif [[ $ID != "ubuntu" ]] || dpkg --compare-versions "$(lsb_release -rs)" lt "24.04"; then
        print_info "Configuring SSH service to listen on port $SSH_PORT via systemd..."
        mkdir -p /etc/systemd/system/${SSH_SERVICE}.d
        printf '%s\n' "[Service]" "ExecStart=" "ExecStart=/usr/sbin/sshd -D -p $SSH_PORT" > /etc/systemd/system/${SSH_SERVICE}.d/override.conf
    fi

    # port override and hardening to a single config file
    print_info "Applying SSH hardening and port configuration to drop-in file..."
    mkdir -p /etc/ssh/sshd_config.d
    tee /etc/ssh/sshd_config.d/10-hardening.conf > /dev/null <<EOF
Port $SSH_PORT
PermitRootLogin no
PasswordAuthentication no

[avetere]

Another problem: When rolling back, because confirming ssh doesn't work after the changes (or in my case unintentionally hitting no), the complete ssh seems broken and it does not seem to listen to any ip4 ports any more,

[avetere]

ip6 still works however

[buildplan]

oh i think i have seen this in past testing and didn't know how to fix it. I will have a look at this again i think in effort to support different Ubuntu versions this has become overly complicated. I will look at this again.

[buildplan]

Can I please check what system you were testing this on? Was this issue on Ubuntu 22.04 or later?

[avetere]

This was on 24.04.4. What I do not yet understand is why it stops listening on ip4 ports and why i cannot persuade it at all to restart doing it.

[buildplan]

OK thanks I will run a few tests to see if i can reproduce i am spinning up a DO droplet with IPv6 enabled

[buildplan]

OK managed to reproduce on 22.04 it works fine but on 24.04 i can see the issue if a system has IPv6 it only binds to that during rollback.
I have now pushed a change to dev branch which should fix this and it should correctly bind to IPv4 and IPv6

If you have time test that verion to see all the helpful changes and issues you raised have been fixed

wget https://raw.githubusercontent.com/buildplan/du_setup/refs/heads/dev/du_setup.sh

[avetere]

I have now tried your updated version 0.80.1and that works as intended, including timeout and rollback.
There is only one thing I noted during the fail2ban installation, I got the following readbacks:
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:224: SyntaxWarning: invalid escape sequence '\s'
"1490349000 test failed.dns.ch", "^\stest \S+"
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:435: SyntaxWarning: invalid escape sequence '\S'
'^'+prefix+'User \S+ not allowed\n'
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:443: SyntaxWarning: invalid escape sequence '\S'
'^'+prefix+'User \S+ not allowed\n'
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:444: SyntaxWarning: invalid escape sequence '\d'
'^'+prefix+'Received disconnect from port \d+'
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:451: SyntaxWarning: invalid escape sequence '\s'
_test_variants('common', prefix="\s\S+ sshd[\d+]:\s+")
/usr/lib/python3/dist-packages/fail2ban/tests/fail2banregextestcase.py:537: SyntaxWarning: invalid escape sequence '['
'common[prefregex="^svc[\d+] connect .+$"'
/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py:1375: SyntaxWarning: invalid escape sequence '\s'
"{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do",
/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py:1378: SyntaxWarning: invalid escape sequence '\s'
"{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do",
/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py:1421: SyntaxWarning: invalid escape sequence '\s'
"{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do",
/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py:1424: SyntaxWarning: invalid escape sequence '\s'
"{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do",
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /usr/lib/systemd/system/fail2ban.service.

[buildplan]

Thanks for testing. Glad it is working for you.

Regarding the SyntaxWarning outputs during the Fail2Ban installation: you can safely ignore those. Ubuntu 24.04 ships with Python 3.12, which has strict new warnings for regex escape sequences (like \s). fail2ban hasn't updated their test files to use raw strings yet, so Python spits out these warnings when apt compiles the package during installation.

It doesn't affect Fail2Ban's functionality or the script at all.

You can verify if fail2ban has been setup properly with:

sudo systemctl status fail2ban
sudo fail2ban-client status