Custom settings for SSH (IPv4 + IPv6 + allowed IPs)
Lightning-fast WordPress on Nginx
Brought to you by:
jessuppi
Originally created by: Bronislawsky
I am still too inexperienced to fork and submit work. I have a few code suggestions.
The code seems to work fine, though a review is highly recommended.
ss-config
SSH_ALLOW_IPV4="true"
SSH_ALLOW_IPV6="false"
SSH_IPV4_LIST=""
SSH_IPV6_LIST=""
ss-install
####################################################################################################
#### SS-Install: Configure UFW Firewall + Set UFW Rules ############################################
####################################################################################################
## delete tmp files ##
rm /tmp/ufw*
rm /tmp/user*
## install ufw ##
apt install ufw
## ufw force disable in case something goes wrong ? ##
ufw --force disable
# Getting rid of possible faulty rules
echo '' > /etc/ufw/user.rules
echo '' > /etc/ufw/user6.rules
# Deny all incoming
ufw default deny incoming
# Allow all outgoing
ufw default allow outgoing
# Allow http
ufw allow http
# Allow https
ufw allow https
# SSH ipv4 allowed ?
if [[ "${SSH_ALLOW_IPV4}" == "true" ]]; then
    if [[ -z "${SSH_IPV4_LIST}" ]]; then
        ufw allow proto tcp to 0.0.0.0/0 port $SSH_PORT
    else
        # TCP only, matching the IPv6 rules below (without proto the rule would also open UDP)
        for sship in ${SSH_IPV4_LIST}
        do
            ufw allow proto tcp from $sship to any port $SSH_PORT
        done
    fi
fi
# SSH ipv6 allowed ?
if [[ "${SSH_ALLOW_IPV6}" == "true" ]]; then
    if [[ -z "${SSH_IPV6_LIST}" ]]; then
        ufw allow proto tcp from ::/0 to any port $SSH_PORT
    else
        for sship in ${SSH_IPV6_LIST}
        do
            ufw allow proto tcp from $sship to any port $SSH_PORT
        done
    fi
fi
## retrieve latest versions ##
wget -O /tmp/ufw http://mirrors.slickstack.io/ufw-firewall/ufw.txt
wget -O /tmp/ufw.conf http://mirrors.slickstack.io/ufw-firewall/ufw-conf.txt
## copy files to their destinations ##
cp /tmp/ufw /etc/default/ufw
cp /tmp/ufw.conf /etc/ufw/ufw.conf
## reset permissions ##
chown root:root /etc/default/ufw
chown root:root /etc/ufw/ufw.conf
chmod 0664 /etc/default/ufw
chmod 0664 /etc/ufw/ufw.conf
## delete tmp files ##
rm /tmp/ufw*
rm /tmp/user*
# Restart ufw
service ufw restart
ufw --force reload
ufw --force enable
ss-update
####################################################################################################
#### SS-Update: Configure UFW Firewall + Set UFW Rules (In Case Apt Overwrites UFW Files) ##########
####################################################################################################
## at least one case reported where ss-update resulted in UFW config being overwritten ##
## therefore we include this reinstallation of UFW to ensure no port lockouts ##
## delete tmp files ##
rm /tmp/ufw*
rm /tmp/user*
## install UFW firewall ##
apt install ufw
# Getting rid of possible faulty rules
echo '' > /etc/ufw/user.rules
echo '' > /etc/ufw/user6.rules
# Deny all incoming
ufw default deny incoming
# Allow all outgoing
ufw default allow outgoing
# Allow http
ufw allow http
# Allow https
ufw allow https
# SSH ipv4 allowed ?
if [[ "${SSH_ALLOW_IPV4}" == "true" ]]; then
    if [[ -z "${SSH_IPV4_LIST}" ]]; then
        ufw allow proto tcp to 0.0.0.0/0 port $SSH_PORT
    else
        # TCP only, matching the IPv6 rules below (without proto the rule would also open UDP)
        for sship in ${SSH_IPV4_LIST}
        do
            ufw allow proto tcp from $sship to any port $SSH_PORT
        done
    fi
fi
# SSH ipv6 allowed ?
if [[ "${SSH_ALLOW_IPV6}" == "true" ]]; then
    if [[ -z "${SSH_IPV6_LIST}" ]]; then
        ufw allow proto tcp from ::/0 to any port $SSH_PORT
    else
        for sship in ${SSH_IPV6_LIST}
        do
            ufw allow proto tcp from $sship to any port $SSH_PORT
        done
    fi
fi
# retrieve latest versions ##
wget -O /tmp/ufw http://mirrors.slickstack.io/ufw-firewall/ufw.txt
wget -O /tmp/ufw.conf http://mirrors.slickstack.io/ufw-firewall/ufw-conf.txt
## copy files to their destinations ##
cp /tmp/ufw /etc/default/ufw
cp /tmp/ufw.conf /etc/ufw/ufw.conf
## reset permissions ##
chown root:root /etc/default/ufw
chown root:root /etc/ufw/ufw.conf
chmod 0664 /etc/default/ufw
chmod 0664 /etc/ufw/ufw.conf
## delete tmp files ##
rm /tmp/ufw*
rm /tmp/user*
# Restart ufw
service ufw restart
ufw --force reload
ufw --force enable
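An added example, not part of the original post and not SlickStack's own code: a dry-run wrapper for the SSH rule logic above that validates every SSH_IPV4_LIST / SSH_IPV6_LIST entry and prints the ufw commands instead of applying them, so a malformed entry is refused before ufw is touched and cannot leave a half-applied rule set. The ss-config values (SSH_PORT, SSH_ALLOW_IPV4, SSH_IPV4_LIST, SSH_ALLOW_IPV6, SSH_IPV6_LIST) are passed in as arguments, the IPv4 loop uses `proto tcp` like the IPv6 rules, and the function names are mine.

```bash
#!/bin/bash
# Constructed example, not SlickStack code: validate SSH_IPV4_LIST / SSH_IPV6_LIST and
# print the ufw SSH rules instead of applying them, failing closed on any bad entry.
re_v4='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
re_v6='^(([0-9A-Fa-f]{1,4})?:)+[0-9A-Fa-f]{0,4}$'   # coarse: hex groups and colons only
re_num='^[0-9]{1,5}$'
# Returns 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4() {
    local ip="${1%%/*}" pfx="${1#*/}" o
    [[ "$1" == */* ]] && { [[ "$pfx" =~ $re_num ]] && (( 10#$pfx <= 32 )) || return 1; }
    [[ "$ip" =~ $re_v4 ]] || return 1
    for o in "${BASH_REMATCH[@]:1}"; do (( 10#$o <= 255 )) || return 1; done
}
# Returns 0 if $1 looks like an IPv6 address or prefix (at most one "::", optional
# /0-128). Group count is not checked; ufw itself rejects anything subtler.
is_ipv6() {
    local ip="${1%%/*}" pfx="${1#*/}"
    [[ "$1" == */* ]] && { [[ "$pfx" =~ $re_num ]] && (( 10#$pfx <= 128 )) || return 1; }
    [[ "$ip" =~ $re_v6 && "$ip" != *:::* && "${ip/::/}" != *::* ]]
}
# Print the ufw rules ss-install would apply, one command per line. Prints nothing and
# returns 1 if the port or any list entry is malformed, so a typo in the allow list
# cannot leave the server with a partial rule set and no SSH access.
ssh_rules() {
    local port="$1" v4="$2" v4list="$3" v6="$4" v6list="$5" ip out=""
    [[ "$port" =~ $re_num ]] && (( 10#$port >= 1 && 10#$port <= 65535 )) || return 1
    if [[ "$v4" == "true" ]]; then
        if [[ -z "$v4list" ]]; then
            out+="ufw allow proto tcp to 0.0.0.0/0 port $port"$'\n'
        else
            for ip in $v4list; do
                is_ipv4 "$ip" || return 1
                out+="ufw allow proto tcp from $ip to any port $port"$'\n'
            done
        fi
    fi
    if [[ "$v6" == "true" ]]; then
        if [[ -z "$v6list" ]]; then
            out+="ufw allow proto tcp from ::/0 to any port $port"$'\n'
        else
            for ip in $v6list; do
                is_ipv6 "$ip" || return 1
                out+="ufw allow proto tcp from $ip to any port $port"$'\n'
            done
        fi
    fi
    printf '%s' "$out"
}
```

Call it as `ssh_rules "$SSH_PORT" "$SSH_ALLOW_IPV4" "$SSH_IPV4_LIST" "$SSH_ALLOW_IPV6" "$SSH_IPV6_LIST"` and only pipe the output into bash after reading it, having confirmed that the address of your current SSH session is covered by the list.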
Originally posted by: jessuppi
Embracing the "decisions, not options" mantra we've tried to avoid having too many options esp. as related to logging and networking, to establish certain norms. I'm not sure I'd support allowing too many SSH config customizations to ensure stability, esp. when IPv4 is much better/faster when it comes to dealing with SSH performance.
I think SlickStack can attract a lot of power users who have dabbled in Bash but are mostly frontend designers and developers if we keep certain settings hardcoded.
That said, I'll keep this issue open. Again please use clear Issue topics, you have mixed together several different topics here which makes it difficult to address (and others to find). All the UFW related stuff should probably be in the existing topic, or a new topic perhaps.
Originally posted by: jessuppi
Sorry, I see what you mean re: UFW integrating a possible "allowed IPs" list for SSH port now, but I think this would probably introduce tons of confusion to typical users and possible conflicts with accessing servers after they have run the ss-install the first time.
Originally posted by: jessuppi
Perhaps in the meanwhile, we need a failsafe for super cheap VMs that don't support IPv4:
## allow IPv6 SSH sessions (any) if no IPv4 address is detected on the server ##
https://github.com/littlebizzy/slickstack/blob/master/ss-install.txt#L184
Not active yet, needs some research and testing...