From 1a7cfaf42f0c5e14798430858ac2a058290e463b Mon Sep 17 00:00:00 2001
From: Dave Fatkin
Date: Sat, 14 Dec 2024 15:55:38 +0000
Subject: [PATCH 1/2] Check SSH config overrides

Checks the base sshd_config file for the `Include` directive. Then checks each setting against the overrides first, then the base sshd_config. Will stop at the first instance of the setting found.
---
 vps-audit.sh | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/vps-audit.sh b/vps-audit.sh
index f32d4e4..b57fa6c 100755
--- a/vps-audit.sh
+++ b/vps-audit.sh
@@ -110,22 +110,33 @@ else
 check_security "System Restart" "PASS" "No restart required"
 fi
 
+# Check SSH config overrides
+SSH_OVERRIDES=$(grep "^Include" /etc/ssh/sshd_config | awk '{print $2}')
+
 # Check SSH root login
-if grep -q "^PermitRootLogin.*no" /etc/ssh/sshd_config; then
+SSH_ROOT=$(grep "^PermitRootLogin" $SSH_OVERRIDES /etc/ssh/sshd_config | head -1 | awk '{print $2}')
+if [ -z "$SSH_ROOT" ]; then
+ SSH_ROOT="prohibit-password"
+fi
+if [ "$SSH_ROOT" = "no" ]; then
 check_security "SSH Root Login" "PASS" "Root login is properly disabled in SSH configuration"
 else
 check_security "SSH Root Login" "FAIL" "Root login is currently allowed - this is a security risk. Disable it in /etc/ssh/sshd_config"
 fi
 
 # Check SSH password authentication
-if grep -q "^PasswordAuthentication.*no" /etc/ssh/sshd_config; then
+SSH_PASSWORD=$(grep "^PasswordAuthentication" $SSH_OVERRIDES /etc/ssh/sshd_config | head -1 | awk '{print $2}')
+if [ -z "$SSH_PASSWORD" ]; then
+ SSH_PASSWORD="yes"
+fi
+if [ "$SSH_PASSWORD" = "no" ]; then
 check_security "SSH Password Auth" "PASS" "Password authentication is disabled, key-based auth only"
 else
 check_security "SSH Password Auth" "FAIL" "Password authentication is enabled - consider using key-based authentication only"
 fi
 
 # Check SSH default port
-SSH_PORT=$(grep "^Port" /etc/ssh/sshd_config | awk '{print $2}')
+SSH_PORT=$(grep "^Port" $SSH_OVERRIDES /etc/ssh/sshd_config | head -1 | awk '{print $2}')
 if [ -z "$SSH_PORT" ]; then
 SSH_PORT="22"
 fi
@@ -307,4 +318,4 @@ echo -e "Review $REPORT_FILE for detailed recommendations."
 # Add summary to report
 echo "================================" >> "$REPORT_FILE"
 echo "End of VPS Audit Report" >> "$REPORT_FILE"
-echo "Please review all failed checks and implement the recommended fixes." >> "$REPORT_FILE"
\ No newline at end of file
+echo "Please review all failed checks and implement the recommended fixes." >> "$REPORT_FILE"

From e52459b719a14ee13830dff62e1b6a18257a7dc3 Mon Sep 17 00:00:00 2001
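Review bot: The new lookups always search the Include'd drop-ins before /etc/ssh/sshd_config, but sshd keeps the first value it reads in file order, so a directive written above the `Include` line in sshd_config wins on the server while this grep reports the drop-in value — `PermitRootLogin yes` above the Include with `PermitRootLogin no` in a drop-in is audited as PASS. The chosen order is only right when Include is the first directive (the Debian/Ubuntu default layout), so that assumption should at least be stated in a comment next to the `SSH_OVERRIDES=` line. When the script runs as root, `sshd -T` prints the effective configuration with Includes and defaults already resolved and is the safer source, e.g. `sshd -T 2>/dev/null | awk '$1 == "permitrootlogin" {print $2}'`, keeping the grep path as a fallback. The `^PermitRootLogin` anchor also misses indented or differently-cased keywords that sshd accepts; `grep -hi "^[[:space:]]*PermitRootLogin[[:space:]]"` is closer, and `-h` matters once several files are searched because a `file:` prefix on an indented line would shift `awk '{print $2}'` onto the keyword. Leaving `$SSH_OVERRIDES` unquoted is intentional for glob expansion and deserves a `# shellcheck disable=SC2086 -- Include value is a glob` comment saying so.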
From: Israel Abebe
Date: Sat, 14 Dec 2024 23:00:34 +0300
Subject: [PATCH 2/2] handle cases where sshd_config.d override is missing

---
 vps-audit.sh | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/vps-audit.sh b/vps-audit.sh
index b57fa6c..7380e6c 100755
--- a/vps-audit.sh
+++ b/vps-audit.sh
@@ -111,10 +111,14 @@ else
 fi
 
 # Check SSH config overrides
-SSH_OVERRIDES=$(grep "^Include" /etc/ssh/sshd_config | awk '{print $2}')
+SSH_CONFIG_OVERRIDES=$(grep "^Include" /etc/ssh/sshd_config 2>/dev/null | awk '{print $2}')
 
-# Check SSH root login
-SSH_ROOT=$(grep "^PermitRootLogin" $SSH_OVERRIDES /etc/ssh/sshd_config | head -1 | awk '{print $2}')
+# Check SSH root login (handle both main config and overrides if they exist)
+if [ -n "$SSH_CONFIG_OVERRIDES" ] && [ -d "$(dirname "$SSH_CONFIG_OVERRIDES")" ]; then
+ SSH_ROOT=$(grep "^PermitRootLogin" $SSH_CONFIG_OVERRIDES /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
+else
+ SSH_ROOT=$(grep "^PermitRootLogin" /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
+fi
 if [ -z "$SSH_ROOT" ]; then
 SSH_ROOT="prohibit-password"
 fi
@@ -124,8 +128,12 @@ else
 check_security "SSH Root Login" "FAIL" "Root login is currently allowed - this is a security risk. Disable it in /etc/ssh/sshd_config"
 fi
 
-# Check SSH password authentication
-SSH_PASSWORD=$(grep "^PasswordAuthentication" $SSH_OVERRIDES /etc/ssh/sshd_config | head -1 | awk '{print $2}')
+# Check SSH password authentication (handle both main config and overrides if they exist)
+if [ -n "$SSH_CONFIG_OVERRIDES" ] && [ -d "$(dirname "$SSH_CONFIG_OVERRIDES")" ]; then
+ SSH_PASSWORD=$(grep "^PasswordAuthentication" $SSH_CONFIG_OVERRIDES /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
+else
+ SSH_PASSWORD=$(grep "^PasswordAuthentication" /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
+fi
 if [ -z "$SSH_PASSWORD" ]; then
 SSH_PASSWORD="yes"
 fi
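Review bot: The `[ -d "$(dirname "$SSH_CONFIG_OVERRIDES")" ]` guard silently discards the drop-ins whenever the variable does not hold exactly one path: two `Include` lines yield a newline-separated value whose dirname is not a directory, so only the base file is read and a `PasswordAuthentication yes` drop-in that really overrides a `no` in sshd_config is audited as PASS. The guard is also unnecessary — an empty unquoted `$SSH_CONFIG_OVERRIDES` expands to no argument, and a glob that matches nothing only makes grep print an error (already sent to /dev/null, barring a `pipefail` I cannot see from here) while it still reads /etc/ssh/sshd_config — so the if/else repeated for root login, password auth and port can collapse into one helper. A helper is also the single place to accept the indented and case-insensitive spellings sshd itself takes (`PermitRootLogin No` is, as far as I know, valid for sshd but FAILs here), and it needs `grep -h` so that a filename prefix on an indented line does not shift `awk '{print $2}'` when several files are searched. The default and PASS/FAIL lines after each assignment stay as they are.
```shell
# Resolve a keyword the way sshd does when Include is the first directive:
# drop-ins first, then the base file, first match wins.  Keyword match is
# case-insensitive and tolerates indentation, as sshd is; the value is
# lower-cased so the "no"/"yes" comparisons below accept sshd's spellings.
# shellcheck disable=SC2086 -- $SSH_CONFIG_OVERRIDES is a glob; expansion is intended
sshd_setting() {
    grep -hi "^[[:space:]]*$1[[:space:]]" $SSH_CONFIG_OVERRIDES /etc/ssh/sshd_config 2>/dev/null \
        | head -1 | awk '{print $2}' | tr '[:upper:]' '[:lower:]'
}

# Check SSH root login (drop-ins and main config, if the drop-ins exist)
SSH_ROOT=$(sshd_setting PermitRootLogin)
# … unchanged: prohibit-password default and PASS/FAIL check …

# Check SSH password authentication
SSH_PASSWORD=$(sshd_setting PasswordAuthentication)
# … unchanged: yes default and PASS/FAIL check …
```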
@@ -136,7 +144,11 @@ else
 fi
 
 # Check SSH default port
-SSH_PORT=$(grep "^Port" $SSH_OVERRIDES /etc/ssh/sshd_config | head -1 | awk '{print $2}')
+if [ -n "$SSH_CONFIG_OVERRIDES" ] && [ -d "$(dirname "$SSH_CONFIG_OVERRIDES")" ]; then
+ SSH_PORT=$(grep "^Port" $SSH_CONFIG_OVERRIDES /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
+else
+ SSH_PORT=$(grep "^Port" /etc/ssh/sshd_config 2>/dev/null | head -1 | awk '{print $2}')
+fi
 if [ -z "$SSH_PORT" ]; then
 SSH_PORT="22"
 fi
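Review bot: `head -1` keeps only the first `Port` directive, but sshd accepts several `Port` lines and listens on all of them, so a config with `Port 2222` followed by `Port 22` (or a drop-in that re-adds 22) is audited as non-default while 22 is still open; `ListenAddress host:port` can add a port as well. Collecting every value is closer to what the check is for: `SSH_PORTS=$(grep -hi "^[[:space:]]*Port[[:space:]]" $SSH_CONFIG_OVERRIDES /etc/ssh/sshd_config 2>/dev/null | awk '{print $2}')`, then set `SSH_PORT="22"` when the list is empty or contains `22` and to the first entry otherwise, so the comparison that follows below the hunk keeps working. `grep -h` drops the filename prefix that would otherwise shift `awk '{print $2}'` when more than one file is searched. The `-d "$(dirname ...)"` branch repeated here adds nothing over `2>/dev/null`, because grep still reads the base file when the glob matches nothing. The PASS/FAIL check on `$SSH_PORT` is outside the hunk.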