Skip to content

aki66938/safely-bash

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
ufw-reddns-ssh.sh
ufw-reddns-ssh.sh
 
 

Repository files navigation

Safely-Bash

A security enhancement toolkit for protecting SSH access to public-facing servers.

License: MIT

Overview

This project provides a comprehensive solution for securing SSH access to public-facing servers, particularly focusing on scenarios with dynamic IP addresses. It combines firewall rules, DDNS (Dynamic DNS), and automated scripts to create a robust security system.

Features

  • Dynamic IP-based access control
  • Automated firewall rule updates
  • Support for multiple firewall systems (UFW, firewalld, iptables)
  • Detailed logging system
  • DDNS integration

Prerequisites

  • A registered domain name (free or paid)
  • Root access to your server
  • One of the supported firewalls (UFW, firewalld, or iptables)
  • Basic understanding of Linux system administration

Security Measures

1. SSH Configuration Enhancement

Modify your SSH configuration for better security:

vim /etc/ssh/sshd_config

# Recommended settings
Port <unusual-port>              # Change from default port 22
PasswordAuthentication no       # Disable password login
PubkeyAuthentication yes       # Enable key-based authentication

2. Firewall Configuration

For Static IP Users

Choose one of the following methods based on your firewall:

UFW:

ufw allow from <client-ip> to any port <ssh-port>

Firewalld:

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="<client-ip>" port protocol="tcp" port="<ssh-port>" accept' --permanent

Iptables:

iptables -A INPUT -p tcp --dport <ssh-port> -s <client-ip> -j ACCEPT

3. Dynamic IP Solution

For users with dynamic IPs, this project provides an automated solution:

  1. Set up DDNS for your domain using tools like:

  2. Use the provided script (ufw-reddns-ssh.sh) to automatically update firewall rules based on your domain's IP.

  3. Set up a cron job to run the script periodically.

Script Usage

  1. Edit the script variables:

    • DOMAIN: Your domain name
    • PORT: Your SSH port
    • LOG_FILE: Path to log file (default: /var/log/ufw_update.log)

  2. Make the script executable:

chmod +x ufw-reddns-ssh.sh
  1. Add to crontab for automatic execution:
crontab -e
# Add line: */5 * * * * /path/to/ufw-reddns-ssh.sh

Logging

The script maintains detailed logs at /var/log/ufw_update.log, including:

  • IP address changes
  • Firewall rule updates
  • Current firewall status
  • Timestamps for all operations

License

This project is licensed under the MIT License - see the LICENSE file for details.

About

Safely running a public-facing server's bash

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages