add running-services and ssh_harden

linux/running-services.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+# Description:  Basic Pretty Systemctl Services Status Script
+# Author:  Victor Bishop (Heretic)  |  https://github.com/Heretic312/devsecops-wrappers
+# Date:  12/12/2025
+
+# List all systemctl services and color them based on their status
+systemctl list-unit-files | awk '
+/enabled/ {print "\033[32m" $0 "\033[0m"; next}  # Green for enabled
+/disabled/ {print "\033[31m" $0 "\033[0m"; next}  # Red for disabled
+/static/ {print "\033[34m" $0 "\033[0m"; next}    # Blue for static
+/alias/ {print "\033[35m" $0 "\033[0m"; next}    # Purple for alias
+{print $0}  # Default output for other lines
+'
+
+# List all systemctl services and color the whole line for enabled services
+#systemctl list-unit-files | awk '/enabled/ {print "\033[32m" $0 "\033[0m"; next} {print $0}'
+
+
+# List all running systemctl services and highlight enabled ones with color
+#systemctl list-unit-files | grep --color=auto 'enabled'

linux/ssh_harden.sh

@@ -0,0 +1,113 @@
+#!/bin/bash
+
+# Script Name: ssh_harden.sh
+# Description: SSH hardening script for Debian 12 (Bookworm) based on https://www.sshaudit.com/hardening_guides.html#debian_12
+# Author: Victor Bishop | https://github.com/Heretic312/devsecops-wrappers
+# Version: 1.1
+# Usage: sudo ./ssh_harden.sh
+# Notes: Adjust SSH_PORT as needed if not using port 22
+
+SSH_PORT=22  # Change this to your SSH port if not using 22
+
+# Ensure script is run as root
+if [[ $EUID -ne 0 ]]; then
+    echo "This script must be run as root." >&2
+    exit 1
+fi
+
+# Function to regenerate SSH host keys
+regenerate_ssh_keys() {
+    read -p "WARNING: This will DELETE and REGENERATE SSH host keys. Continue? (y/n): " confirm
+    [[ $confirm != [yY] ]] && echo "Cancelled." && return
+
+    echo "Regenerating SSH host keys..."
+    rm -f /etc/ssh/ssh_host_*
+    ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
+    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
+
+    # Clean existing HostKey lines to prevent duplication
+    sed -i '/^HostKey \/etc\/ssh\/ssh_host_/d' /etc/ssh/sshd_config
+    echo -e "HostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config
+
+    awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
+    mv /etc/ssh/moduli.safe /etc/ssh/moduli
+
+    echo "SSH host keys regenerated successfully."
+}
+
+# Function to apply SSH hardening configuration
+apply_ssh_hardening() {
+    echo "Applying SSH hardening configuration..."
+    cat > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf <<EOF
+# SSH Hardening as per sshaudit.com guide for Debian 12
+
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
+
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+
+HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+RequiredRSASize 3072
+
+CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
+
+HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+
+PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+EOF
+
+    systemctl restart ssh
+    echo "SSH hardening configuration applied successfully."
+}
+
+# Function to configure iptables rules
+configure_firewall() {
+    echo "Installing and configuring iptables firewall rules..."
+
+    apt-get update
+    DEBIAN_FRONTEND=noninteractive apt-get install -q -y iptables iptables-persistent netfilter-persistent
+
+    iptables -I INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --set
+    iptables -I INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
+
+    ip6tables -I INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --set
+    ip6tables -I INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
+
+    netfilter-persistent save
+    echo "Firewall rules configured and saved."
+}
+
+# Main menu function
+main_menu() {
+    while true; do
+        echo "=============================="
+        echo "       SSH Configuration      "
+        echo "=============================="
+        echo "1. Regenerate SSH Host Keys"
+        echo "2. Apply SSH Hardening Configuration"
+        echo "3. Configure Firewall Rules"
+        echo "4. Exit"
+        read -rp "Choose an option: " choice
+
+        case $choice in
+            1) regenerate_ssh_keys ;;
+            2) apply_ssh_hardening ;;
+            3) configure_firewall ;;
+            4)
+                echo "Exiting script. Hasta La Vista!"
+                exit 0
+                ;;
+            *)
+                echo "Error: 'Cannot find variable \"common sense\".' Did you accidentally delete it?"
+                ;;
+        esac
+        read -rp "Press Enter to continue..."
+    done
+}
+
+# Run the menu
+main_menu