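#!/bin/bash
#####################################################
# Sec-ServerSSH - v.0.2 - Noviembre 6, 2006
# Este programa es parte del script original FSS v.0.2
# Disponible desde http://www.encuentroalternativo.com
#
# Copyright (C) 2006 Esteban Borges [esteban.borges@gmail.com]
#
#####################################################
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#####################################################
# ChangeLog
#
# v.0.1 Noviembre 3 2006, - Securización de variables: Puerto, Protocolo,
# PermitEmptyPasswords, PasswordAuthentication, PrintLastLog y X11Forwarding.
#
# v.0.2 Noviembre 6, 2006 - Chequeo de privilegios root al correr el script.
# - Securización de variables: LoginGraceTime y StrictModes.
# - Exclusiónde puertos asignables menores al 1024
#####################################################
#
# Interactive hardening check for sshd_config. Every option is compared
# against a desired "Key value" line; when it differs the user is asked
# (si/no) whether the script should rewrite that line in place.
#
# Review notes on this revision:
#  - The original edited the file with MySQL's `replace` utility. When
#    `which replace` found nothing, `$REPLACE` expanded to an empty word
#    and the rest of the line was executed as a command; and when an option
#    was absent from the file the search string degenerated to " " (a single
#    space), which `replace` would have substituted throughout the file.
#    Edits now go through awk with a whole-line string comparison, so no
#    regex escaping is involved, and an absent option is appended instead.
#  - Per-option scratch files (sshport.log, ...) were written with fixed
#    names into the current directory while running as root; they are gone.
#  - Reads from stdin now treat EOF as "no" instead of looping forever.
#  - A dated backup of sshd_config is taken before the first change and the
#    result is checked with `sshd -t` when sshd is on the PATH.

set -u

# External tools. `command -v` is the portable replacement for `which`;
# each result is quoted at the call site so an empty value fails loudly
# instead of silently turning the arguments into a command.
GREP="$(command -v grep)"
CAT="$(command -v cat)"
AWK="$(command -v awk)"
OK="\033[1;32m[ OK ]\033[0;0m"
BAD="\033[1;31m[ BAD ]\033[0;0m"
OKMSG="$OK"
WARN="$BAD"
DN="/dev/null"
# Path of the sshd configuration file. Defined at top level so the
# "file does not exist" message in main can print it (the original set
# it inside verssh only, and the message printed an empty path).
CATARCH="/etc/ssh/sshd_config"
# Path of the backup created by the first successful set_option call;
# empty until then.
BACKUP=""

#######################################
# Ask "Desea proceder?" until the user answers exactly "si" or "no".
# Globals:   PROCEDER (written: "si" or "no")
# Inputs:    reads stdin; EOF is treated as "no"
#######################################
siono () {
  printf 'Desea proceder? \n(si/no): '
  read -r PROCEDER || PROCEDER="no"
  until [ "$PROCEDER" = "si" ] || [ "$PROCEDER" = "no" ]; do
    printf "Ingresa 'si' o 'no': "
    read -r PROCEDER || PROCEDER="no"
  done
}

#######################################
# Print the first sshd_config line that sets, or comments out, an option.
# Only lines that start with the keyword (optionally preceded by blanks and
# a '#') match, so "Port" no longer matches "GatewayPorts".
# Globals:   GREP, CATARCH (read)
# Arguments: $1 - option keyword, e.g. "Port"
# Outputs:   the matching line on stdout; nothing if the option is absent
#######################################
current_line () {
  "$GREP" -m1 -E "^[[:space:]]*#?$1"'([[:space:]]|$)' -- "$CATARCH"
}

#######################################
# Replace every line equal to $1 with $2, or append $2 when $1 is empty
# (option not present in the file). The target is rewritten in place
# through a redirection, which keeps its inode, owner and mode. A dated
# backup is taken before the first modification of the run.
# Globals:   AWK, CAT, CATARCH (read), BACKUP (written once)
# Arguments: $1 - current line exactly as returned by current_line
#            $2 - replacement line, e.g. "Port 2222"
# Returns:   0 on success, 1 when the backup, temp file or rewrite failed
#######################################
set_option () {
  local old="$1" new="$2" tmp
  if [ -z "$BACKUP" ]; then
    BACKUP="$CATARCH.bak.$(date +%Y%m%d%H%M%S)"
    "$CAT" -- "$CATARCH" > "$BACKUP" || { BACKUP=""; return 1; }
  fi
  if [ -z "$old" ]; then
    # Make sure the appended line starts on a line of its own even when
    # the file lacks a trailing newline.
    if [ -n "$(tail -c1 -- "$CATARCH")" ]; then
      printf '\n' >> "$CATARCH" || return 1
    fi
    printf '%s\n' "$new" >> "$CATARCH" || return 1
    return 0
  fi
  tmp="$(mktemp)" || return 1
  # awk -v passes the strings as values, not patterns, so '#', '.' or '*'
  # in a config line need no escaping. (awk -v does interpret backslash
  # escapes; sshd_config lines normally contain none.)
  if "$AWK" -v old="$old" -v new="$new" '$0 == old { print new; next } { print }' \
      "$CATARCH" > "$tmp" && "$CAT" -- "$tmp" > "$CATARCH"; then
    rm -f -- "$tmp"
    return 0
  fi
  rm -f -- "$tmp"
  return 1
}

#######################################
# Print the warning for an option, ask for confirmation and apply the fix.
# Globals:   WARN (read), PROCEDER (via siono)
# Arguments: $1 - option keyword
#            $2 - current line (may be empty)
#            $3 - replacement line
#            $4 - advice shown to the user
#            $5 - message printed after a successful change
#######################################
offer_fix () {
  local key="$1" line="$2" new="$3" advice="$4" done_msg="$5"
  echo -e "$key $WARN"
  echo "$advice"
  echo "Este script puede hacerlo por usted ahora mismo."
  siono
  if [ "$PROCEDER" = "si" ]; then
    if set_option "$line" "$new"; then
      echo "$done_msg"
    else
      echo "No se pudo modificar $CATARCH. Abortando."
    fi
  else
    echo "Abortando."
  fi
}

#######################################
# Generic check: report OK when the option line is exactly "KEY VALUE";
# otherwise (different value, commented out, or absent) offer to set it.
# Arguments: $1 - option keyword
#            $2 - desired value
#            $3 - advice shown to the user
#            $4 - message printed after a successful change
#######################################
check_option () {
  local key="$1" want="$2" line
  line="$(current_line "$key")"
  if [ "$line" = "$key $want" ]; then
    echo -e "$key $OKMSG"
  else
    offer_fix "$key" "$line" "$key $want" "$3" "$4"
  fi
}

#######################################
# Prompt for a listening port until a number in 1024-65535 is entered.
# The original loop accepted any input that `[` happened to parse and its
# message quoted the wrong range (1-65535).
# Globals:   SSHPORT (written, normalised to decimal without leading zeros)
# Returns:   0 with SSHPORT set; 1 on EOF
#######################################
ask_port () {
  read -r -p "¿Que puerto deseas asignar?: " SSHPORT || return 1
  until [[ "$SSHPORT" =~ ^[0-9]+$ ]] && [ "$SSHPORT" -ge 1024 ] && [ "$SSHPORT" -le 65535 ]; do
    echo "El puerto indicado es inválido, debe indicar entre 1024 y 65535."
    read -r -p "¿Que puerto deseas asignar?: " SSHPORT || return 1
  done
  SSHPORT=$((10#$SSHPORT))
  return 0
}

#######################################
# Port: warn when it is 22, commented out (compiled-in default, 22) or
# absent, and offer to move it to a port >= 1024.
#######################################
port () {
  local key="Port" line
  line="$(current_line "$key")"
  if [ "$line" != "$key 22" ] && [ -n "$line" ] && [ "${line#\#}" = "$line" ]; then
    echo -e "$key $OKMSG"
    return 0
  fi
  echo -e "$key $WARN"
  echo "Es recomendable que cambie su Puerto a uno diferente al standart (22)."
  echo "Este script puede hacerlo por usted ahora mismo."
  siono
  if [ "$PROCEDER" = "si" ]; then
    if ! ask_port; then
      echo "Abortando."
      return 0
    fi
    echo "Has elegido '$SSHPORT'"
    siono
    if [ "$PROCEDER" = "si" ]; then
      if set_option "$line" "$key $SSHPORT"; then
        echo "Su puerto ha sido cambiado a $SSHPORT."
      else
        echo "No se pudo modificar $CATARCH. Abortando."
      fi
    else
      echo "Abortando."
    fi
  fi
}

#######################################
# Protocol 2. Newer OpenSSH releases no longer implement protocol 1 and
# are expected to ignore this directive; it is kept for older servers.
#######################################
proto () {
  check_option "Protocol" "2" \
    "Es recomendable que cambie su Protocolo a uno diferente al standart (1)." \
    "Su Protocolo ha sido cambiado a 2."
}

#######################################
# PermitEmptyPasswords no.
#######################################
emptpass () {
  check_option "PermitEmptyPasswords" "no" \
    "Es recomendable que desactive la variable PermitEmptyPasswords" \
    "PermitEmptyPasswords ha sido desactivado."
}

#######################################
# PasswordAuthentication yes.
# NOTE(review): this 2006 baseline treats password login as the desired
# state. Current hardening guidance generally prefers key-based auth with
# PasswordAuthentication no; confirm the policy before relying on this check.
#######################################
psauth () {
  check_option "PasswordAuthentication" "yes" \
    "Es recomendable que active la variable PasswordAuthentication" \
    "PasswordAuthentication ha sido activado."
}

#######################################
# PrintLastLog yes.
#######################################
lastlog () {
  check_option "PrintLastLog" "yes" \
    "Es recomendable que active la variable PrintLastLog" \
    "PrintLastLog ha sido activado."
}

#######################################
# StrictModes yes.
#######################################
stmodes () {
  check_option "StrictModes" "yes" \
    "Es recomendable que active la variable StrictModes" \
    "StrictModes ha sido activado."
}

#######################################
# LoginGraceTime 120.
#######################################
gracetime () {
  check_option "LoginGraceTime" "120" \
    "Es recomendable que setee un valor de 120 segundos a la variable LoginGraceTime" \
    "LoginGraceTime ha sido activado y seteado para 120 segundos."
}

#######################################
# X11Forwarding: OK when disabled explicitly, commented out or absent
# (the latter two leave the compiled-in default, which is "no"); otherwise
# offer to set "X11Forwarding no". The original commented the line out
# instead, which had the same effect but also touched other lines that
# merely contained the keyword.
#######################################
x11 () {
  local key="X11Forwarding" line
  line="$(current_line "$key")"
  case "$line" in
    ""|"#"*|"$key no")
      echo -e "$key $OKMSG"
      ;;
    *)
      offer_fix "$key" "$line" "$key no" \
        "Es recomendable que desactive la variable $key" \
        "$key ha sido desactivado."
      ;;
  esac
}

#######################################
# After changes: validate the file with `sshd -t` when sshd is reachable
# (best effort; a broken sshd_config would lock the admin out on restart)
# and remind the user that sshd must be restarted to pick up the changes.
# Globals:   BACKUP, CATARCH (read)
#######################################
validate_config () {
  local sshd
  [ -n "$BACKUP" ] || return 0
  echo "Respaldo del archivo original: $BACKUP"
  if sshd="$(command -v sshd)"; then
    if ! "$sshd" -t -f "$CATARCH"; then
      echo "Advertencia: sshd reporta errores en $CATARCH; revise el archivo antes de reiniciar el servicio."
    fi
  fi
  echo "Reinicie el servicio sshd para aplicar los cambios."
}

#######################################
# Run every check in the original order.
# Globals:   CATARCH (read)
#######################################
verssh () {
  local title="Verificando seguridad en SSH ( $CATARCH ) --"
  echo -e "\033[1m$title\033[0m"
  port
  proto
  emptpass
  psauth
  lastlog
  stmodes
  gracetime
  x11
  validate_config
}

#######################################
# Entry point: require root, require the config file, then run the checks.
# Returns:   0 after the checks; 1 when not root or the file is missing
#######################################
main () {
  if [ "$(id -u)" -ne 0 ]; then
    echo "Debe ser root para ejecutar este script. Abortando!"
    return 1
  fi
  if [ ! -f "$CATARCH" ]; then
    echo "El archivo de configuración SSH $CATARCH no existe, Abortando!"
    return 1
  fi
  verssh
}

main "$@"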