dataforge/fn_registry
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
b8911dc0806fb2693c48e90c9fd41cb120ea336e
fn_registry/bash/functions/cybersecurity/audit_ssh_config.sh
T
egutierrez 7c3f01c9eb feat: add bash cybersecurity audit and hardening functions 
12 funciones Bash del dominio cybersecurity: auditoria de red y servicios
(analyze_dns, audit_http_headers, inspect_ssl_cert, list_active_connections,
enumerate_subdomains, geolocate_ip), auditoria de sistema (audit_ssh_config,
check_firewall, detect_suspicious_users), y utilidades crypto (encrypt_file,
generate_password, verify_file_hash). Dominio nuevo en bash/functions/.
2026-04-12 13:54:25 +02:00

178 lines
6.1 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# audit_ssh_config
# ----------------
# Audita la configuración de sshd_config evaluando parámetros de seguridad,
# revisa intentos de login fallidos y lista las claves autorizadas del usuario.
#
# USO (directo):
# audit_ssh_config [/ruta/a/sshd_config]
#
# Depende de: grep, ssh (opcional para validación), journalctl o /var/log/auth.log
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../shell/bash_colors.sh"
source "$SCRIPT_DIR/../shell/bash_log.sh"
bash_colors
bash_log_init
# ─── Funciones puras ──────────────────────────────────────────────────────────
_ssh_get_value() {
local config="$1"
local key="$2"
grep -iE "^[[:space:]]*${key}[[:space:]]" "$config" 2>/dev/null \
| tail -1 | awk '{print $2}' | xargs
}
_ssh_eval_permit_root() {
local val="${1:-yes}"
case "${val,,}" in
no|prohibit-password) echo "ok" ;;
without-password) echo "warn" ;;
*) echo "bad" ;;
esac
}
_ssh_eval_password_auth() {
local val="${1:-yes}"
[[ "${val,,}" == "no" ]] && echo "ok" || echo "bad"
}
_ssh_eval_max_auth_tries() {
local val="${1:-6}"
[[ "$val" -le 3 ]] && echo "ok" || echo "warn"
}
_ssh_eval_x11_forwarding() {
local val="${1:-no}"
[[ "${val,,}" == "no" ]] && echo "ok" || echo "warn"
}
# ─── Funciones de presentación ────────────────────────────────────────────────
_ssh_print_check() {
local level="$1"
local label="$2"
local value="$3"
local note="$4"
case "$level" in
ok) echo -e " ${GREEN}[ok]${NC} ${label}: ${value}" ;;
warn) echo -e " ${YELLOW}[!] ${NC} ${label}: ${value} -- ${note}" ;;
bad) echo -e " ${RED}[x] ${NC} ${label}: ${value} -- ${note}" ;;
esac
}
_ssh_show_config_checks() {
local config="$1"
echo -e "${PURPLE}════════ Configuración sshd_config ════════════${NC}"
echo ""
local permit_root
permit_root="$(_ssh_get_value "$config" "PermitRootLogin")"
permit_root="${permit_root:-yes (por defecto)}"
_ssh_print_check "$(_ssh_eval_permit_root "$permit_root")" \
"PermitRootLogin" "$permit_root" "debería ser 'no' o 'prohibit-password'"
local pass_auth
pass_auth="$(_ssh_get_value "$config" "PasswordAuthentication")"
pass_auth="${pass_auth:-yes (por defecto)}"
_ssh_print_check "$(_ssh_eval_password_auth "$pass_auth")" \
"PasswordAuthentication" "$pass_auth" "debería ser 'no' (usar claves)"
local port
port="$(_ssh_get_value "$config" "Port")"
port="${port:-22 (por defecto)}"
if [[ "$port" == "22"* ]]; then
_ssh_print_check "warn" "Port" "$port" "considera cambiar el puerto 22"
else
_ssh_print_check "ok" "Port" "$port" ""
fi
local max_tries
max_tries="$(_ssh_get_value "$config" "MaxAuthTries")"
max_tries="${max_tries:-6 (por defecto)}"
_ssh_print_check "$(_ssh_eval_max_auth_tries "${max_tries%% *}")" \
"MaxAuthTries" "$max_tries" "recomendado <= 3"
local x11
x11="$(_ssh_get_value "$config" "X11Forwarding")"
x11="${x11:-no (por defecto)}"
_ssh_print_check "$(_ssh_eval_x11_forwarding "$x11")" \
"X11Forwarding" "$x11" "deshabilitar si no se usa"
local allow_users allow_groups
allow_users="$(_ssh_get_value "$config" "AllowUsers")"
allow_groups="$(_ssh_get_value "$config" "AllowGroups")"
if [[ -z "$allow_users" && -z "$allow_groups" ]]; then
_ssh_print_check "warn" "AllowUsers/AllowGroups" "(no definidos)" "considera restringir acceso por usuario o grupo"
else
[[ -n "$allow_users" ]] && _ssh_print_check "ok" "AllowUsers" "$allow_users" ""
[[ -n "$allow_groups" ]] && _ssh_print_check "ok" "AllowGroups" "$allow_groups" ""
fi
echo ""
}
_ssh_show_failed_logins() {
echo -e "${PURPLE}════════ Últimos intentos de login fallidos ════${NC}"
echo ""
if command -v journalctl &>/dev/null; then
journalctl -u ssh -u sshd --no-pager -q 2>/dev/null \
| grep -i "failed\|invalid\|error" | tail -10 \
| while IFS= read -r line; do echo -e " ${DIM_GRAY}${line}${NC}"; done || true
elif [[ -f /var/log/auth.log ]]; then
grep -i "failed\|invalid" /var/log/auth.log 2>/dev/null | tail -10 \
| while IFS= read -r line; do echo -e " ${DIM_GRAY}${line}${NC}"; done || true
else
info "No se encontró fuente de logs de autenticación"
fi
echo ""
}
_ssh_show_authorized_keys() {
echo -e "${PURPLE}════════ Claves autorizadas (~/.ssh) ═══════════${NC}"
echo ""
local auth_keys="$HOME/.ssh/authorized_keys"
if [[ -f "$auth_keys" ]]; then
local count
count="$(wc -l < "$auth_keys")"
info "${count} clave(s) en authorized_keys:"
while IFS= read -r line; do
[[ -z "$line" || "$line" == "#"* ]] && continue
local key_type key_comment
key_type="$(echo "$line" | awk '{print $1}')"
key_comment="$(echo "$line" | awk '{print $NF}')"
echo -e " ${GREEN}*${NC} ${key_type} -- ${key_comment}"
done < "$auth_keys"
else
info "No existe $auth_keys"
fi
echo ""
}
# ─── Punto de entrada ─────────────────────────────────────────────────────────
audit_ssh_config() {
local config_path="${1:-/etc/ssh/sshd_config}"
if [[ ! -f "$config_path" ]]; then
warning "audit_ssh_config: no se encontró $config_path -- ¿está instalado sshd?"
else
_ssh_show_config_checks "$config_path"
fi
_ssh_show_failed_logins
_ssh_show_authorized_keys
}
# Ejecutar si se llama directamente
if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
audit_ssh_config "$@"
fi
Reference in New Issue View Git Blame Copy Permalink