#!/bin/bash
#
# SSH "stability" tuning script.
#
# Backs up sshd_config, rewrites a fixed list of directives in place,
# validates the result with `sshd -t`, restarts the SSH service and prints
# a short summary.
#
# NOTE(review): despite the "stability" label, the directive list further
# down also sets authentication policy (PermitRootLogin yes,
# PasswordAuthentication yes, PermitUserEnvironment yes). Running this on a
# host that was hardened beforehand silently reverts those choices, so review
# the list against the host's access policy before use.
# NOTE(review): presumably has to run as root, since it edits files under
# /etc/ssh and restarts the service. The script itself does not check this.

# Abort on the first command that fails outside a condition.
set -o errexit

# File that is edited, and the timestamped copy taken before any edit.
SSHD_CONFIG="/etc/ssh/sshd_config"
BACKUP_FILE="${SSHD_CONFIG}.bak.$(date '+%Y%m%d_%H%M%S')"
# --- Banner, then step 1: keep a copy of the current config ---
printf '%s\n' \
  "==========================================" \
  "SSH Stability Optimization Script" \
  "=========================================="

# Guard clause: without the config file there is nothing to back up or edit.
if [ ! -f "$SSHD_CONFIG" ]; then
  echo "[ERROR] SSH config file not found: $SSHD_CONFIG"
  exit 1
fi

# The backup is what the later validation step restores from, so it must
# exist before any directive is touched.
echo "[1/5] Backing up SSH config to: $BACKUP_FILE"
cp "$SSHD_CONFIG" "$BACKUP_FILE"

echo "[2/5] Optimizing SSH configuration..."
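#######################################
# Set one sshd_config directive to a given value.
#
# If a line starting with the keyword (optionally commented out with a
# single leading '#') exists, every such line is rewritten to
# "<keyword> <value>"; otherwise the directive is appended to the file.
#
# Globals:   SSHD_CONFIG (read; the file is modified in place)
# Arguments: $1 - directive keyword, used verbatim inside a regex
#            $2 - value to set
# Outputs:   one status line on stdout
# Returns:   non-zero if sed or the append fails
#
# NOTE(review): the match is not Match-block aware. A directive inside a
# Match block is rewritten like any other line, and an appended directive
# lands inside the last Match block when the file ends with one.
#######################################
optimize_ssh_config() {
  local config_key="$1"
  local config_value="$2"
  local escaped_value

  if grep -qE "^#?${config_key}[[:space:]]" "$SSHD_CONFIG"; then
    # Escape '\', '&' and the '|' delimiter so the value is inserted
    # literally; an unescaped '&' would expand to the matched line.
    escaped_value=$(printf '%s' "$config_value" | sed -e 's/[\\&|]/\\&/g')
    sed -i "s|^#\{0,1\}${config_key}[[:space:]].*|${config_key} ${escaped_value}|" "$SSHD_CONFIG"
    echo " - Updated: ${config_key} ${config_value}"
  else
    # If the file does not end in a newline, add one first; otherwise the
    # new directive would be glued onto the existing last line.
    if [ -s "$SSHD_CONFIG" ] && [ -n "$(tail -c 1 "$SSHD_CONFIG")" ]; then
      printf '\n' >> "$SSHD_CONFIG"
    fi
    printf '%s %s\n' "$config_key" "$config_value" >> "$SSHD_CONFIG"
    echo " - Added: ${config_key} ${config_value}"
  fi
}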
# --- Directives applied in step 2 ---
# Each entry is "<keyword> <value>"; entries are applied top to bottom.
sshd_settings=(
  # NOTE(review): allows direct root login with every enabled method.
  # Together with "PasswordAuthentication yes" below, the root account can
  # be targeted by password guessing. "prohibit-password" keeps key-based
  # root access without that exposure.
  "PermitRootLogin yes"

  # Keepalive and connection handling.
  "ClientAliveInterval 300"
  "ClientAliveCountMax 3"
  "TCPKeepAlive yes"
  "LoginGraceTime 60"
  "MaxStartups 10:30:100"
  "UseDNS no"
  "GSSAPIAuthentication no"

  # NOTE(review): makes sshd honour ~/.ssh/environment and environment=
  # options in authorized_keys. sshd_config(5) notes this can let users
  # bypass access restrictions (for example via LD_PRELOAD). It is unrelated
  # to connection stability.
  "PermitUserEnvironment yes"

  # Sessions and authentication.
  "MaxSessions 10"
  "MaxAuthTries 6"
  "PubkeyAuthentication yes"
  # NOTE(review): re-enables password logins even where they were turned
  # off on purpose; confirm this matches the host's access policy.
  "PasswordAuthentication yes"

  # NOTE(review): recent OpenSSH releases treat "Protocol" as a deprecated
  # keyword (only protocol 2 remains); expect a warning rather than an effect.
  "Protocol 2"
  "LogLevel INFO"
  "PermitEmptyPasswords no"
  "X11Forwarding no"
  "AllowAgentForwarding yes"
  "AllowTcpForwarding yes"
)

# Split each entry at its first space into keyword and value.
for setting in "${sshd_settings[@]}"; do
  optimize_ssh_config "${setting%% *}" "${setting#* }"
done
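# --- Step 3: validate the edited file before touching the running service ---
echo "[3/5] Testing SSH configuration..."
# Capture the diagnostics instead of discarding them, so a failed test tells
# the operator which directive sshd rejected.
if sshd_test_output=$(sshd -t 2>&1); then
  echo " - Configuration test passed"
else
  echo " - [WARNING] Configuration test failed, restoring backup"
  printf '%s\n' "$sshd_test_output" >&2
  # Put the pre-change file back so a later restart or reboot does not pick
  # up a config that sshd refuses to load.
  cp "$BACKUP_FILE" "$SSHD_CONFIG"
  exit 1
fi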
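# --- Step 4: restart sshd and confirm it came back ---
# If the service does not come back, the backup is restored and one more
# restart is attempted, so the host is not left running without sshd on a
# config that was just changed.
echo "[4/5] Restarting SSH service..."
if command -v systemctl &> /dev/null && systemctl is-active sshd &> /dev/null; then
  # '|| true': under 'set -e' a failed restart would otherwise abort the
  # script right here, before the status check and rollback below.
  systemctl restart sshd || true
  sleep 2
  if systemctl is-active sshd &> /dev/null; then
    echo " - SSH service restarted successfully (systemctl)"
  else
    echo " - [ERROR] SSH service failed to restart"
    echo " - Restoring previous configuration from: $BACKUP_FILE"
    cp "$BACKUP_FILE" "$SSHD_CONFIG"
    systemctl restart sshd || true
    exit 1
  fi
elif command -v service &> /dev/null; then
  # NOTE(review): this branch assumes the service is called "ssh"; on
  # systems where it is "sshd" the restart fails and the rollback below runs.
  service ssh restart || true
  sleep 2
  # NOTE(review): 'pgrep -x sshd' can also match the per-connection sshd
  # processes of sessions that are already open, so a match does not prove
  # that the listening daemon is running.
  if pgrep -x "sshd" > /dev/null; then
    echo " - SSH service restarted successfully (service)"
  else
    echo " - [ERROR] SSH service failed to restart"
    echo " - Restoring previous configuration from: $BACKUP_FILE"
    cp "$BACKUP_FILE" "$SSHD_CONFIG"
    service ssh restart || true
    exit 1
  fi
else
  echo " - [WARNING] Could not restart SSH service automatically"
fi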
# --- Step 5: show the resulting values and closing hints ---
printf '%s\n' \
  "[5/5] Verifying optimization..." \
  "" \
  "Optimized SSH Configuration:" \
  "=========================================="

# NOTE(review): only six keepalive/connection directives are listed here.
# The authentication-related ones written earlier (PermitRootLogin,
# PasswordAuthentication, PermitUserEnvironment, ...) are not shown.
# '|| true' keeps 'set -e' from aborting when grep finds no matching line.
grep -E "^[^#]*(ClientAliveInterval|ClientAliveCountMax|TCPKeepAlive|LoginGraceTime|MaxStartups|UseDNS)" "$SSHD_CONFIG" || true

# Keep the current session open until a fresh login has been confirmed;
# the first recommended step below is that check.
printf '%s\n' \
  "" \
  "==========================================" \
  "SSH optimization completed successfully!" \
  "Backup file: $BACKUP_FILE" \
  "==========================================" \
  "" \
  "Recommended next steps:" \
  " 1. Test SSH connection: ssh -v user@localhost" \
  " 2. Monitor logs: tail -f /var/log/auth.log" \
  " 3. Verify keepalive: netstat -an | grep :22" \
  ""