From d11d0a5d7114b2809c99adbc90340fe046dbfccb Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 10:34:35 +0100 Subject: [PATCH 01/20] fix: Added newline at the end of the ssh banner Fixes the issue where erros would be shown inline with the last line of the banner. --- sshd/banner | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sshd/banner b/sshd/banner index ed0e0f3..baebf41 100644 --- a/sshd/banner +++ b/sshd/banner @@ -5,4 +5,4 @@ _/ |\__,_|_| |_| |_| .__/|_.__/ \___/_/\_\ |__/ |_| -|> https://github.com/willfantom/jumpbox <| \ No newline at end of file +|> https://github.com/willfantom/jumpbox <| From d8b8642d06974abfc5ee80b23ec26e7fef3317b9 Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 10:37:41 +0100 Subject: [PATCH 02/20] =?UTF-8?q?chore:=20Cleaned=20up=20entrypoint=20scri?= =?UTF-8?q?pt=20=F0=9F=A7=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- build/entrypoint.sh | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/build/entrypoint.sh b/build/entrypoint.sh index fa25b94..f67d4c2 100644 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -1,5 +1,10 @@ -#!/bin/ash -set -e +#!/usr/bin/env bash +set -o errexit +set -o nounset +set -o pipefail +if [[ "${TRACE-0}" == "1" ]]; then + set -o xtrace +fi echo "Setting up host keys..." hostkeys_dir=/etc/ssh/hostkeys.d @@ -17,10 +22,10 @@ echo "Setting up users..." keys_dir=/etc/ssh/keys.d mkdir -p ${keys_dir} echo "Creating users..." -jq -r 'keys_unsorted[]' ${keys_dir}/authorized_keys.json | while read u; do +jq -r 'keys_unsorted[]' ${keys_dir}/authorized_keys.json | while read -r u; do echo "Creating user ${u}" adduser -D -H -s /sbin/nologin "${u}" - sed -i s/${u}:!/"${u}:*"/g /etc/shadow + sed -i s/"${u}:!"/"${u}:*"/g /etc/shadow done echo "Creating sshd configuration..." 
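Review bot: The user name read from authorized_keys.json goes straight into a sed expression that rewrites /etc/shadow (`sed -i s/"${u}:!"/"${u}:*"/g /etc/shadow`), so a key whose name contains `/`, `.` or `*` either aborts the start under errexit or edits the wrong shadow entry; the quoting this commit adds fixes word-splitting but not that. sshd/authorized_keys.sh already defines the accepted username shape, and applying the same check here before `adduser` keeps both scripts in agreement: `regex="^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$"` then `[[ "${u}" =~ ${regex} ]] || { echo "invalid username: ${u}" >&2; exit 1; }` as the first lines of the loop body. Since the image installs the `shadow` package, `usermod -p '*' "${u}"` would also replace the sed edit of /etc/shadow with a tool made for it. The `while` loop closes with the `done` in this hunk, but the pipeline feeding it runs as a subshell, so nothing set inside it survives past `done`.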
@@ -29,8 +34,8 @@ mv /etc/ssh/sshd_config_envsubst /etc/ssh/sshd_config if [[ ${ENDLESSH_PORT} -ne "0" ]]; then echo "Running endlessh server..." - /usr/local/bin/endlessh -p ${ENDLESSH_PORT} -v & + /usr/local/bin/endlessh -p "${ENDLESSH_PORT}" -v & fi echo "Running SSH server..." -/usr/sbin/sshd -D -f /etc/ssh/sshd_config -e -p ${SSHD_PORT} +/usr/sbin/sshd -D -f /etc/ssh/sshd_config -e -p "${SSHD_PORT}" From 7009299b7f5b5292d5d9a7c55bf4088ff6cce5fe Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 10:39:04 +0100 Subject: [PATCH 03/20] =?UTF-8?q?chore:=20Cleaned=20up=20authorized=5Fkeys?= =?UTF-8?q?=20script=20=F0=9F=A7=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- sshd/authorized_keys.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/sshd/authorized_keys.sh b/sshd/authorized_keys.sh index 37f232e..3957afa 100755 --- a/sshd/authorized_keys.sh +++ b/sshd/authorized_keys.sh @@ -1,4 +1,10 @@ -#!/bin/ash +#!/usr/bin/env bash +set -o errexit +set -o nounset +set -o pipefail +if [[ "${TRACE-0}" == "1" ]]; then + set -o xtrace +fi # validate the username, sanitizing the lookup next regex="^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$" @@ -7,7 +13,7 @@ if [[ ! $1 =~ ${regex} ]]; then fi # find keys for given user -jq -r -c .${1}'[]' /etc/ssh/keys.d/authorized_keys.json | while read k; do +jq -r -c ."${1}"'[]' /etc/ssh/keys.d/authorized_keys.json | while read -r k; do echo "$k" exit 0 done From 2eb1abb5e7af37f52faa393563bcba9fd4b89d7a Mon Sep 17 00:00:00 2001 
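Review bot: The user name is spliced into the jq program as a bare identifier (`."${1}"'[]'`), and the regex above admits `-` in names, so a user such as `dev-ops` parses in jq as a subtraction, the lookup fails, and that user cannot log in even though the username check passed. Passing the name as data removes both the failure and any reliance on the regex for query safety: `jq -r -c --arg u "$1" '.[$u][]' /etc/ssh/keys.d/authorized_keys.json | while read -r k; do`. Separately, the `exit 0` after the first `echo "$k"` means only the first key listed for a user is ever offered to sshd; if that is intentional it deserves a comment, otherwise dropping the exit lets every key through (a missing user then surfaces as jq's non-zero status via pipefail, which sshd treats as no keys).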
From: Will Fantom Date: Sat, 1 Apr 2023 10:43:21 +0100 Subject: [PATCH 04/20] chore: Updated example for sshd port config Also updated the docs to reflect this. Using some upcoming features will require that the exposed port and the internal port are the same. --- .gitignore | 3 ++- README.md | 2 +- example/.env | 1 + example/docker-compose.yml | 4 ++-- 4 files changed, 6 insertions(+), 4 deletions(-) create mode 100644 example/.env diff --git a/.gitignore b/.gitignore index cd172d9..24d79fa 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ example/* -!example/authorized_keys.json +!example/.env +!example/docker-compose.yml diff --git a/README.md b/README.md index 40dd25b..b68b0a1 100644 --- a/README.md +++ b/README.md @@ -108,7 +108,7 @@ This is perhaps the best way to use Jumpbox, especially if it is for an organiza ## Configuration -- **SSH Server**: Configure the SSH server by modifying the [`sshd_config`](sshd/sshd_config) file. Included is a sensible default for a Jumpbox host as of November 2022. To modify the internal port used for the SSH server, make sure to use the `SSHD_PORT` environment variable. +- **SSH Server**: Configure the SSH server by modifying the [`sshd_config`](sshd/sshd_config) file. Included is a sensible default for a Jumpbox host as of November 2022. To modify the internal port used for the SSH server, make sure to use the `SSHD_PORT` environment variable. Also, always ensure that the internal SSH server port is the same as the exposed port. Having a port mapping where the internal and external ports are different will break some features. See the example docker-compose file for more on how to do this easily. - **Users & Keys**: Regardless of if you are using baked in keys or mounted, the format anc common issues are the same. See [here](./example/keys/README.md) for more. diff --git a/example/.env b/example/.env new file mode 100644 index 0000000..1701f75 --- /dev/null +++ b/example/.env 
@@ -0,0 +1 @@ +SSHD_PORT=2222 \ No newline at end of file diff --git a/example/docker-compose.yml b/example/docker-compose.yml index c998961..302b12c 100644 --- a/example/docker-compose.yml +++ b/example/docker-compose.yml @@ -6,12 +6,12 @@ services: image: ghcr.io/willfantom/jumpbox:latest ports: - 22:22/tcp - - 2222:2222/tcp + - ${SSHD_PORT}:${SSHD_PORT}/tcp volumes: - ./hostkeys:/etc/ssh/hostkeys.d # - ./keys:/etc/ssh/keys.d # Include to use mounted keys rather than the ones baked in environment: - - SSHD_PORT=2222 + - SSHD_PORT=${SSHD_PORT} - ENDLESSH_PORT=22 labels: - "com.centurylinklabs.watchtower.scope=sshjumpbox" From 371c92eb2fb4290bc418bd8c012728c5434cfe18 Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 10:59:27 +0100 Subject: [PATCH 05/20] fix: Write sshd logs to syslog --- sshd/sshd_config | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sshd/sshd_config b/sshd/sshd_config index 99ff163..c7c8173 100644 --- a/sshd/sshd_config +++ b/sshd/sshd_config @@ -33,3 +33,7 @@ ClientAliveCountMax 20 ClientAliveInterval 30 PrintMotd no Banner /etc/ssh/banner + +# Use Syslog +SyslogFacility DAEMON +LogLevel DEBUG3 From ff2f0310cb308fcb4c7f5a24cfad68c329507680 Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 11:00:16 +0100 Subject: [PATCH 06/20] feature: Add syslogger to the jumpbox docker image --- build/Dockerfile | 14 ++++++++++---- build/entrypoint.sh | 12 ++++++++++-- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 5284074..3657adb 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -6,13 +6,18 @@ ARG ENDLESSH_VERSION=1.1 RUN git clone -b ${ENDLESSH_VERSION} https://github.com/skeeto/endlessh . RUN make + FROM alpine:3.17 -RUN apk add --no-cache curl \ +RUN apk add --no-cache --progress --quiet \ + bash \ + curl \ gettext \ jq \ openssh-server \ - shadow + shadow \ + syslog-ng \ + tzdata COPY --from=endlessh-builder /src/endlessh /usr/local/bin/endlessh 
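Review bot: `${SSHD_PORT}:${SSHD_PORT}/tcp` and `SSHD_PORT=${SSHD_PORT}` carry no default or required marker, so when example/.env is absent or the variable is unset Compose substitutes an empty string and the port line becomes `:/tcp`, which fails with an unhelpful parse error. Compose supports the shell-style forms, so `${SSHD_PORT:?SSHD_PORT must be set}` (or `${SSHD_PORT:-2222}` to fall back to the documented default) fails early with a clear message. The README change in this same patch says internal and external ports must match; the single-variable mapping guarantees that, and the guard keeps it from degrading silently.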
@@ -27,7 +32,8 @@ COPY sshd/sshd_config /etc/ssh/sshd_config_template COPY keys/authorized_keys.json /etc/ssh/keys.d/authorized_keys.json RUN chown nobody:nogroup /etc/ssh/keys.d/authorized_keys.json -ENV SSHD_PORT 2222 -ENV ENDLESSH_PORT 22 +ENV TZ=Europe/London +ENV SSHD_PORT=2222 +ENV ENDLESSH_PORT=22 ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ] diff --git a/build/entrypoint.sh b/build/entrypoint.sh index f67d4c2..8a9bacc 100644 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -6,6 +6,11 @@ if [[ "${TRACE-0}" == "1" ]]; then set -o xtrace fi +echo "Setting timezone..." +TZ=${TZ:-UTC} +ln -snf "/usr/share/zoneinfo/${TZ}" /etc/localtime +echo "${TZ}" > /etc/timezone + echo "Setting up host keys..." hostkeys_dir=/etc/ssh/hostkeys.d mkdir -p ${hostkeys_dir} @@ -32,10 +37,13 @@ echo "Creating sshd configuration..." envsubst < /etc/ssh/sshd_config_template > /etc/ssh/sshd_config_envsubst mv /etc/ssh/sshd_config_envsubst /etc/ssh/sshd_config -if [[ ${ENDLESSH_PORT} -ne "0" ]]; then +echo "Running syslog..." +syslog-ng + +if [[ "${ENDLESSH_PORT}" -ne "0" ]]; then echo "Running endlessh server..." /usr/local/bin/endlessh -p "${ENDLESSH_PORT}" -v & fi echo "Running SSH server..." -/usr/sbin/sshd -D -f /etc/ssh/sshd_config -e -p "${SSHD_PORT}" +/usr/sbin/sshd -D -f /etc/ssh/sshd_config -p "${SSHD_PORT}" From 1ac96438d7122dbeafb7e7e4f72412dbef8aadad Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 11:01:46 +0100 Subject: [PATCH 07/20] feature: Added fail2ban docker image --- build/fail2ban.Dockerfile | 22 ++++++++++++++++++++++ build/fail2ban.entrypoint.sh | 18 ++++++++++++++++++ fail2ban/sshd.conf | 15 +++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 build/fail2ban.Dockerfile create mode 100644 build/fail2ban.entrypoint.sh create mode 100644 fail2ban/sshd.conf diff --git a/build/fail2ban.Dockerfile b/build/fail2ban.Dockerfile new file mode 100644 index 0000000..e3e3227 --- /dev/null +++ b/build/fail2ban.Dockerfile 
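Review bot: `ln -snf "/usr/share/zoneinfo/${TZ}" /etc/localtime` succeeds even when no such zoneinfo file exists, leaving a dangling symlink, a /etc/timezone that claims one zone, and log timestamps in another; that matters here because the fail2ban container in later patches presumably compares those timestamps against its own clock. A one-line guard before the link turns a typo in TZ into a failed start: `[[ -f "/usr/share/zoneinfo/${TZ}" ]] || { echo "Unknown timezone: ${TZ}" >&2; exit 1; }`. The same four timezone lines are duplicated verbatim in build/fail2ban.entrypoint.sh (patch 07) and want the same check.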
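Review bot: sshd is started as a child of the bash entrypoint rather than replacing it, so bash remains PID 1 and, as PID 1, does not forward SIGTERM; `docker stop` therefore waits out the grace period and SIGKILLs the container, and sshd never gets a clean shutdown. Changing the last line to `exec /usr/sbin/sshd -D -f /etc/ssh/sshd_config -p "${SSHD_PORT}"` fixes that, and the backgrounded endlessh is simply inherited by the exec'd process. Dropping `-e` in the same line means `docker logs` no longer shows sshd output at all; that is a reasonable trade for the syslog file fail2ban needs, but it should be stated in the README, and since `syslog-ng` appears to daemonize (the script continues past it) there is no guarantee it is accepting messages before sshd's first log line.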
@@ -0,0 +1,22 @@ +FROM alpine:3.17 + +RUN apk add --no-cache --progress --quiet \ + bash \ + fail2ban \ + ipset \ + iptables \ + ip6tables \ + kmod \ + nftables \ + tzdata + +RUN rm -r /etc/fail2ban/jail.d/* +COPY fail2ban/sshd.conf /etc/fail2ban/jail.d/sshd.conf + +COPY build/fail2ban.entrypoint.sh /usr/local/bin/entrypoint.sh +RUN chmod +x /usr/local/bin/entrypoint.sh + +ENV TZ=Europe/London +ENV SSHD_PORT=2222 + +ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ] diff --git a/build/fail2ban.entrypoint.sh b/build/fail2ban.entrypoint.sh new file mode 100644 index 0000000..ca0f3f7 --- /dev/null +++ b/build/fail2ban.entrypoint.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash +set -o errexit +set -o nounset +set -o pipefail +if [[ "${TRACE-0}" == "1" ]]; then + set -o xtrace +fi + +echo "Setting timezone..." +TZ=${TZ:-UTC} +ln -snf "/usr/share/zoneinfo/${TZ}" /etc/localtime +echo "${TZ}" > /etc/timezone + +echo "Configuring fail2ban..." +sed -i "s/port = ssh/port = ${SSHD_PORT}/g" /etc/fail2ban/jail.d/sshd.conf + +echo "Running fail2ban..." +fail2ban-server -x -v -f start diff --git a/fail2ban/sshd.conf b/fail2ban/sshd.conf new file mode 100644 index 0000000..6baefdb --- /dev/null +++ b/fail2ban/sshd.conf @@ -0,0 +1,15 @@ +[sshd] +enabled = true +filter = alpine-sshd +logpath = /var/log/messages +maxretry = 10 +chain = INPUT +port = ssh + +[sshd-ddos] +enabled = true +filter = alpine-sshd-ddos +logpath = /var/log/messages +maxretry = 10 +chain = INPUT +port = ssh From d1fda44eb3ef1ce3b236954df74ddaaa89182ffd Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 11:02:07 +0100 Subject: [PATCH 08/20] chore: Updated name of the release workflow --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c7d6903..7b9e648 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
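Review bot: SSHD_PORT is substituted straight into a sed replacement (`sed -i "s/port = ssh/port = ${SSHD_PORT}/g" ...`) with no check that it is a port number, so a value containing `/` or `&` rewrites the jail file into something fail2ban rejects, with no clear error pointing at the cause. A check right after the strict-mode block makes it explicit: `[[ "${SSHD_PORT}" =~ ^[0-9]{1,5}$ ]] || { echo "SSHD_PORT must be numeric: ${SSHD_PORT}" >&2; exit 1; }`. Note the sed is only effective while the file still reads `port = ssh`: a container that is restarted rather than recreated after SSHD_PORT changed keeps the old port, which a comment on that line should say. As with build/entrypoint.sh, `exec fail2ban-server -x -v -f start` would let the daemon receive the container's SIGTERM directly instead of leaving bash as PID 1.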
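Review bot: Neither jail sets `ignoreip`, and because the jumpbox publishes its port through Docker, sshd may log the bridge gateway address rather than the real client for some connections (the userland proxy path, typically IPv6 or localhost clients); a ban on that address would then block every client at once. Adding a `[DEFAULT]` section with at least `ignoreip = 127.0.0.1/8 ::1` plus the docker bridge range in use is the usual defence, and it also gives a home to the `logpath`, `maxretry` and `chain` values that are currently copied verbatim into both jails. `bantime` and `findtime` are left at fail2ban's defaults, which is fine but worth stating in a comment so operators know where to tune them.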
@@ -1,4 +1,4 @@ -name: Release +name: Release Jumpbox on: workflow_dispatch: From 842f8337c19eebf1ce1865437356379e22d584f9 Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 11:05:56 +0100 Subject: [PATCH 09/20] =?UTF-8?q?feature:=20Added=20fail2ban=20image=20rel?= =?UTF-8?q?ease=20workflow=20=F0=9F=9A=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/fail2ban.yml | 54 ++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/fail2ban.yml diff --git a/.github/workflows/fail2ban.yml b/.github/workflows/fail2ban.yml new file mode 100644 index 0000000..efb6834 --- /dev/null +++ b/.github/workflows/fail2ban.yml 
@@ -0,0 +1,54 @@ +name: Release Fail2Ban + +on: + workflow_dispatch: + schedule: + - cron: "0 2 1 * *" + push: + tags: + - "v*" + +jobs: + docker-release: + name: Fail2Ban Docker Release + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Setup QEMU + uses: docker/setup-qemu-action@v2 + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@v2 + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Container Metadata + id: metadata + uses: docker/metadata-action@v4 + with: + images: | + ghcr.io/${{ github.repository_owner }}/jumpbox-fail2ban + flavor: | + latest=false + prefix= + suffix= + tags: | + type=raw,value=latest,enable={{is_default_branch}} + type=ref,event=branch + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + - name: Build and Push Container + uses: docker/build-push-action@v3 + with: + context: . + file: build/fail2ban.Dockerfile + push: true + platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6,linux/arm/v7 + tags: ${{ steps.metadata.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max From b33e827a4ec8383283775dff0233f4a821b6ea27 Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 11:07:26 +0100 Subject: [PATCH 10/20] chore: Updated compose example for fail2ban --- example/.env | 4 +++- example/docker-compose.yml | 28 ++++++++++++++++++++++++---- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/example/.env b/example/.env index 1701f75..de5a862 100644 --- a/example/.env +++ b/example/.env @@ -1 +1,3 @@ -SSHD_PORT=2222 \ No newline at end of file +SSHD_PORT=2222 +ENDLESSH_PORT=22 +TZ=Europe/London diff --git a/example/docker-compose.yml b/example/docker-compose.yml index 302b12c..70f2399 100644 
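Review bot: The workflow declares no `permissions:` block, so the GITHUB_TOKEN handed to `docker/login-action` carries whatever the repository default grants rather than the `packages: write` this push actually needs; declaring it under the `docker-release:` job makes the grant both visible and minimal: `permissions:` / `  contents: read` / `  packages: write`. The actions are referenced by mutable major tags (`@v3`, `@v2`, `@v4`); pinning each to a full commit SHA with the tag in a trailing comment makes a release pipeline that pushes `latest` tamper-evident, and dependabot (patch 19 shows it is active) can still bump pinned SHAs. The monthly cron republishes `latest` from whatever the default branch holds at the time, which deserves a line in the README so users of the example compose file know the image can change underneath them.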
--- a/example/docker-compose.yml +++ b/example/docker-compose.yml @@ -4,26 +4,46 @@ services: jumpbox: container_name: jumpbox image: ghcr.io/willfantom/jumpbox:latest + restart: unless-stopped ports: - - 22:22/tcp + - ${ENDLESSH_PORT}:${ENDLESSH_PORT}/tcp - ${SSHD_PORT}:${SSHD_PORT}/tcp volumes: - ./hostkeys:/etc/ssh/hostkeys.d + - ./logs:/var/log:rw # - ./keys:/etc/ssh/keys.d # Include to use mounted keys rather than the ones baked in environment: + - TZ=${TZ} - SSHD_PORT=${SSHD_PORT} - - ENDLESSH_PORT=22 + - ENDLESSH_PORT=${ENDLESSH_PORT} labels: - "com.centurylinklabs.watchtower.scope=sshjumpbox" - "com.centurylinklabs.watchtower.enable=true" - # Required for auto-pulling updated images from github watchtower: - container_name: watchtower + container_name: jumpbox_watchtower image: containrrr/watchtower + restart: unless-stopped volumes: - /var/run/docker.sock:/var/run/docker.sock command: --interval 30 --scope sshjumpbox labels: - "com.centurylinklabs.watchtower.scope=sshjumpbox" - "com.centurylinklabs.watchtower.enable=false" + + fail2ban: + container_name: jumpbox_fail2ban + image: ghcr.io/willfantom/jumpbox-fail2ban:latest + restart: unless-stopped + cap_add: + - NET_ADMIN + - NET_RAW + network_mode: host + volumes: + - ./logs:/var/log:rw + environment: + - TZ=${TZ} + - SSHD_PORT=${SSHD_PORT} + labels: + - "com.centurylinklabs.watchtower.scope=sshjumpbox" + - "com.centurylinklabs.watchtower.enable=true" From 28bc12961665c40049921bb66e93e610e154592a Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 11:19:44 +0100 Subject: [PATCH 11/20] fix: Apply f2b rules on the DOCKER-USER chain --- fail2ban/sshd.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fail2ban/sshd.conf b/fail2ban/sshd.conf index 6baefdb..049b05b 100644 --- a/fail2ban/sshd.conf +++ b/fail2ban/sshd.conf @@ -3,7 +3,7 @@ enabled = true filter = alpine-sshd logpath = /var/log/messages maxretry = 10 -chain = INPUT +chain = DOCKER-USER port = ssh [sshd-ddos] 
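Review bot: The fail2ban service mounts `./logs:/var/log:rw` although it only needs to read what the jumpbox writes there; `:ro` narrows what a misbehaving or compromised fail2ban process can alter, which matters given the host network plus NET_ADMIN/NET_RAW it already holds — unless fail2ban-server itself logs into /var/log, which the configuration shown so far does not establish. The entrypoint skips endlessh when `ENDLESSH_PORT` is `0`, yet `${ENDLESSH_PORT}:${ENDLESSH_PORT}/tcp` would then try to publish port 0; a comment on that mapping telling users to remove the line when disabling endlessh avoids a confusing compose error. A short comment above the fail2ban service explaining why host networking is required (bans must land in the host's netfilter, not the container's) would save the next reader from wondering whether it can be dropped.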
@@ -11,5 +11,5 @@ enabled = true filter = alpine-sshd-ddos logpath = /var/log/messages maxretry = 10 -chain = INPUT +chain = DOCKER-USER port = ssh From 9caddb9eaa0a024212ba3b91d826b6adac2cb3fb Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 11:21:35 +0100 Subject: [PATCH 12/20] fix: Added delay between server start and audit --- .github/workflows/audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index ad179b2..efccb8b 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -31,7 +31,7 @@ jobs: cache-to: type=gha,mode=max - name: Run Test Container run: | - docker run --rm -d -e SSHD_PORT=2222 -p 2222:2222 --name jumpbox jumpbox:policy-test + docker run --rm -d -e SSHD_PORT=2222 -p 2222:2222 --name jumpbox jumpbox:policy-test && sleep 10 - name: Setup Python uses: actions/setup-python@v4 with: From de0c1fbf52a1ba0a1516e2139290530048f6ed6d Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 13:15:14 +0100 Subject: [PATCH 13/20] refactor: Switch from syslog-ng to rsyslog --- build/Dockerfile | 2 +- build/entrypoint.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 3657adb..a642b6c 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -15,8 +15,8 @@ RUN apk add --no-cache --progress --quiet \ gettext \ jq \ openssh-server \ + rsyslog \ shadow \ - syslog-ng \ tzdata COPY --from=endlessh-builder /src/endlessh /usr/local/bin/endlessh diff --git a/build/entrypoint.sh b/build/entrypoint.sh index 8a9bacc..66d9012 100644 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -38,7 +38,7 @@ envsubst < /etc/ssh/sshd_config_template > /etc/ssh/sshd_config_envsubst mv /etc/ssh/sshd_config_envsubst /etc/ssh/sshd_config echo "Running syslog..." -syslog-ng +rsyslogd if [[ "${ENDLESSH_PORT}" -ne "0" ]]; then echo "Running endlessh server..." 
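Review bot: `&& sleep 10` is a fixed delay, so the audit is slower than needed on a fast runner and still racy on a slow one (the image is built in the preceding step, so a cold-cache run can take a while to reach sshd). Polling until the port answers is bounded and explicit: `timeout 60 bash -c 'until ssh-keyscan -T 2 -p 2222 127.0.0.1 >/dev/null 2>&1; do sleep 1; done'`, with ssh-keyscan coming from the openssh client already present on ubuntu-latest. Putting the wait in its own step also keeps the `docker run` exit status from being chained behind `&&`, so a failed container start is reported as such rather than as an audit timeout.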
From cbcc114e3caab26449ca2640dfd7e031949507d5 Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 13:18:51 +0100 Subject: [PATCH 14/20] fix: Configure rsyslog before running --- build/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build/Dockerfile b/build/Dockerfile index a642b6c..fc199d2 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -19,6 +19,8 @@ RUN apk add --no-cache --progress --quiet \ shadow \ tzdata +RUN sed -i '/imklog/s/^/#/' /etc/rsyslog.conf + COPY --from=endlessh-builder /src/endlessh /usr/local/bin/endlessh COPY sshd/authorized_keys.sh /etc/ssh/authorized_keys.sh From 5695d781aea351a3169ecd4f3e297e0b0e68a38f Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 13:25:47 +0100 Subject: [PATCH 15/20] fix: Force correct perms for generated host keys --- build/entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/build/entrypoint.sh b/build/entrypoint.sh index 66d9012..6789654 100644 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -20,6 +20,7 @@ for t in ed25519 rsa-sha2-256 rsa-sha2-512; do echo "Generating ${t} host key" rm -f "${file_name}" "${file_name}.pub" ssh-keygen -t $t -h -q -N "" -C "" -f "$file_name" + chmod 0600 "${file_name}" fi done From 34e20993dda6552d38fa4125d681f31895af6132 Mon Sep 17 00:00:00 2001 From: Will Fantom Date: Sat, 1 Apr 2023 13:31:20 +0100 Subject: [PATCH 16/20] fix: Reduced logging level to respect privacy --- sshd/sshd_config | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sshd/sshd_config b/sshd/sshd_config index c7c8173..ce61910 100644 --- a/sshd/sshd_config +++ b/sshd/sshd_config @@ -35,5 +35,4 @@ PrintMotd no Banner /etc/ssh/banner # Use Syslog -SyslogFacility DAEMON -LogLevel DEBUG3 +SyslogFacility AUTH From 2e90e7e1e4b35d15f404ae1186b8caecb34b0339 Mon Sep 17 00:00:00 2001 
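Review bot: `sed -i '/imklog/s/^/#/' /etc/rsyslog.conf` edits the packaged default config in place, which is fragile: a later package revision (the Alpine base is bumped in patch 20) that renames or drops the line leaves sed silently matching nothing, and the rest of the default directives, not visible here, are outside the repository's control even though fail2ban's `logpath` depends on whatever rule writes /var/log/messages. Shipping a minimal rsyslog.conf of your own and `COPY`ing it over /etc/rsyslog.conf makes the logging pipeline explicit and reviewable. If the sed is kept, a preceding `grep -q imklog /etc/rsyslog.conf` turns a vanished line into a build failure instead of a runtime surprise.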
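Review bot: The new `chmod 0600 "${file_name}"` sits inside the generation branch, so it only touches keys created on this run; keys already present in the mounted hostkeys volume (the normal case after the first start) keep whatever mode the host gave them, and sshd rejects a host key file that is group- or world-readable. Moving the chmod after the `fi`, together with `chmod 0644 "${file_name}.pub"`, covers both the generated and the pre-existing path. ssh-keygen already writes the private key with mode 0600, so as placed the line is presumably a no-op unless the volume's filesystem ignores the requested mode, which the commit message hints at but does not say. The enclosing `for t in ...` loop begins above the hunk.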
From: Will Fantom Date: Sat, 1 Apr 2023 13:32:02 +0100 Subject: [PATCH 17/20] docs: Added Fail2ban info to README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index b68b0a1..276ea53 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,8 @@ Whilst the objective of this project was to keep things simple (a large motivato - **Policy**: To ensure the SSH server being deployed is hardened as desired, you can use [`ssh-audit`](https://github.com/jtesta/ssh-audit), a tool that can check if an SSH server meets a given configuration security policy. Included is a good starting policy for an SSH server using OpenSSH 9, ensuring all and only the recommended key types (Host, Kex, Macs) are supported. +- **Fail2Ban**: Writes logs to a file via a syslog server, in turn allowing [Fail2Ban](https://www.fail2ban.org/wiki/index.php/Main_Page) to block malicious connections. As Fail2Ban is expected to exist outside the jumpbox container (either on the host system or in a different container), the jumpbox itself needs no extra permissions to support this. See the example [docker-compose](./example/docker-compose.yml) for a way to set this up. + - **Actions**: The dockerized jumpbox here, along with [`watchtower`](https://containrrr.dev/watchtower/) can create an SSH server managed by GitHub Actions. Provided the SSH users and keys are [baked in](#full-usage), the Release workflow provided with this repository will: - Validate the `authorized_keys` JSON file - Ensure all provided users are valid usernames From 24ad1d078b14def1f4d52af72acd3c42fe841d41 Mon Sep 17 00:00:00 2001 
From: Will Fantom Date: Sat, 1 Apr 2023 17:29:47 +0100 Subject: [PATCH 18/20] fix: Support nftables with fail2ban --- build/fail2ban.Dockerfile | 6 ++++-- fail2ban/action.d/nftables-common.local | 3 +++ fail2ban/jail.d/default.conf | 2 ++ fail2ban/{ => jail.d}/sshd.conf | 0 4 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 fail2ban/action.d/nftables-common.local create mode 100644 fail2ban/jail.d/default.conf rename fail2ban/{ => jail.d}/sshd.conf (100%) diff --git a/build/fail2ban.Dockerfile b/build/fail2ban.Dockerfile index e3e3227..c6f8eed 100644 --- a/build/fail2ban.Dockerfile +++ b/build/fail2ban.Dockerfile @@ -10,8 +10,10 @@ RUN apk add --no-cache --progress --quiet \ nftables \ tzdata -RUN rm -r /etc/fail2ban/jail.d/* -COPY fail2ban/sshd.conf /etc/fail2ban/jail.d/sshd.conf +RUN rm -r /etc/fail2ban/jail.d/* && \ + rm -rf /etc/fail2ban/action.d/nftables-common.local +COPY fail2ban/jail.d/* /etc/fail2ban/jail.d/ +COPY fail2ban/action.d/nftables-common.local /etc/fail2ban/action.d/nftables-common.local COPY build/fail2ban.entrypoint.sh /usr/local/bin/entrypoint.sh RUN chmod +x /usr/local/bin/entrypoint.sh diff --git a/fail2ban/action.d/nftables-common.local b/fail2ban/action.d/nftables-common.local new file mode 100644 index 0000000..daf6c62 --- /dev/null +++ b/fail2ban/action.d/nftables-common.local @@ -0,0 +1,3 @@ +[Init] +table = f2b-table-docker +chain_hook = forward diff --git a/fail2ban/jail.d/default.conf b/fail2ban/jail.d/default.conf new file mode 100644 index 0000000..74cf886 --- /dev/null +++ b/fail2ban/jail.d/default.conf @@ -0,0 +1,2 @@ +[DEFAULT] +banaction = nftables[type=multiport] diff --git a/fail2ban/sshd.conf b/fail2ban/jail.d/sshd.conf similarity index 100% rename from fail2ban/sshd.conf rename to fail2ban/jail.d/sshd.conf From 9ac0d3352a065d0399982867146958d28da73162 Mon Sep 17 00:00:00 2001 
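Review bot: `chain_hook = forward` in a dedicated `f2b-table-docker` is the right hook for traffic DNATed to a bridged container, but the jail files still carry `chain = DOCKER-USER` from patch 11; under the nftables action that value is, as far as I can tell, used as the name of the chain fail2ban creates in its own table rather than a reference to Docker's iptables chain, so the name now misleads and should be dropped or renamed to something like `chain = f2b-docker`. With the banaction switched to nftables, the `iptables`, `ip6tables` and `ipset` packages in fail2ban.Dockerfile appear unused and could be removed to shrink the image and its attack surface. A one-line comment in nftables-common.local stating why the forward hook is needed (published ports reach a bridged container via forward, never input) would save the next reader the investigation.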
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Apr 2023 09:02:50 +0000 Subject: [PATCH 19/20] chore: Bump docker/build-push-action from 3 to 4 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3 to 4. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/fail2ban.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fail2ban.yml b/.github/workflows/fail2ban.yml index efb6834..5fd2c27 100644 --- a/.github/workflows/fail2ban.yml +++ b/.github/workflows/fail2ban.yml @@ -42,7 +42,7 @@ jobs: type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} - name: Build and Push Container - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v4 with: context: . file: build/fail2ban.Dockerfile From 40a7b5c700ae33e9505947eafd6319b1dd224ab7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 May 2023 09:00:23 +0000 Subject: [PATCH 20/20] chore: Bump alpine from 3.17 to 3.18 in /build Bumps alpine from 3.17 to 3.18. --- updated-dependencies: - dependency-name: alpine dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- build/Dockerfile | 4 ++-- build/fail2ban.Dockerfile | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index fc199d2..532e42d 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.17 as endlessh-builder +FROM alpine:3.18 as endlessh-builder RUN apk add --no-cache build-base git WORKDIR /src 
@@ -7,7 +7,7 @@ RUN git clone -b ${ENDLESSH_VERSION} https://github.com/skeeto/endlessh . RUN make -FROM alpine:3.17 +FROM alpine:3.18 RUN apk add --no-cache --progress --quiet \ bash \ diff --git a/build/fail2ban.Dockerfile b/build/fail2ban.Dockerfile index c6f8eed..3146f57 100644 --- a/build/fail2ban.Dockerfile +++ b/build/fail2ban.Dockerfile @@ -1,4 +1,4 @@ -FROM alpine:3.17 +FROM alpine:3.18 RUN apk add --no-cache --progress --quiet \ bash \