
Custom settings for SSH connections (IPv4 + IPv6 + allowed IPs) #41

Closed
Bronislawsky opened this issue May 15, 2020 · 4 comments

@Bronislawsky

I am still too inexperienced to fork and submit work. I have a few code suggestions:

  • Possibility to enable / disable SSH_PORT on IPv4 and/or IPv6
  • Possibility to restrict which IPs are allowed to SSH / SFTP
  • Letting ufw generate user.rules and user6.rules by itself to prevent faulty rules

The code seems to work fine, though a review is highly recommended.

ss-config

SSH_ALLOW_IPV4="true"
SSH_ALLOW_IPV6="false"

SSH_IPV4_LIST=""
SSH_IPV6_LIST=""

ss-install

####################################################################################################
#### SS-Install: Configure UFW Firewall + Set UFW Rules ############################################
####################################################################################################

## delete tmp files ##
rm -f /tmp/ufw*
rm -f /tmp/user*

## install ufw (-y so the script does not stall on an apt prompt) ##
apt install -y ufw

## disable ufw while the rules are rewritten so a half-applied rule set is never live ##
ufw --force disable

## getting rid of possible faulty rules (ufw regenerates these files as rules are added) ##
echo '' > /etc/ufw/user.rules
echo '' > /etc/ufw/user6.rules

## deny all incoming ##
ufw default deny incoming

## allow all outgoing ##
ufw default allow outgoing

## allow http ##
ufw allow http

## allow https ##
ufw allow https

## SSH over IPv4: the whole v4 space when SSH_IPV4_LIST is empty, otherwise only the listed addresses/CIDRs ##
if [[ "${SSH_ALLOW_IPV4}" == "true" ]]; then
  if [[ -z "${SSH_IPV4_LIST}" ]]; then
    ufw allow proto tcp to 0.0.0.0/0 port "${SSH_PORT}"
  else
    ## SSH_IPV4_LIST is whitespace-separated; proto tcp keeps the rule to SSH only (no udp) ##
    for sship in ${SSH_IPV4_LIST}; do
      ufw allow proto tcp from "${sship}" to any port "${SSH_PORT}"
    done
  fi
fi

## SSH over IPv6: same logic with SSH_IPV6_LIST ##
if [[ "${SSH_ALLOW_IPV6}" == "true" ]]; then
  if [[ -z "${SSH_IPV6_LIST}" ]]; then
    ufw allow proto tcp from ::/0 to any port "${SSH_PORT}"
  else
    for sship in ${SSH_IPV6_LIST}; do
      ufw allow proto tcp from "${sship}" to any port "${SSH_PORT}"
    done
  fi
fi

## retrieve latest versions ##
wget -O /tmp/ufw http://mirrors.slickstack.io/ufw-firewall/ufw.txt
wget -O /tmp/ufw.conf http://mirrors.slickstack.io/ufw-firewall/ufw-conf.txt

## copy files to their destinations ##
cp /tmp/ufw /etc/default/ufw
cp /tmp/ufw.conf /etc/ufw/ufw.conf

## reset permissions ##
chown root:root /etc/default/ufw
chown root:root /etc/ufw/ufw.conf
chmod 0664 /etc/default/ufw
chmod 0664 /etc/ufw/ufw.conf

## delete tmp files ##
rm -f /tmp/ufw*
rm -f /tmp/user*

## restart ufw ##
service ufw restart
ufw --force reload
ufw --force enable

ss-update

####################################################################################################
#### SS-Update: Configure UFW Firewall + Set UFW Rules (In Case Apt Overwrites UFW Files) ##########
####################################################################################################

## at least one case reported where ss-update resulted in UFW config being overwritten ##
## therefore we include this reinstallation of UFW to ensure no port lockouts ##

## delete tmp files ##
rm -f /tmp/ufw*
rm -f /tmp/user*

## install UFW firewall (-y so the script does not stall on an apt prompt) ##
apt install -y ufw

## getting rid of possible faulty rules (ufw regenerates these files as rules are added) ##
echo '' > /etc/ufw/user.rules
echo '' > /etc/ufw/user6.rules

## deny all incoming ##
ufw default deny incoming

## allow all outgoing ##
ufw default allow outgoing

## allow http ##
ufw allow http

## allow https ##
ufw allow https

## SSH over IPv4: the whole v4 space when SSH_IPV4_LIST is empty, otherwise only the listed addresses/CIDRs ##
if [[ "${SSH_ALLOW_IPV4}" == "true" ]]; then
  if [[ -z "${SSH_IPV4_LIST}" ]]; then
    ufw allow proto tcp to 0.0.0.0/0 port "${SSH_PORT}"
  else
    ## SSH_IPV4_LIST is whitespace-separated; proto tcp keeps the rule to SSH only (no udp) ##
    for sship in ${SSH_IPV4_LIST}; do
      ufw allow proto tcp from "${sship}" to any port "${SSH_PORT}"
    done
  fi
fi

## SSH over IPv6: same logic with SSH_IPV6_LIST ##
if [[ "${SSH_ALLOW_IPV6}" == "true" ]]; then
  if [[ -z "${SSH_IPV6_LIST}" ]]; then
    ufw allow proto tcp from ::/0 to any port "${SSH_PORT}"
  else
    for sship in ${SSH_IPV6_LIST}; do
      ufw allow proto tcp from "${sship}" to any port "${SSH_PORT}"
    done
  fi
fi

## retrieve latest versions ##
wget -O /tmp/ufw http://mirrors.slickstack.io/ufw-firewall/ufw.txt
wget -O /tmp/ufw.conf http://mirrors.slickstack.io/ufw-firewall/ufw-conf.txt

## copy files to their destinations ##
cp /tmp/ufw /etc/default/ufw
cp /tmp/ufw.conf /etc/ufw/ufw.conf

## reset permissions ##
chown root:root /etc/default/ufw
chown root:root /etc/ufw/ufw.conf
chmod 0664 /etc/default/ufw
chmod 0664 /etc/ufw/ufw.conf

## delete tmp files ##
rm -f /tmp/ufw*
rm -f /tmp/user*

## restart ufw ##
service ufw restart
ufw --force reload
ufw --force enable

@jessuppi
Member

Embracing the "decisions, not options" mantra, we've tried to avoid having too many options, esp. as related to logging and networking, to establish certain norms. I'm not sure I'd support allowing too many SSH config customizations, to ensure stability, esp. when IPv4 is much better/faster when it comes to dealing with SSH performance.

I think SlickStack can attract a lot of power users who have dabbled in Bash but are mostly frontend designers and developers if we keep certain settings hardcoded.

That said, I'll keep this issue open. Again, please use clear Issue topics; you have mixed together several different topics here, which makes it difficult to address (and for others to find). All the UFW-related stuff should probably be in the existing topic, or perhaps a new topic.

@jessuppi jessuppi changed the title Code Suggestion for ss-install, ss-update and ss-config Custom settings for SSH (IPv4 + IPv6 + allowed IPs) May 16, 2020
@jessuppi
Member

Sorry, I see what you mean re: UFW integrating a possible "allowed IPs" list for SSH port now, but I think this would probably introduce tons of confusion to typical users and possible conflicts with accessing servers after they have run the ss-install the first time.

@jessuppi
Member

Perhaps in the meanwhile, we need a failsafe for super cheap VMs that don't support IPv4:

## allow IPv6 SSH sessions (any) if no IPv4 address is detected on the server ##

https://github.com/littlebizzy/slickstack/blob/master/ss-install.txt#L184

Not active yet, needs some research and testing...

@jessuppi
Member

jessuppi commented Aug 2, 2022

You can ignore some of my previous responses, here are some updates to these requests:

SSH is going to remain IPv4-only for now in SlickStack for performance and stability reasons... perhaps this feature can be addressed in the future with a new GitHub Issue.

Port 22
AddressFamily inet
ListenAddress 0.0.0.0
# ListenAddress ::

Ref: https://github.com/littlebizzy/slickstack/blob/master/modules/ubuntu/22.04/sshd-config.txt

However, we did recently add the ability for users to only allow sudo SSH sessions from a specified IP address that they can fill in during the setup wizard; this becomes the SSH_IPV4 option in ss-config:

Ref: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-config-sample.txt

This is the relevant line from sshd_config:

AllowUsers @SUDO_USER@SSH_IPV4 @SFTP_USER

So currently it supports only a single IP address... we can consider extending this with a new GitHub Issue. Also, the IP restriction does not apply to SFTP users, since we envision SFTP being used by freelancers, web designers, and even third-party applications such as CodeGuard backups and such, meaning a restriction would cause problems.

As far as UFW, there are several other Issues about that so best to discuss elsewhere, but we have improved the stability of the boilerplates and configuration of UFW in the past several months.

If there are any related requests on these subjects, it is probably best to open a new Issue since this one is too mixed. Thanks!
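An added example, not SlickStack code and not posted by either participant, covering the two pieces of this thread: the proposed ss-install logic that turns SSH_ALLOW_IPV4/IPV6, SSH_IPV4_LIST/SSH_IPV6_LIST and SSH_PORT into ufw rules, and the sshd_config AllowUsers layout described in the last comment, generalized from the single SSH_IPV4 address to a whitespace-separated list. Every value is validated before it is placed in a rule or directive, and the script only prints what would be applied, so a typo in a list entry fails closed instead of becoming a malformed or wider-than-intended rule. The function names (is_ipv4, is_ipv6, is_port, is_username, ssh_rules_for_family, allowusers_line), the user names and the addresses are all constructed for this example.

```shell
#!/bin/sh
# Added example, not SlickStack code. Builds (and only prints) the ufw commands the
# proposed ss-install snippet would run for the SSH port, plus the sshd_config
# AllowUsers line described in the thread, validating every value first.
# Function names and all sample values are constructed for this example.
set -f   # no pathname expansion: list entries are split on whitespace only

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4() {
  _addr=${1%%/*}
  _prefix=${1#*/}
  [ "$_prefix" = "$1" ] && _prefix=32            # no "/": a single host
  case "$_prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ ${#_prefix} -le 2 ] && [ "$_prefix" -le 32 ] || return 1
  _oldifs=$IFS; IFS=.
  set -- $_addr                                  # split into octets
  IFS=$_oldifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    case "$_octet" in ''|*[!0-9]*) return 1 ;; esac
    [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 looks like an IPv6 address with an optional /0-128 prefix.
# Syntactic check only: hex groups of up to 4 digits, 2 to 8 colons, one "::".
is_ipv6() {
  _addr=${1%%/*}
  _prefix=${1#*/}
  [ "$_prefix" = "$1" ] && _prefix=128
  case "$_prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ ${#_prefix} -le 3 ] && [ "$_prefix" -le 128 ] || return 1
  case "$_addr" in
    *[!0-9A-Fa-f:]*) return 1 ;;                 # illegal character
    *:*:*:*:*:*:*:*:*:*) return 1 ;;             # nine or more colons
    *:::*) return 1 ;;
    *:*:*) ;;                                    # at least two colons
    *) return 1 ;;
  esac
  _rest=${_addr#*::}
  case "$_rest" in *::*) return 1 ;; esac        # "::" at most once
  _oldifs=$IFS; IFS=:
  set -- $_addr
  IFS=$_oldifs
  for _group in "$@"; do
    [ ${#_group} -le 4 ] || return 1
  done
  return 0
}

# Return 0 if $1 is a TCP port number 1-65535.
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is a plain user name (letters, digits, . _ -); no match means 0.
is_username() {
  case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Print the ufw commands for one address family (nothing if it is disabled). All
# entries are validated before the first rule is printed, so a bad entry yields
# no partial rule set.  $1 = 4|6  $2 = SSH_ALLOW_IPVx  $3 = SSH_IPVx_LIST  $4 = SSH_PORT
ssh_rules_for_family() {
  _fam=$1; _enabled=$2; _list=$3; _port=$4
  [ "$_enabled" = "true" ] || return 0
  is_port "$_port" || { echo "error: invalid SSH_PORT: $_port" >&2; return 1; }
  if [ "$_fam" = 4 ]; then _check=is_ipv4; _any='0.0.0.0/0'
  else _check=is_ipv6; _any='::/0'; fi
  if [ -z "$_list" ]; then                       # empty list: whole address family
    printf 'ufw allow proto tcp from %s to any port %s\n' "$_any" "$_port"
    return 0
  fi
  for _entry in $_list; do
    "$_check" "$_entry" || { echo "error: invalid IPv$_fam entry: $_entry" >&2; return 1; }
  done
  for _entry in $_list; do
    printf 'ufw allow proto tcp from %s to any port %s\n' "$_entry" "$_port"
  done
}

# Print an sshd_config AllowUsers directive: the sudo user only from the listed
# IPv4 addresses/CIDRs (from anywhere if the list is empty), the SFTP user
# unrestricted.  $1 = sudo user  $2 = SFTP user  $3 = IPv4 list
allowusers_line() {
  _sudo=$1; _sftp=$2; _list=$3
  is_username "$_sudo" && is_username "$_sftp" || { echo "error: invalid user name" >&2; return 1; }
  _line="AllowUsers"
  if [ -z "$_list" ]; then
    _line="$_line $_sudo"
  else
    for _entry in $_list; do
      is_ipv4 "$_entry" || { echo "error: invalid IPv4 entry: $_entry" >&2; return 1; }
      _line="$_line $_sudo@$_entry"
    done
  fi
  printf '%s %s\n' "$_line" "$_sftp"
}

# Demo with constructed values: IPv4 limited to two networks, IPv6 off, a list with a typo.
ssh_rules_for_family 4 true "203.0.113.5 198.51.100.0/24" 22
ssh_rules_for_family 6 false "" 22
ssh_rules_for_family 4 true "203.0.113.5 203.0.113.300" 22 || echo "rejected as expected"
allowusers_line admin sftpuser "203.0.113.5 198.51.100.0/24"
```

The printf lines are the review step; once the emitted commands look right, they can be replaced by the real ufw calls. Validating the whole list before emitting anything matters because the proposed snippet applies rules one by one: a bad entry half-way through would leave the first rules active and the rest missing, which is exactly the lockout situation the maintainer is worried about.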

@jessuppi jessuppi closed this as completed Aug 2, 2022
@jessuppi jessuppi changed the title Custom settings for SSH (IPv4 + IPv6 + allowed IPs) Custom settings for SSH connections (IPv4 + IPv6 + allowed IPs) Aug 2, 2022