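# This script is used to set up an SFTP server on a Windows Server using OpenSSH.
# Run it from an elevated PowerShell session; otherwise it re-launches itself with "RunAs".
#
# -Elevated is appended by the re-launch so the child process can tell that an
# elevation attempt already happened. Without this Param block the switch would
# fall into $args and $Elevated would always be $null, so the "already tried"
# branch could never run.
Param (
    [Switch]$Elevated
)

#######################################
# Returns $True when the current process token is a member of the built-in
# Administrators role, $False otherwise. Reads no script state.
#######################################
Function Test-Admin {
    $Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $Principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $Identity
    Return $Principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
} # End Function Test-Admin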
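# Re-launch elevated when not running as Administrator. The child receives
# -Elevated so that a second failed attempt aborts instead of looping.
If (-not (Test-Admin)) {
    If ($Elevated) {
        Write-Output "[*] Tried to elevate, did not work, aborting"
    } Else {
        # powershell.exe is resolved through PATH: the standard install location is
        # %SystemRoot%\System32\WindowsPowerShell\v1.0, not System32 itself, so the
        # earlier hard-coded C:\Windows\System32\powershell.exe path is not reliable.
        $ScriptPath = $MyInvocation.MyCommand.Definition
        Try {
            Start-Process -FilePath "powershell.exe" -Verb RunAs -ArgumentList ('-NoProfile -NoExit -File "{0}" -Elevated' -f $ScriptPath) -ErrorAction Stop
        } Catch {
            # Start-Process throws when the UAC prompt is declined or the launch fails;
            # report it instead of silently exiting with nothing on screen.
            Write-Output "[!] Elevation was refused or failed: $($_.Exception.Message)"
        } # End Catch
    } # End Else
    Exit
} # End If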
# Start-up banner. This is an expandable here-string, so the backtick pairs in
# the slogan are treated as escape sequences (an unknown escape such as `e is
# printed as the bare character). The EMAIL line looks mangled in this copy of
# the script; it is reproduced as found.
$Logo = @"
╔═══╗░░╔╗░░░░░░░░░░░░╔═══╗░░░░░
║╔═╗║░░║║░░░░░░░░░░░░║╔═╗║░░░░░
║║░║╠══╣╚═╦══╦═╦═╗╔══╣╚═╝╠═╦══╗
║║░║║══╣╔╗║╔╗║╔╣╔╗╣║═╣╔══╣╔╣╔╗║
║╚═╝╠══║╚╝║╚╝║║║║║║║═╣║░░║║║╚╝║
╚═══╩══╩══╩══╩╝╚╝╚╩══╩╝░░╚╝╚══╝
===============================
If you can't beat `em tech `em!
===============================
https://osbornepro.com
EMAIL: [email protected]
"@
Write-Output $Logo
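# Create (or reuse) the local group that gates SFTP access and add the requested members.
# The unused $Domain lookup (Win32_ComputerSystem) that used to sit here was dropped;
# nothing in the script read it.
$SFTPGroup = (Read-Host -Prompt "Enter the name of the SFTP Security Group Allowing access to the SFTP Server. Do not include the domain. EXAMPLE: SFTP-Users").Trim()
# The name is written verbatim into sshd_config (AllowGroups / Match Group), where
# whitespace separates list entries; refuse names that would be split or are empty
# rather than producing a config that admits the wrong groups.
If (-not $SFTPGroup -or $SFTPGroup -match '[\s"]') {
    Throw "[!] The SFTP group name must be a single word without spaces or quotes"
} # End If

Write-Output "[*] Creating the local group $SFTPGroup"
If (-not (Get-LocalGroup -Name $SFTPGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Description "Members of this group can access the SFTP server" -Name $SFTPGroup
} Else {
    Write-Output "[!] Group $SFTPGroup already exists. Skipping its creation"
} # End Else

# Comma-separated list; entries are trimmed rather than having every space stripped,
# so names such as "Domain Users" survive intact. Empty entries are ignored.
$MemberInput = Read-Host -Prompt "Define any users and groups you want to be able to access the SFTP server: EXAMPLE: domain.com\rosborne,administrator"
[array]$AddToGroup = @($MemberInput -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
If ($AddToGroup.Count -eq 0) {
    Write-Output "[!] No members given; $SFTPGroup is left empty"
} # End If
ForEach ($Member in $AddToGroup) {
    Try {
        Add-LocalGroupMember -Group $SFTPGroup -Member $Member -ErrorAction Stop
        Write-Output "[*] Added $Member to $SFTPGroup"
    } Catch {
        # A member that already exists or cannot be resolved should not abort the setup
        Write-Output "[!] Could not add '$Member' to $($SFTPGroup): $($_.Exception.Message)"
    } # End Catch
} # End ForEach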
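# Create the SFTP root and replace its ACL with an explicit, non-inherited one.
$SFTPRootDir = (Read-Host -Prompt "Where should your SFTP directory be created or exist at? EXAMPLE: C:\SFTP").Trim()
# The value becomes the ChrootDirectory in sshd_config; an empty or relative path
# would chroot users somewhere unintended, so stop here instead of continuing.
If (-not $SFTPRootDir -or -not [System.IO.Path]::IsPathRooted($SFTPRootDir)) {
    Throw "[!] The SFTP root must be an absolute path such as C:\SFTP"
} # End If

Write-Output "[*] Creating $SFTPRootDir if it does not already exist"
# Earlier versions swallowed a failure here and went on to chroot into a missing
# directory; a failed create is fatal now.
New-Item -Path $SFTPRootDir -ItemType Directory -Force -ErrorAction Stop | Out-Null

Write-Output "[*] Setting the permissions on $SFTPRootDir"
$GroupAccount  = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $SFTPGroup
$SystemAccount = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "SYSTEM"
$AdminAccount  = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "Administrators"
# Apply to the folder, its sub-folders and its files.
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$ObjType = [System.Security.AccessControl.AccessControlType]::Allow

# Least privilege: Administrators and SYSTEM own and fully control the chroot root;
# the SFTP group gets Modify (create/read/write/delete/rename) but not FullControl,
# which would let any member rewrite the ACL or take ownership of the chroot root.
# sshd's own rule for ChrootDirectory is that the path must not be writable by the
# chrooted users beyond what the administrator intends.
$Entries = @(
    @{ Account = $AdminAccount;  Rights = [System.Security.AccessControl.FileSystemRights]::FullControl },
    @{ Account = $SystemAccount; Rights = [System.Security.AccessControl.FileSystemRights]::FullControl },
    @{ Account = $GroupAccount;  Rights = [System.Security.AccessControl.FileSystemRights]::Modify }
)

$ACL = Get-Acl -Path $SFTPRootDir
Write-Output "[*] Defining the owner as the built-in Administrators group"
$ACL.SetOwner($AdminAccount)
# Cut inheritance and discard the inherited ACEs so only the entries below remain.
$ACL.SetAccessRuleProtection($True, $False)
ForEach ($Entry in $Entries) {
    Write-Output "[*] Granting $($Entry.Rights) to $($Entry.Account.Value) on $SFTPRootDir"
    $Ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Entry.Account, $Entry.Rights, $InheritanceFlag, $PropagationFlag, $ObjType
    # SetAccessRule replaces any existing rule for the same identity
    $ACL.SetAccessRule($Ace)
} # End ForEach
# One Set-Acl applies owner, protection and all three rules together.
Set-Acl -Path $SFTPRootDir -AclObject $ACL

# Double the backslashes for use inside sshd_config (ChrootDirectory); this is the
# value the rest of the script reads, so it is set after the filesystem work above.
$SFTPRootDir = $SFTPRootDir.Replace("\","\\")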
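# Install the OpenSSH capabilities, start the services, open the firewall and show host keys.
Write-Output "[*] Installing OpenSSH client and server"
ForEach ($Capability in 'OpenSSH.Client~~~~0.0.1.0', 'OpenSSH.Server~~~~0.0.1.0') {
    If ((Get-WindowsCapability -Online -Name $Capability).State -ne 'Installed') {
        $Result = Add-WindowsCapability -Online -Name $Capability
        If ($Result.RestartNeeded) {
            Write-Output "[!] $Capability requests a reboot; the sshd service may not be usable until then"
        } # End If
    } Else {
        Write-Output "[!] $Capability is already installed. Skipping"
    } # End Else
} # End ForEach

Write-Output "[*] Enabling sshd service to start automatically"
# -ErrorAction Stop: if the service is missing (install failed) there is no point in
# writing a config or opening the firewall, so abort here.
Set-Service -Name sshd -StartupType Automatic -ErrorAction Stop
# ssh-agent is not needed to serve SFTP; it is kept because the original setup
# enabled it. Remove these two references if the agent is not wanted on the server.
Set-Service -Name ssh-agent -StartupType Automatic -ErrorAction Stop
Start-Service -Name sshd,ssh-agent -ErrorAction Stop

Write-Output "[*] Creating firewall rule Allow SFTP Connections"
# New-NetFirewallRule fails on an existing rule name; make the step re-runnable.
If (-not (Get-NetFirewallRule -Name sshd -ErrorAction SilentlyContinue)) {
    # Scoped to sshd.exe so the port is not opened for any other program.
    New-NetFirewallRule -Name sshd -DisplayName 'Allow SFTP Connections' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 -Program "C:\Windows\System32\OpenSSH\sshd.exe"
} Else {
    Write-Output "[!] Firewall rule 'sshd' already exists. Skipping its creation"
} # End Else

# Host keys are created by the service on first start, hence listed after Start-Service.
# Fingerprints are shown so they can be handed to clients out of band.
Write-Output "[*] Host keys are below"
Get-ChildItem -Path "$env:ProgramData\ssh\ssh_host_*_key" | ForEach-Object {
    & "$env:WINDIR\System32\OpenSSH\ssh-keygen.exe" -l -f $_.FullName
} # End ForEach-Object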
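Write-Output "[*] Backing up original config file"
$SshdConfig = "$env:ProgramData\ssh\sshd_config"
# Keep the pristine vendor config: on a re-run the current sshd_config is the one
# this script generated, and moving it with -Force would overwrite the real original.
If (Test-Path -Path "${SshdConfig}.orig") {
    Write-Output "[!] ${SshdConfig}.orig already exists and is kept as the original"
} ElseIf (Test-Path -Path $SshdConfig) {
    Move-Item -Path $SshdConfig -Destination "${SshdConfig}.orig" -Force
} Else {
    Write-Output "[!] No existing sshd_config found to back up"
} # End Else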
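Write-Output "[*] Creating the SFTP Configuration file"
# Both values are interpolated unquoted into sshd_config: a group name with whitespace
# would be read as several AllowGroups entries and an empty root would chroot to nothing.
If ([string]::IsNullOrWhiteSpace($SFTPGroup) -or $SFTPGroup -match '\s' -or [string]::IsNullOrWhiteSpace($SFTPRootDir)) {
    Throw "[!] Refusing to write sshd_config: the SFTP group must be a single word and the SFTP root must be set"
} # End If

# NOTE(review): the algorithm names containing "@" (KexAlgorithms, Ciphers, MACs) were
# mangled in the copy this script was taken from; they are restored below from the
# standard OpenSSH names. Verify them against `ssh -Q kex`, `ssh -Q cipher`, `ssh -Q mac`
# on the target build. Comments are kept on their own lines (older sshd parsers reject
# trailing "# ..." after a value), and the backtick quotes of the original comments were
# removed because a backtick is an escape character inside this expandable here-string.
$Contents = @"
# sshd_config generated by Configure-SFTP-Only.ps1 -- SFTP-only, chrooted service.
# See sshd_config(5). Each comment describes the directive below it.

# ---- Network ----
Port 22
# Legacy directive: protocol 1 no longer exists and current sshd logs this as a deprecated, ignored option.
Protocol 2
# IPv4 only
AddressFamily inet
ListenAddress 0.0.0.0
#ListenAddress ::

# ---- Host keys (the private keys sshd presents to clients) ----
# DSA is omitted: ssh-dss has been disabled by default since OpenSSH 7.0 and no such key is generated.
HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# ---- Cryptography ----
# Renegotiate the session key after the default amount of data; no time-based limit.
RekeyLimit default none
# Key exchange methods offered to clients, strongest first.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# Symmetric ciphers: AEAD and CTR modes only, no CBC.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Integrity algorithms; encrypt-then-MAC variants first.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# ---- Logging ----
# On Windows sshd logs to the OpenSSH event log; the syslog facility is kept for completeness.
SyslogFacility USER
LogLevel INFO

# ---- Authentication ----
# Seconds a client may stay connected without completing authentication.
LoginGraceTime 20
# Unix-oriented; there is no root account on Windows.
PermitRootLogin no
# Authentication attempts permitted per connection; failures are logged once half of this is reached.
MaxAuthTries 3
# Open sessions (channels) permitted per network connection.
MaxSessions 6
# Public-key authentication is the preferred method. It is disabled here because the
# original author could not get it working on their Windows build; re-enable it and
# turn PasswordAuthentication off as soon as it works in your environment.
#PubkeyAuthentication yes
PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# Deny by default: only members of this group may authenticate at all.
AllowGroups $($SFTPGroup)
#AllowUsers
#DenyGroups
#DenyUsers

# ---- Session restrictions: file transfer only ----
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
PermitTTY yes
PrintMotd yes

# ---- Idle handling ----
# TCP keepalives are not used; instead sshd probes the client through the encrypted
# channel every 15 seconds and drops the session after 3 unanswered probes (about 45 s).
TCPKeepAlive no
ClientAliveInterval 15
ClientAliveCountMax 3
# Skip reverse DNS on connecting addresses; it slows logins and is not used for access control here.
UseDNS no
# start:rate:full -- once 10 unauthenticated connections exist, refuse new ones with
# 30% probability, rising linearly to 100% at 100 unauthenticated connections.
MaxStartups 10:30:100

# ---- SFTP jail ----
# Every authenticated user is chrooted into the SFTP root. This path and all of its
# parents must be owned by Administrators/SYSTEM and not be writable by other users
# (the script sets that ACL on the root itself).
ChrootDirectory $($SFTPRootDir)
# Do not append anything to the version banner.
VersionAddendum none
#Banner
# Every session runs the in-process SFTP server; no shell or other commands.
ForceCommand internal-sftp
#Subsystem sftp sftp-server.exe
Subsystem sftp internal-sftp

Match Group $($SFTPGroup)
ChrootDirectory $($SFTPRootDir)
AllowTcpForwarding no
ForceCommand internal-sftp

Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

############################################################################################################
# Unapplicable Settings for Windows
############################################################################################################
#AcceptEnv
#AllowStreamLocalForwarding
#AuthorizedKeysCommand
#AuthorizedKeysCommandUser
#AuthorizedPrincipalsCommand
#AuthorizedPrincipalsCommandUser
#Compression
#ExposeAuthInfo
#GSSAPIAuthentication
#GSSAPICleanupCredentials
#GSSAPIStrictAcceptorCheck
#HostbasedAcceptedKeyTypes
#HostbasedAuthentication
#HostbasedUsesNameFromPacketOnly
#IgnoreRhosts
#IgnoreUserKnownHosts
#KbdInteractiveAuthentication
#KerberosAuthentication
#KerberosGetAFSToken
#KerberosOrLocalPasswd
#KerberosTicketCleanup
#PermitTunnel
#PermitUserEnvironment
#PermitUserRC
#idFile
#PrintLastLog
#RDomain
#StreamLocalBindMask
#StreamLocalBindUnlink
#StrictModes
#X11DisplayOffset
#X11Forwarding
#X11UseLocalhost
#XAuthLocation
"@
# -Force overwrites whatever is there (the original was moved aside earlier).
New-Item -Path "$env:ProgramData\ssh" -Name "sshd_config" -ItemType File -Force -Value $Contents | Out-Null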
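Write-Output "[*] Backing up the newly set configuration file"
Copy-Item -Path "$env:ProgramData\ssh\sshd_config" -Destination "$env:ProgramData\ssh\sshd_config.bak" -Force

Write-Output "[*] Restarting the sshd service to apply changes"
# A config error shows up here as a service that fails to (re)start. Report it
# together with the recovery path instead of ending the script with a bare error
# and no running SFTP service.
Try {
    Restart-Service -Name sshd -ErrorAction Stop
    Write-Output "[*] sshd service status: $((Get-Service -Name sshd).Status)"
} Catch {
    Write-Output "[!] sshd failed to restart: $($_.Exception.Message)"
    Write-Output "[!] Check the OpenSSH operational event log; to roll back, restore $env:ProgramData\ssh\sshd_config.orig over sshd_config and start the service again"
} # End Catch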