bash tweaks - Bourne-Again SHell

XQuartz and .bashrc

# This is needed if you are planning to run XQuartz on MacOSX in Zsh and X11 over SSH

##################################
# HiddenSSH/XQuartz
#
# Point X11 clients started from a normal terminal at display :0
# (used here for XQuartz).
# NOTE(review): the assignment is unconditional. If this file is also sourced
# inside an SSH session that has X11 forwarding enabled, it replaces the
# DISPLAY value sshd set for the tunnel - confirm it is only loaded on the
# local Mac.
DISPLAY=:0
export DISPLAY

MacOSX .bashrc

# MacOSX specific .bashrc

##################################
# MACOSX
#
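# Print CPU details read from sysctl, one item per line.
# printf is used rather than echo: bash's builtin echo does not expand "\n"
# by default, so an echo-based alias prints a single line containing literal
# "\n" when loaded from .bashrc. printf gives the same output in bash and zsh.
# NOTE(review): hw.cpufrequency may be missing on some Macs, in which case
# sysctl reports an error and the first value is empty - confirm on target.
alias cpuinfo='printf "%s\n" \
  "CPU Frequency (MHz): $(sysctl -n hw.cpufrequency)" \
  "CPU Model: $(sysctl -n machdep.cpu.brand_string)" \
  "Physical CPU Packages: $(sysctl -n hw.packages)" \
  "Logical CPU Cores: $(sysctl -n hw.logicalcpu)" \
  "Physical CPU Cores: $(sysctl -n hw.physicalcpu)"'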

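# Print the fields reported by uname, one labelled line per field.
# Arguments: none
# Outputs:   six "Label: value" lines on stdout
# The values are kept in locals so that calling sysinfo from an interactive
# shell does not leave PROCESSOR_TYPE, KERNEL_NAME, etc. behind as globals.
sysinfo() {
    local processor_type machine_hardware_name kernel_release
    local kernel_name kernel_version node_name

    # -p goes through /usr/bin/uname explicitly; the other fields use whichever
    # uname is first in PATH.
    # NOTE(review): presumably the absolute path is there to bypass a different
    # uname earlier in PATH - confirm.
    processor_type=$(/usr/bin/uname -p)
    machine_hardware_name=$(uname -m)
    kernel_release=$(uname -r)
    kernel_name=$(uname -s)
    kernel_version=$(uname -v)
    node_name=$(uname -n)

    printf '%s\n' \
        "Processor Type: $processor_type" \
        "Machine Hardware Name: $machine_hardware_name" \
        "Kernel Release: $kernel_release" \
        "Kernel Name: $kernel_name" \
        "Kernel Version: $kernel_version" \
        "Node Name: $node_name"
}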

# Firewall (pf)
# firewall-show:    print where the ruleset lives, then dump the file.
# firewall-restart: have pfctl load the ruleset from /etc/pf.conf (via sudo).
# NOTE(review): "pfctl -f" loads the file; it does not by itself enable pf,
# so confirm that matches what "restart" is meant to do. A parse-only pass
# (pfctl -n -f /etc/pf.conf) before loading reports syntax errors without
# touching the running ruleset.
alias firewall-show="echo 'Location: /etc/pf.conf' && cat /etc/pf.conf"
alias firewall-restart='sudo pfctl -f /etc/pf.conf'

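# Show Interfaces
# Print "<interface>: <address info>" for every network interface.
#   Darwin: address and netmask fields from `ifconfig <interface>`.
#   Linux:  address/prefix from `ip -o -f inet addr show dev <interface>`.
# Returns: 0 on a supported OS; 1 (with a message on stderr) otherwise.
#
# Written to behave the same in bash and zsh:
#   - printf replaces `print`, which is not a bash builtin;
#   - a read loop replaces `for intf in $interfaces`, which in bash expands
#     only the first array element;
#   - on Linux the "@peer" suffix of names such as "eth0@if5" is cut off
#     entirely, so the name passed to `ip addr show` is the real device name.
showinterfacesinfo() {
    local os intf ip_and_mask
    os=$(uname -s)

    case "$os" in
        Darwin)
            while IFS= read -r intf; do
                ip_and_mask=$(ifconfig "$intf" | awk '/inet /{print $2, $4}')
                printf '%s: %s\n' "$intf" "$ip_and_mask"
            done < <(ifconfig | awk '/^[a-z]/{gsub(/:/, "", $1); print $1}')
            ;;
        Linux)
            while IFS= read -r intf; do
                ip_and_mask=$(ip -o -f inet addr show dev "$intf" | awk '{print $4}')
                printf '%s: %s\n' "$intf" "$ip_and_mask"
            done < <(ip -o link show | awk -F': ' '{sub(/@.*/, "", $2); print $2}')
            ;;
        *)
            printf '%s\n' "Unsupported operating system." >&2
            return 1
            ;;
    esac
}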

Trezor .bashrc

# Aliases to make life easier

##################################
# TREZOR
#
# trezorconnected: run `trezorctl list` to show the attached devices.
# remoteserver:    open a session to user@remote-server.hiddenssh.com through
#                  trezor-agent, with the ed25519 curve (-e) and connect
#                  mode (-c).
alias trezorconnected="trezorctl list"
alias remoteserver="trezor-agent -e ed25519 -c user@remote-server.hiddenssh.com"

Linux Hardening Script

# Add a basic layer of security to Linux.

#!/bin/bash
# Abort at the first command that exits non-zero, so a failed step is not
# followed by later ones that assume it succeeded.
# NOTE(review): the steps in this script write to root-owned files
# (/etc/fstab, /etc/sysctl.conf, /var/log/*), so it has to run as root;
# nothing in the script checks for that before it starts changing things.
set -o errexit

# Ask a yes/no question and terminate the script unless the reply is exactly
# "Y" or "y".
# Arguments: $1 - question text; " (Y/n): " is appended to form the prompt.
# Globals:   answer (written) - the raw reply as typed.
# Returns:   0 when the reply is Y or y; otherwise the shell exits with 1.
# Note: an empty reply (just Enter) also exits, even though the "(Y/n)" hint
# conventionally suggests that yes is the default.
ask() {
  read -rp "$1 (Y/n): " answer
  case "$answer" in
    Y | y) return 0 ;;
    *) exit 1 ;;
  esac
}

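ask "[*] Apply process visibility and login file restrictions?"
# Restrict the login-record databases to root only. A file that is absent
# (btmp often is) is reported and skipped instead of being silently ignored.
# NOTE(review): utmp/wtmp are commonly group-writable by a dedicated group so
# terminal programs can record sessions, and who/w/last read them as ordinary
# users; 600 root:root stops both - confirm that is acceptable on this host.
for login_db in /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/btmp; do
  if [ -e "$login_db" ]; then
    chmod 600 "$login_db"
    chown root:root "$login_db"
  else
    echo "[!] $login_db not present, skipped" >&2
  fi
done

# This script finishes by setting /etc/fstab immutable, so on a second run the
# flag has to be cleared before the file can be appended to.
chattr -i /etc/fstab || true

# Match the /proc entry with any whitespace between fields (tabs or several
# spaces); a single-space match misses such entries and appends a duplicate.
if ! grep -q -E '^proc[[:space:]]+/proc[[:space:]]+proc' /etc/fstab; then
  echo "proc /proc proc defaults,hidepid=2 0 0" >> /etc/fstab
elif ! grep -E '^proc[[:space:]]+/proc[[:space:]]+proc' /etc/fstab | grep -q 'hidepid='; then
  # An existing entry is left alone, so say so instead of implying success.
  echo "[!] /etc/fstab already has a /proc entry without hidepid=; not changed" >&2
fi
# hidepid=2 hides other users' processes under /proc.
# NOTE(review): services that need to see other users' processes may need a
# gid= exemption on this mount - verify on the target distribution.
mount -o remount /proc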

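ask "[*] Apply dmesg, ptrace restrictions?"
# Clear the immutable flag a previous run may have set; ignore failure on
# filesystems where the flag is unsupported or was never set.
chattr -i /etc/sysctl.conf || true

# kernel.dmesg_restrict=1     - kernel log readable only by privileged users.
# kernel.yama.ptrace_scope=2  - ptrace attach limited to processes holding
#                               CAP_SYS_PTRACE; unprivileged gdb/strace attach
#                               stops working.
for setting in kernel.dmesg_restrict=1 kernel.yama.ptrace_scope=2; do
  # Apply to the running kernel.
  sysctl -w "$setting"
  # Persist once only: re-running the script must not append the same line
  # again and again.
  if ! grep -q -x -F -- "$setting" /etc/sysctl.conf 2>/dev/null; then
    echo "$setting" >> /etc/sysctl.conf
  fi
done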

ask "[*] Lock down /tmp and /dev/shm?"
# Add a tmpfs entry with noexec,nosuid,nodev for each mount point unless
# /etc/fstab already has a tmpfs line for it.
# NOTE(review): an existing tmpfs line is accepted whatever its options are,
# so a line without noexec/nosuid/nodev is left unchanged. If /tmp is not a
# separate mount today, the remount below fails and the new entry only takes
# effect at the next boot, when /tmp becomes an empty tmpfs. Programs that
# execute files from /tmp or /dev/shm will stop working under noexec.
for mount_point in /tmp /dev/shm; do
  if ! grep -q -E "^tmpfs\s+${mount_point}\s+tmpfs" /etc/fstab; then
    echo "tmpfs ${mount_point} tmpfs defaults,noexec,nosuid,nodev 0 0" >> /etc/fstab
  fi
done

# Let systemd pick up the changed fstab before remounting.
systemctl daemon-reload

# A failed remount is reported but does not stop the script.
for mount_point in /tmp /dev/shm; do
  mount -o remount "$mount_point" || echo "[!] ${mount_point} remount failed"
done

# Socket directory for screen: created if missing, mode 755, owned by root.
install -d -m 755 -o root -g root /var/run/screen

# Append the screen defaults once; a missing /etc/screenrc counts as "not yet
# configured" (grep's error output is discarded).
# NOTE(review): confirm that the installed screen accepts "defdir"; "deflog on"
# turns on logging for new windows.
if ! grep -q "defdir" /etc/screenrc 2>/dev/null; then
  printf '%s\n' 'defdir $HOME/tmp' 'deflog on' >> /etc/screenrc
fi

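# Give every user a private ~/tmp (mode 700).
#
# The directory is created and chmod'ed with the owner's own privileges
# instead of root's. A home directory is writable by its user, so a root-run
# chmod/chown on a path inside it would follow whatever the user placed at
# that path (for example a symlink) and change a file elsewhere on the system.
# Done as the user, the operation can only affect what the user could already
# change, and no chown is needed.
#
# Assumes the directory name under /home is the login name; entries without a
# matching account (lost+found, stale homes) are skipped rather than aborting
# the script under `set -e`.
for dir in /home/*; do
  # Real directories only; a symlinked entry under /home is not followed.
  if [ ! -d "$dir" ] || [ -L "$dir" ]; then
    continue
  fi

  owner=$(basename -- "$dir")
  if ! id -u "$owner" >/dev/null 2>&1; then
    echo "[!] $dir: no user named '$owner', skipped" >&2
    continue
  fi

  if ! runuser -u "$owner" -- mkdir -p -- "$dir/tmp" ||
     ! runuser -u "$owner" -- chmod 700 -- "$dir/tmp"; then
    echo "[!] $dir/tmp: could not be prepared as $owner" >&2
  fi
done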

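# Optional step: unlike the ask() prompts, answering anything other than Y/y
# skips this step and the script carries on.
# The key is IPv4-only (net.ipv4.*); ICMPv6 echo requests are not affected.
read -rp "[*] Block incoming ICMP echo requests (pings) via sysctl? (Y/n): " icmpblock
case "$icmpblock" in
  Y | y)
    # Apply to the running kernel.
    sysctl -w net.ipv4.icmp_echo_ignore_all=1
    # Persist once only, so repeated runs do not pile up duplicate lines.
    if ! grep -q -x -F -- "net.ipv4.icmp_echo_ignore_all=1" /etc/sysctl.conf 2>/dev/null; then
      echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
    fi
    ;;
esac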

# Restrict the per-protocol socket listings under /proc/net to mode 600.
# Each chmod is best-effort: a failure (file missing, change refused) is
# ignored so the script carries on under `set -e`.
# NOTE(review): /proc is a virtual filesystem, so presumably these modes do
# not survive a reboot - confirm, and re-apply at boot if they are relied on.
for proc_net_file in tcp udp raw tcp6 udp6 raw6; do
  chmod 600 "/proc/net/${proc_net_file}" || true
done

# Load the settings from /etc/sysctl.conf into the running kernel. Under
# `set -e` a failure here stops the script before the files are locked.
sysctl -p

# Set the immutable flag on both files: from here on they cannot be modified,
# even by root, until the flag is cleared again with `chattr -i`. Any later
# edit of either file therefore needs that extra step first.
for locked_file in /etc/sysctl.conf /etc/fstab; do
  chattr +i "$locked_file"
done

printf '%s\n' "[-] Hardening complete."
# Distro: Hackertips.today - All Rights Lost (c) 2025