https://wiki.fsinf.at/index.php?action=history&feed=atom&title=SSH-HardeningSSH-Hardening - Versionsgeschichte2026-05-10T17:34:25ZVersionsgeschichte dieser Seite in WikiMediaWiki 1.40.1https://wiki.fsinf.at/index.php?title=SSH-Hardening&diff=1345&oldid=prevSomeone am 7. Februar 2023 um 17:47 Uhr2023-02-07T17:47:51Z<p></p>
<p><b>Neue Seite</b></p><div>Based on https://stribika.github.io/2015/01/04/secure-secure-shell.html (with a stripped down list of Ciphers and MACs)<br />
<br />
=== Server configuration ===<br />
<br />
Remove all <code>HostKey</code> directives in <code>/etc/ssh/sshd_config</code>, then append at the bottom:<br />
<br />
<pre><br />
# SSH hardening, see https://wiki.fsinf.at/wiki/SSH-Hardening<br />
<br />
# Disable SSHv1<br />
Protocol 2<br />
<br />
# Only allow Public Key Authentication<br />
PubkeyAuthentication yes<br />
PasswordAuthentication no<br />
ChallengeResponseAuthentication no<br />
<br />
# Only allow users in the "users" group (no system users!).<br />
# NOTE: See /etc/adduser.conf (EXTRA_GROUPS and ADD_EXTRA_GROUPS) to <br />
# automatically add new non-system users to a group.<br />
AllowGroups users<br />
<br />
# Don't forget to remove HostKey directives above<br />
HostKey /etc/ssh/ssh_host_rsa_key<br />
HostKey /etc/ssh/ssh_host_ed25519_key<br />
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256<br />
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr<br />
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com<br />
</pre><br />
<br />
... and execute:<br />
<br />
cd /etc/ssh/<br />
rm ssh_host_*<br />
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ""<br />
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""<br />
<br />
===== restart server =====<br />
<br />
When restarting, current session is not affected, make sure you keep it open, in case you've done something wrong:<br />
<br />
systemctl restart sshd<br />
<br />
=== Client configuration ===<br />
<br />
On top of your <code>~/.ssh/config</code>, add:<br />
<br />
Host *<br />
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1<br />
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr<br />
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160<br />
<br />
Note that we add diffie-hellman-group-exchange-sha256 in comparison to the server config - this is for comparability with Ubuntu 12.04 (remove it if you don't care).<br />
<br />
If possible, you can also regenerate your own SSH keys:<br />
<br />
ssh-keygen -t ed25519 -o -a 100<br />
ssh-keygen -t rsa -b 4096 -o -a 100<br />
<br />
'''WARNING:''' This overwrites your old keys if you're not careful. If you don't add a new key to your servers before removing the old ones, you're locked out.<br />
<br />
=== Sources ===<br />
* https://cipherli.st/<br />
* '''old, from 2015:''' https://stribika.github.io/2015/01/04/secure-secure-shell.html<br />
<br />
[[Kategorie:FOSS]]<br />
[[Kategorie:Linux]]</div>Someone