Useful Software and SSH-Hardening: difference between pages
Based on https://stribika.github.io/2015/01/04/secure-secure-shell.html (with a stripped-down list of Ciphers and MACs)
=== Server configuration ===
Remove all <code>HostKey</code> directives in <code>/etc/ssh/sshd_config</code>, then append at the bottom:
<pre>
# SSH hardening, see https://wiki.fsinf.at/wiki/SSH-Hardening
# Disable SSHv1
Protocol 2
# Only allow Public Key Authentication
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Only allow users in the "users" group (no system users!).
# NOTE: See /etc/adduser.conf (EXTRA_GROUPS and ADD_EXTRA_GROUPS) to
# automatically add new non-system users to a group.
AllowGroups users
# Don't forget to remove HostKey directives above
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
</pre>
... and execute:
<pre>
cd /etc/ssh/
rm ssh_host_*
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""
</pre>
===== restart server =====
Restarting does not affect your current session, so keep it open in case you've made a mistake:
<pre>
systemctl restart sshd
</pre>
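One thing worth checking before you close that session: OpenSSH takes the ''first'' occurrence of a keyword in <code>sshd_config</code> as the effective value, so a <code>PasswordAuthentication no</code> appended at the bottom does not override a <code>PasswordAuthentication yes</code> that a distribution left further up (<code>HostKey</code> is the exception the page already deals with: it accumulates, which is why the old directives must be removed). The following POSIX shell auditor is an added example and not part of this wiki page; it resolves values the same first-wins way and flags the weak algorithm families the lists above deliberately leave out. The two sample config files are constructed inline for the demonstration; on a real host, point <code>audit_sshd_config</code> at <code>/etc/ssh/sshd_config</code>, or better at a file holding the output of <code>sshd -T</code>, which prints the effective configuration.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an sshd_config file against the
# hardening settings recommended above.

# effective_value FILE KEYWORD
# Prints the value of the first non-comment occurrence of KEYWORD (case-insensitive),
# stopping at the first "Match" block, which is where the global section ends.
# Prints nothing when the keyword is not set.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == key                   { print $2; exit }
    ' "$1"
}

# list_contains_pattern LIST EREGEX
# Returns 0 if any item of the comma-separated LIST matches the extended regex.
list_contains_pattern() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Eq "$2"
}

# audit_sshd_config FILE
# Prints one FAIL line per finding and returns the number of findings (0 = pass).
# Unset keywords count as findings: the page sets them explicitly so defaults cannot drift.
audit_sshd_config() {
    f="$1"; n=0
    for pair in "passwordauthentication:no" "challengeresponseauthentication:no" "pubkeyauthentication:yes"; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(effective_value "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}' (want $want)"; n=$((n+1))
        fi
    done
    kex=$(effective_value "$f" KexAlgorithms)
    if [ -z "$kex" ] || list_contains_pattern "$kex" 'sha1$|group1-'; then
        echo "FAIL: KexAlgorithms unset or contains a SHA-1/group1 method: '${kex:-unset}'"; n=$((n+1))
    fi
    ciphers=$(effective_value "$f" Ciphers)
    if [ -z "$ciphers" ] || list_contains_pattern "$ciphers" 'cbc|arcfour|3des|blowfish'; then
        echo "FAIL: Ciphers unset or contains CBC/arcfour/3des/blowfish: '${ciphers:-unset}'"; n=$((n+1))
    fi
    macs=$(effective_value "$f" MACs)
    if [ -z "$macs" ] || list_contains_pattern "$macs" 'md5|sha1|ripemd|-96'; then
        echo "FAIL: MACs unset or contains an MD5/SHA-1/RIPEMD/truncated MAC: '${macs:-unset}'"; n=$((n+1))
    fi
    return "$n"
}

# Constructed sample configs (not real hosts) to show both outcomes.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hardened" <<'EOF'
# the block from this page, with all old directives removed
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups users
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
EOF
cat > "$SAMPLE_DIR/appended_only" <<'EOF'
# a distribution default left in place, hardening block appended below it
PasswordAuthentication yes
# SSH hardening
PasswordAuthentication no
ChallengeResponseAuthentication no
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
EOF

audit_sshd_config "$SAMPLE_DIR/hardened" && echo "hardened: PASS"
audit_sshd_config "$SAMPLE_DIR/appended_only" || echo "appended_only: $? finding(s)"
```

The second sample shows the trap: <code>PasswordAuthentication</code> resolves to <code>yes</code> because that line comes first, and the auditor reports it together with the SHA-1 key exchange and the missing cipher and MAC lists.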
=== Client configuration ===
On top of your <code>~/.ssh/config</code>, add:
<pre>
Host *
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
</pre>
Note that, compared to the server config, we additionally allow diffie-hellman-group14-sha1 - this is for compatibility with Ubuntu 12.04 (remove it if you don't care).
If possible, you can also regenerate your own SSH keys:
<pre>
ssh-keygen -t ed25519 -o -a 100
ssh-keygen -t rsa -b 4096 -o -a 100
</pre>
'''WARNING:''' This overwrites your old keys if you're not careful. If you don't add a new key to your servers before removing the old ones, you're locked out.
=== Sources ===
* https://cipherli.st/
* '''old, from 2015:''' https://stribika.github.io/2015/01/04/secure-secure-shell.html
[[Kategorie:FOSS]]
[[Kategorie:Linux]]
Current version as of 7 February 2023, 19:47