mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-23 01:21:07 +01:00
Adding a guide for hardening SSH server and client on Void Linux (This should also transfer to other distros such as Arch Linux).
parent
b0bb7ba5bb
commit
5802e69611
59
Void-Linux.md
Normal file
59
Void-Linux.md
Normal file
@ -0,0 +1,59 @@
|
||||
# Server
|
||||
> **Note**
|
||||
>
|
||||
> Instructions are based on the information from: https://ozgurkazancci.com/ssh-server-security-audit-hardening-freebsd/
|
||||
|
||||
Most of the commands in the server section must be run with root privileges.
|
||||
Always start by making sure the operating system and packages are updated.
|
||||
``` sh
|
||||
xbps-install -Syuv
|
||||
```
|
||||
|
||||
Regenerate host identification keys.
|
||||
``` sh
|
||||
rm ssh_host_*
|
||||
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
|
||||
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
|
||||
```
|
||||
After completing this step, the SSH client may give an error saying that the host identification key has changed and will not allow the connection to go through;
|
||||
this can be fixed by removing the SSH host from ~/.ssh/known_hosts.
|
||||
|
||||
Then generate SSH moduli:
|
||||
``` sh
|
||||
ssh-keygen -M generate -O bits=3072 moduli
|
||||
ssh-keygen -M screen -f moduli moduli-final
|
||||
mv moduli-final /usr/local/etc/ssh/
|
||||
```
|
||||
|
||||
Restart the SSH service:
|
||||
``` sh
|
||||
sv restart sshd
|
||||
```
|
||||
|
||||
Optionally check your server with `ssh-audit`:
|
||||
|
||||
``` sh
|
||||
sudo xbps-install -Sy ssh-audit
|
||||
ssh-audit localhost # Replace localhost with the IP address or domain name of the SSH server to be checked
|
||||
```
|
||||
Alternatively, if the SSH server is publicly accessible, it can be checked and scored on [sshaudit.com](https://www.sshaudit.com/).
|
||||
|
||||
# Client
|
||||
Hardening the SSH client is just as important as hardening the SSH server. Some attack vectors are left open if either the SSH server or client has not taken precautions to mitigate the vulnerability.
|
||||
Hardening the SSH client for the current user is as simple as running the following command:
|
||||
|
||||
``` sh
|
||||
printf "\nHost *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com\n" >> ~/.ssh/config
|
||||
```
|
||||
|
||||
Optionally, use `ssh-audit` to check and make sure the client configuration is good:
|
||||
|
||||
``` sh
|
||||
sudo xbps-install -Sy ssh-audit
|
||||
ssh-audit -c
|
||||
```
|
||||
Open a new terminal and run:
|
||||
|
||||
``` sh
|
||||
ssh -p 2222 localhost
|
||||
```
|
Loading…
Reference in New Issue
Block a user