mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-22 22:15:22 +01:00
print config v2
- printconfig script - test_printconfig for tox testing - update globals for GUIDES_UPDATED date value - update ssh_audit for print_config argument and checks
This commit is contained in:
parent
a01baadfa8
commit
9814d18baf
@ -38,3 +38,6 @@ SNAP_PACKAGE = False
|
|||||||
|
|
||||||
# Error message when installed as a Snap package and a file access fails.
|
# Error message when installed as a Snap package and a file access fails.
|
||||||
SNAP_PERMISSIONS_ERROR = 'Error while accessing file. It appears that ssh-audit was installed as a Snap package. In that case, there are two options: 1.) only try to read & write files in the $HOME/snap/ssh-audit/common/ directory, or 2.) grant permissions to read & write files in $HOME using the following command: "sudo snap connect ssh-audit:home :home"'
|
SNAP_PERMISSIONS_ERROR = 'Error while accessing file. It appears that ssh-audit was installed as a Snap package. In that case, there are two options: 1.) only try to read & write files in the $HOME/snap/ssh-audit/common/ directory, or 2.) grant permissions to read & write files in $HOME using the following command: "sudo snap connect ssh-audit:home :home"'
|
||||||
|
|
||||||
|
# Last update to Hardening Guides
|
||||||
|
GUIDES_UPDATED = "2024-10-01"
|
||||||
|
375
src/ssh_audit/printconfig.py
Normal file
375
src/ssh_audit/printconfig.py
Normal file
@ -0,0 +1,375 @@
|
|||||||
|
import sys
|
||||||
|
|
||||||
|
from ssh_audit import exitcodes
|
||||||
|
from ssh_audit.globals import VERSION
|
||||||
|
from ssh_audit.globals import GUIDES_UPDATED
|
||||||
|
|
||||||
|
|
||||||
|
class PrintConfig:
|
||||||
|
def __init__(self, os_type: str, os_ver: str, clientserver: str) -> None:
|
||||||
|
self.os_type = os_type
|
||||||
|
self.os_ver = os_ver
|
||||||
|
self.clientserver = clientserver
|
||||||
|
|
||||||
|
self.Get_Config()
|
||||||
|
|
||||||
|
def Get_Config(self) -> None:
|
||||||
|
retval = exitcodes.GOOD
|
||||||
|
|
||||||
|
os_type = self.os_type
|
||||||
|
os_ver = self.os_ver
|
||||||
|
clientserver = self.clientserver
|
||||||
|
|
||||||
|
supported_os = ["Amazon", "Debian", "Mint", "Rocky", "Ubuntu"]
|
||||||
|
supported_edition = ["2404", "2204", "2004", "1804", "2023", "22", "21", "20", "9", "Bookworm", "Bullseye"]
|
||||||
|
if clientserver not in ["Server", "Client"] or os_type not in supported_os and os_ver not in supported_edition:
|
||||||
|
PrintConfig.unknown_varient(os_type, os_ver, clientserver)
|
||||||
|
sys.exit(retval)
|
||||||
|
else:
|
||||||
|
print(" ")
|
||||||
|
print(f"\033[1mSSH-Audit Version : {VERSION}\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(f"\033[1mBGuides Last modified : {GUIDES_UPDATED}\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(f"\033[1mLocating configuration for {os_type} {os_ver} - {clientserver}\033[0m")
|
||||||
|
print(" ")
|
||||||
|
|
||||||
|
|
||||||
|
# Server Configs
|
||||||
|
if clientserver in ["Server"]:
|
||||||
|
# Amazon Linux
|
||||||
|
if os_type in ["Amazon"] and os_ver in ["2023"]:
|
||||||
|
PrintConfig.server_modern_common()
|
||||||
|
PrintConfig.amazon_server_2023()
|
||||||
|
sys.exit(retval)
|
||||||
|
# Debian
|
||||||
|
elif os_type in ["Debian"] and os_ver in ["Bookworm"]:
|
||||||
|
PrintConfig.server_modern_common()
|
||||||
|
PrintConfig.bookworm_server()
|
||||||
|
PrintConfig.debian_ubuntu_rate_throttling()
|
||||||
|
sys.exit(retval)
|
||||||
|
elif os_type in ["Debian"] and os_ver in ["Bullseye"]:
|
||||||
|
PrintConfig.server_modern_common()
|
||||||
|
PrintConfig.bullseye_server()
|
||||||
|
sys.exit(retval)
|
||||||
|
# Rocky Linux
|
||||||
|
elif os_type in ["Rocky"] and os_ver in ["9"]:
|
||||||
|
PrintConfig.server_modern_common()
|
||||||
|
PrintConfig.rocky_9_server()
|
||||||
|
sys.exit(retval)
|
||||||
|
# Ubuntu
|
||||||
|
elif os_type in ["Ubuntu"] and os_ver in ["2404"]:
|
||||||
|
PrintConfig.server_modern_common()
|
||||||
|
PrintConfig.ubuntu_server_2404()
|
||||||
|
PrintConfig.debian_ubuntu_rate_throttling()
|
||||||
|
sys.exit(retval)
|
||||||
|
elif os_type in ["Ubuntu"] and os_ver in ["2204"]:
|
||||||
|
PrintConfig.server_modern_common()
|
||||||
|
PrintConfig.ubuntu_server_2204()
|
||||||
|
PrintConfig.debian_ubuntu_rate_throttling()
|
||||||
|
sys.exit(retval)
|
||||||
|
elif os_type in ["Ubuntu"] and os_ver in ["2004"]:
|
||||||
|
PrintConfig.server_modern_common()
|
||||||
|
PrintConfig.ubuntu_server_2004()
|
||||||
|
PrintConfig.debian_ubuntu_rate_throttling()
|
||||||
|
sys.exit(retval)
|
||||||
|
elif os_type in ["Ubuntu"] and os_ver in ["1804"]:
|
||||||
|
PrintConfig.server_legacy_common()
|
||||||
|
PrintConfig.ubuntu_server_1804()
|
||||||
|
sys.exit(retval)
|
||||||
|
else:
|
||||||
|
PrintConfig.unknown_varient(os_type, os_ver, clientserver)
|
||||||
|
sys.exit(retval)
|
||||||
|
|
||||||
|
|
||||||
|
# Client Configs
|
||||||
|
if clientserver in ["Client"]:
|
||||||
|
# Amazon
|
||||||
|
if os_type in ["Amazon"] and os_ver in ["2023"]:
|
||||||
|
PrintConfig.amazon_2023_client()
|
||||||
|
sys.exit(retval)
|
||||||
|
# Debian
|
||||||
|
elif os_type in ["Debian"] and os_ver in ["Bookworm"]:
|
||||||
|
PrintConfig.debian_bookworm_client()
|
||||||
|
sys.exit(retval)
|
||||||
|
# Mint
|
||||||
|
elif os_type in ["Mint"] and os_ver in ["22"]:
|
||||||
|
PrintConfig.ubuntu_2404_mint_22_client()
|
||||||
|
sys.exit(retval)
|
||||||
|
elif os_type in ["Mint"] and os_ver in ["21"]:
|
||||||
|
PrintConfig.ubuntu_2204_mint_21_client()
|
||||||
|
sys.exit(retval)
|
||||||
|
elif os_type in ["Mint"] and os_ver in ["20"]:
|
||||||
|
PrintConfig.ubuntu_2004_mint_20_client()
|
||||||
|
sys.exit(retval)
|
||||||
|
# Rocky
|
||||||
|
elif os_type in ["Rocky"] and os_ver in ["9"]:
|
||||||
|
PrintConfig.rocky_9_client()
|
||||||
|
sys.exit(retval)
|
||||||
|
# Ubuntu
|
||||||
|
elif os_type in ["Ubuntu"] and os_ver in ["2404"]:
|
||||||
|
PrintConfig.ubuntu_2404_mint_22_client()
|
||||||
|
sys.exit(retval)
|
||||||
|
elif os_type in ["Ubuntu"] and os_ver in ["2204"]:
|
||||||
|
PrintConfig.ubuntu_2204_mint_21_client()
|
||||||
|
sys.exit(retval)
|
||||||
|
elif os_type in ["Ubuntu"] and os_ver in ["2004"]:
|
||||||
|
PrintConfig.ubuntu_2004_mint_20_client()
|
||||||
|
sys.exit(retval)
|
||||||
|
else:
|
||||||
|
PrintConfig.unknown_varient(os_type, os_ver, clientserver)
|
||||||
|
sys.exit(retval)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def unknown_varient(os_type: str, os_ver: str, clientserver: str) -> None:
|
||||||
|
print(" ")
|
||||||
|
print(f"\033[1mSSH-Audit Version : {VERSION}\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(f"\033[1mGuides Last modified : {GUIDES_UPDATED}\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(f"\033[1mError unknown varient : {os_type} {os_ver} {clientserver} \033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("For current, community developed and legacy guides")
|
||||||
|
print("check the website : https://www.ssh-audit.com/hardening_guides.html")
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mSupported Server Configurations : \033[0m")
|
||||||
|
print(r"Amazon 2023 Server")
|
||||||
|
print(r"Debian Bookworm Server")
|
||||||
|
print(r"Debian Bullseye Server")
|
||||||
|
print(r"Rocky 9 Server")
|
||||||
|
print(r"Ubuntu 2404 Server")
|
||||||
|
print(r"Ubuntu 2204 Server")
|
||||||
|
print(r"Ubuntu 2004 Server")
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mSupported Client Configurations : \033[0m")
|
||||||
|
print(r"Amazon 2023 Client")
|
||||||
|
print(r"Debian Bookworm Client")
|
||||||
|
print(r"Mint 22 Client")
|
||||||
|
print(r"Mint 21 Client")
|
||||||
|
print(r"Mint 20 Client")
|
||||||
|
print(r"Rocky 9 Client")
|
||||||
|
print(r"Ubuntu 2404 Client")
|
||||||
|
print(r"Ubuntu 2204 Client")
|
||||||
|
print(r"Ubuntu 2004 Client")
|
||||||
|
|
||||||
|
|
||||||
|
# Client Configurations
|
||||||
|
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def amazon_2023_client() -> None:
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRun the following in a terminal to harden the SSH client for the local user:\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'mkdir -p -m 0700 ~/.ssh; echo -e "\nHost *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\n KexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,gss-group16-sha512-,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n\n HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\n HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\n PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\n" >> ~/.ssh/config')
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def debian_bookworm_client() -> None:
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRun the following in a terminal to harden the SSH client for the local user:\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'mkdir -p -m 0700 ~/.ssh; echo -e "\nHost *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\n KexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,gss-group16-sha512-,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n\n RequiredRSASize 3072\n\n HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\n HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\n PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\n" >> ~/.ssh/config')
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def rocky_9_client() -> None:
|
||||||
|
print("\033[1mRun the following in a terminal to harden the SSH client for the local user:\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'mkdir -p -m 0700 ~/.ssh; echo -e "\nHost *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\n KexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,gss-group16-sha512-,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n\n RequiredRSASize 3072\n\n HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\n HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\n PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\n" >> ~/.ssh/config')
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def ubuntu_2404_mint_22_client() -> None:
|
||||||
|
print("\033[1mRun the following in a terminal to harden the SSH client for the local user:\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'mkdir -p -m 0700 ~/.ssh; echo -e "\nHost *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\n KexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,gss-group16-sha512-,diffie-hellman-group16-sha512\n\n MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n\n RequiredRSASize 3072\n\n HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\n HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n" >> ~/.ssh/config')
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def ubuntu_2204_mint_21_client() -> None:
|
||||||
|
print("\033[1mRun the following in a terminal to harden the SSH client for the local user:\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'mkdir -p -m 0700 ~/.ssh; echo -e "\nHost *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\n KexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,gss-group16-sha512-,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n\n HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\n HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\n PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\n" >> ~/.ssh/config')
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def ubuntu_2004_mint_20_client() -> None:
|
||||||
|
print("\033[1mRun the following in a terminal to harden the SSH client for the local user:\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'mkdir -p -m 0700 ~/.ssh; echo -e "\nHost *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com\n" >> ~/.ssh/config')
|
||||||
|
|
||||||
|
|
||||||
|
# Server Configurations
|
||||||
|
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def server_modern_common() -> None:
|
||||||
|
print("\033[1mRe-generate the ED25519 and RSA keys\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("rm /etc/ssh/ssh_host_*")
|
||||||
|
print(r'ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""')
|
||||||
|
print(r'ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""')
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRemove small Diffie-Hellman moduli\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r"awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe")
|
||||||
|
print("mv /etc/ssh/moduli.safe /etc/ssh/moduli")
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mEnable the ED25519 and RSA keys\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("Enable the ED25519 and RSA HostKey directives in the /etc/ssh/sshd_config file:")
|
||||||
|
print(" ")
|
||||||
|
print(r'echo -e "\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config')
|
||||||
|
print(" ")
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def server_legacy_common() -> None:
|
||||||
|
print("\033[1mRe-generate the ED25519 and RSA keys\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r"rm /etc/ssh/ssh_host_*")
|
||||||
|
print(r'ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""')
|
||||||
|
print(r'ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""')
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRemove small Diffie-Hellman moduli\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r"awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe")
|
||||||
|
print("mv /etc/ssh/moduli.safe /etc/ssh/moduli")
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mDisable the DSA and ECDSA host keys\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("Comment out the DSA and ECDSA HostKey directives in the /etc/ssh/sshd_config file:")
|
||||||
|
print(" ")
|
||||||
|
print(r"sed -i 's/^HostKey \/etc\/ssh\/ssh_host_\(dsa\|ecdsa\)_key$/\#HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config")
|
||||||
|
print(" ")
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def debian_ubuntu_rate_throttling() -> None:
|
||||||
|
print("\033[1mImplement connection rate throttling\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set")
|
||||||
|
print("iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP")
|
||||||
|
print("ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set")
|
||||||
|
print("ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP")
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mEnable persistence of the iptables rules across server reboots: \033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("DEBIAN_FRONTEND=noninteractive apt install -q -y netfilter-persistent iptables-persistent service netfilter-persistent save")
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRestart OpenSSH server\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("service ssh restart")
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def ubuntu_server_2404() -> None:
|
||||||
|
print("\033[1mRestrict supported key exchange, cipher, and MAC algorithms\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'echo -e "# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,gss-group16-sha512-,diffie-hellman-group16-sha512\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n\nRequiredRSASize 3072\n\nHostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nCASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nPubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf')
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRestart OpenSSH server\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("service ssh restart")
|
||||||
|
print(" ")
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def ubuntu_server_2204() -> None:
|
||||||
|
print("\033[1mRestrict supported key exchange, cipher, and MAC algorithms\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'echo -e "# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n\nHostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nCASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\nPubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf')
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRestart OpenSSH server\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("service ssh restart")
|
||||||
|
print(" ")
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def ubuntu_server_2004() -> None:
|
||||||
|
print("\033[1mRestrict supported key exchange, cipher, and MAC algorithms\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'echo -e "# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,gss-group16-sha512-,diffie-hellman-group16-sha512\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n\nRequiredRSASize 3072\n\nHostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nCASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nPubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf')
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRestart OpenSSH server\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("service ssh restart")
|
||||||
|
print(" ")
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def ubuntu_server_1804() -> None:
|
||||||
|
print("\033[1mRestrict supported key exchange, cipher, and MAC algorithms\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'echo -e "# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com" >> /etc/ssh/sshd_config')
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRestart OpenSSH server\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("service ssh restart")
|
||||||
|
print(" ")
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def bookworm_server() -> None:
|
||||||
|
print("\033[1mRestrict supported key exchange, cipher, and MAC algorithms\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'echo -e "# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,gss-group16-sha512-,diffie-hellman-group16-sha512\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n\nRequiredRSASize 3072\n\nHostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nCASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nPubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf')
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRestart OpenSSH server\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("service ssh restart")
|
||||||
|
print(" ")
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def bullseye_server() -> None:
|
||||||
|
print("\033[1mRestrict supported key exchange, cipher, and MAC algorithms\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'echo -e "# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n\nHostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nCASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\nPubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf')
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRestart OpenSSH server\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("service ssh restart")
|
||||||
|
print(" ")
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def rocky_9_server() -> None:
|
||||||
|
print("\033[1mRestrict supported key exchange, cipher, and MAC algorithms\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'echo -e "# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n\nHostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nRequiredRSASize 3072\n\nCASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\nPubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n" > /etc/crypto-policies/back-ends/opensshserver.config')
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRestart OpenSSH server\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("systemctl restart sshd")
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mImplement connection rate throttling\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -m state --state NEW -m recent --set")
|
||||||
|
print("firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP")
|
||||||
|
print("firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p tcp --dport 22 -m state --state NEW -m recent --set")
|
||||||
|
print("firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP")
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mReload firewalld to enable new rules:\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("systemctl reload firewalld")
|
||||||
|
print(" ")
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def amazon_server_2023() -> None:
|
||||||
|
print("\033[1mRestrict supported key exchange, cipher, and MAC algorithms\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print(r'echo -e "# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n\nHostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nCASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\nPubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n" > /etc/crypto-policies/back-ends/opensshserver.config')
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mRestart OpenSSH server\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("systemctl restart sshd")
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mImplement connection rate throttling\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("dnf install -y iptables")
|
||||||
|
print("iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set")
|
||||||
|
print("iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP")
|
||||||
|
print("ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set")
|
||||||
|
print("ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP")
|
||||||
|
print(" ")
|
||||||
|
print("\033[1mEnable persistence of the iptables rules across server reboots:\033[0m")
|
||||||
|
print(" ")
|
||||||
|
print("dnf install -y iptables-services")
|
||||||
|
print("iptables-save > /etc/sysconfig/iptables")
|
||||||
|
print("ip6tables-save > /etc/sysconfig/ip6tables")
|
||||||
|
print("systemctl enable iptables")
|
||||||
|
print("systemctl enable ip6tables")
|
||||||
|
print("systemctl start iptables")
|
||||||
|
print("systemctl start ip6tables")
|
||||||
|
print(" ")
|
@ -53,6 +53,7 @@ from ssh_audit.gextest import GEXTest
|
|||||||
from ssh_audit.hostkeytest import HostKeyTest
|
from ssh_audit.hostkeytest import HostKeyTest
|
||||||
from ssh_audit.outputbuffer import OutputBuffer
|
from ssh_audit.outputbuffer import OutputBuffer
|
||||||
from ssh_audit.policy import Policy
|
from ssh_audit.policy import Policy
|
||||||
|
from ssh_audit.printconfig import PrintConfig
|
||||||
from ssh_audit.product import Product
|
from ssh_audit.product import Product
|
||||||
from ssh_audit.protocol import Protocol
|
from ssh_audit.protocol import Protocol
|
||||||
from ssh_audit.software import Software
|
from ssh_audit.software import Software
|
||||||
@ -816,7 +817,10 @@ def process_commandline(out: OutputBuffer, args: List[str]) -> 'AuditConf': # p
|
|||||||
parser.add_argument("--skip-rate-test", action="store_true", dest="skip_rate_test", default=False, help="skip the connection rate test during standard audits (used to safely infer whether the DHEat attack is viable)")
|
parser.add_argument("--skip-rate-test", action="store_true", dest="skip_rate_test", default=False, help="skip the connection rate test during standard audits (used to safely infer whether the DHEat attack is viable)")
|
||||||
parser.add_argument("--threads", action="store", dest="threads", metavar="N", type=int, default=32, help="number of threads to use when scanning multiple targets (-T/--targets) (default: %(default)s)")
|
parser.add_argument("--threads", action="store", dest="threads", metavar="N", type=int, default=32, help="number of threads to use when scanning multiple targets (-T/--targets) (default: %(default)s)")
|
||||||
|
|
||||||
# The mandatory target option. Or rather, mandatory when -L, -T, or --lookup are not used.
|
# Print Suggested Configurations from : https://www.ssh-audit.com/hardening_guides.html
|
||||||
|
parser.add_argument("--print-config", nargs="*", action="append", metavar="OS Ver Client/Server", dest="print_configuration", type=str, default=None, help="print suggested server or client configurations. Usage Example : Ubuntu 2404 Server")
|
||||||
|
|
||||||
|
# The mandatory target option. Or rather, mandatory when -L, -T, --lookup or --print-config are not used.
|
||||||
parser.add_argument("host", nargs="?", action="store", type=str, default="", help="target hostname or IPv4/IPv6 address")
|
parser.add_argument("host", nargs="?", action="store", type=str, default="", help="target hostname or IPv4/IPv6 address")
|
||||||
|
|
||||||
# If no arguments were given, print the help and exit.
|
# If no arguments were given, print the help and exit.
|
||||||
@ -828,6 +832,23 @@ def process_commandline(out: OutputBuffer, args: List[str]) -> 'AuditConf': # p
|
|||||||
try:
|
try:
|
||||||
argument = parser.parse_args(args=args)
|
argument = parser.parse_args(args=args)
|
||||||
|
|
||||||
|
if argument.print_configuration is not None:
|
||||||
|
print_conf = (getattr(argument, 'print_configuration'))[0]
|
||||||
|
if len(print_conf) <= 2:
|
||||||
|
print_conf = "OS Version Edition"
|
||||||
|
print_conf = print_conf.split(" ")
|
||||||
|
os_type = print_conf[0]
|
||||||
|
os_ver = print_conf[1]
|
||||||
|
clientserver = print_conf[2]
|
||||||
|
else:
|
||||||
|
print_conf = (getattr(argument, 'print_configuration'))[0]
|
||||||
|
os_type = print_conf[0]
|
||||||
|
os_ver = print_conf[1]
|
||||||
|
clientserver = print_conf[2]
|
||||||
|
|
||||||
|
PrintConfig(os_type, os_ver, clientserver)
|
||||||
|
|
||||||
|
|
||||||
# Set simple flags.
|
# Set simple flags.
|
||||||
aconf.client_audit = argument.client_audit
|
aconf.client_audit = argument.client_audit
|
||||||
aconf.ipv4 = argument.ipv4
|
aconf.ipv4 = argument.ipv4
|
||||||
@ -915,8 +936,8 @@ def process_commandline(out: OutputBuffer, args: List[str]) -> 'AuditConf': # p
|
|||||||
parser.print_help()
|
parser.print_help()
|
||||||
sys.exit(exitcodes.UNKNOWN_ERROR)
|
sys.exit(exitcodes.UNKNOWN_ERROR)
|
||||||
|
|
||||||
if argument.host == "" and argument.client_audit is False and argument.targets is None and argument.list_policies is False and argument.lookup is None and argument.manual is False:
|
if argument.host == "" and argument.client_audit is False and argument.targets is None and argument.list_policies is False and argument.lookup is None and argument.manual is False and argument.print_configuration is None:
|
||||||
out.fail("target host must be specified, unless -c, -m, -L, -T, or --lookup are used", write_now=True)
|
out.fail("target host must be specified, unless -c, -m, -L, -T, --lookup or --print-configuration are used", write_now=True)
|
||||||
sys.exit(exitcodes.UNKNOWN_ERROR)
|
sys.exit(exitcodes.UNKNOWN_ERROR)
|
||||||
|
|
||||||
if aconf.manual:
|
if aconf.manual:
|
||||||
|
38
test/test_printconfig.py
Normal file
38
test/test_printconfig.py
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
import pytest
|
||||||
|
from ssh_audit.ssh_audit import process_commandline
|
||||||
|
|
||||||
|
|
||||||
|
# pylint: disable=attribute-defined-outside-init
|
||||||
|
class TestAuditConf:
|
||||||
|
@pytest.fixture(autouse=True)
|
||||||
|
def init(self, ssh_audit):
|
||||||
|
self.OutputBuffer = ssh_audit.OutputBuffer()
|
||||||
|
self.process_commandline = process_commandline
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def _test_conf(conf, **kwargs):
|
||||||
|
options = {
|
||||||
|
'print_config': ''
|
||||||
|
}
|
||||||
|
for k, v in kwargs.items():
|
||||||
|
options[k] = v
|
||||||
|
assert conf.print_config == options['print_config']
|
||||||
|
|
||||||
|
def test_printconfig_conf_process_commandline(self):
|
||||||
|
# pylint: disable=too-many-statements
|
||||||
|
c = lambda x: self.process_commandline(self.OutputBuffer, x.split()) # noqa
|
||||||
|
with pytest.raises(SystemExit):
|
||||||
|
conf = c('')
|
||||||
|
with pytest.raises(SystemExit):
|
||||||
|
conf = c('--print-config')
|
||||||
|
self._test_conf(conf)
|
||||||
|
|
||||||
|
for vendor in ["Amazon", "Debian", "Rocky", "Mint", "Ubuntu", "NoOS"]:
|
||||||
|
vendor = vendor
|
||||||
|
for os_ver in ["2404", "2204", "2004", "1804", "2023", "22", "21", "20", "9", "Bookworm", "Bullseye", "NoVersion"]:
|
||||||
|
os_ver = os_ver
|
||||||
|
for cs_type in ["Client", "Server", "Mistake"]:
|
||||||
|
cs_type = cs_type
|
||||||
|
with pytest.raises(SystemExit):
|
||||||
|
conf = c(f'--print-config {vendor} {os_ver} {cs_type}')
|
||||||
|
self._test_conf(conf)
|
Loading…
Reference in New Issue
Block a user