Void Linux
fac3plant edited this page 2024-01-13 15:05:39 -05:00

Server

Note

Instructions are based on the information from: https://ozgurkazancci.com/ssh-server-security-audit-hardening-freebsd/

Most of the commands in the server section must be run with root privileges. Always start by making sure the operating system and packages are updated.

xbps-install -Syuv

Regenerate the host identification keys. The existing keys live in /etc/ssh, so the glob has to point there (a bare `rm ssh_host_*` only works from inside that directory). Only RSA and Ed25519 keys are recreated; no ECDSA key is generated on purpose.

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

After completing this step, SSH clients that have connected before will refuse to connect and warn that the host identification key has changed. This is fixed by removing the stale entry for the server from ~/.ssh/known_hosts (`ssh-keygen -R <host>` does this). Note that the same warning is exactly what a man-in-the-middle looks like, so only clear it when you know the keys were just regenerated, and compare the fingerprint shown by the client with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the server.

Then generate a fresh set of Diffie-Hellman group-exchange moduli (these are only used when diffie-hellman-group-exchange-sha256 is among the enabled KexAlgorithms). Generating candidates takes minutes and screening them can take hours, so run this in a tmux/screen session:

ssh-keygen -M generate -O bits=3072 moduli
ssh-keygen -M screen -f moduli moduli-final
mv moduli-final /etc/ssh/moduli

The source article targets FreeBSD, where OpenSSH lives under /usr/local/etc/ssh. On Void Linux sshd reads /etc/ssh/moduli, and the file must be installed under exactly that name to be picked up.

Restart the SSH service:

sv restart sshd

Optionally check your server with ssh-audit:

sudo xbps-install -Sy ssh-audit
ssh-audit localhost # Replace localhost with the IP address or domain name of the SSH server to be checked

Alternatively, if the SSH server is publicly accessible, it can be checked and scored on sshaudit.com.
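The moduli step above replaces the file wholesale. When regenerating is impractical (screening can take hours), the usual alternative is to strip the short groups out of the existing /etc/ssh/moduli, since sshd happily offers any group in that file, including 1024- and 2048-bit ones shipped by the distribution. The following is an added example, not from the original page or its source article. The paths are parameters and the moduli file it operates on is a constructed sample, so it runs without touching /etc/ssh; on a real host you would run `filter_moduli /etc/ssh/moduli /etc/ssh/moduli.safe`, inspect the result, then move it into place and restart sshd.

```shell
# Added example (not from the original page): keep only Diffie-Hellman
# group-exchange moduli of at least 3072 bits in an existing moduli file,
# as an alternative to regenerating the file from scratch.
#
# /etc/ssh/moduli format (see moduli(5)):
#   time type tests tries size generator modulus
# The "size" field (5th) is the bit length minus one, so 3071 means 3072 bits.

MIN_MODULUS_SIZE=3071

# Print the number of entries (non-comment lines) whose size is below
# MIN_MODULUS_SIZE, i.e. the groups a hardened config should not offer.
count_weak_moduli() {
    awk -v min="$MIN_MODULUS_SIZE" \
        '$1 !~ /^#/ && NF >= 7 && $5 < min { n++ } END { print n + 0 }' "$1"
}

# Write a filtered copy of $1 to $2, keeping comment lines and every entry
# with size >= MIN_MODULUS_SIZE. Prints the number of entries kept and
# fails if nothing is left, because an empty moduli file would make sshd
# unable to complete any group-exchange key exchange at all.
filter_moduli() {
    in="$1"; out="$2"
    awk -v min="$MIN_MODULUS_SIZE" \
        '$1 ~ /^#/ || (NF >= 7 && $5 >= min)' "$in" > "$out"
    n_kept=$(awk '$1 !~ /^#/ && NF >= 7 { n++ } END { print n + 0 }' "$out")
    if [ "$n_kept" -le 0 ]; then
        echo "refusing to install an empty moduli file" >&2
        return 1
    fi
    echo "$n_kept"
}

# Constructed sample (not a real moduli file): the modulus column is a
# placeholder, only the size column matters to the filter.
tmpdir=$(mktemp -d)
sample="$tmpdir/moduli"
cat > "$sample" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 1023 2 ABCDEF
20240101000000 2 6 100 2047 2 ABCDEF
20240101000000 2 6 100 3071 2 ABCDEF
20240101000000 2 6 100 4095 5 ABCDEF
EOF

weak_before=$(count_weak_moduli "$sample")
kept=$(filter_moduli "$sample" "$tmpdir/moduli.safe")
echo "weak entries dropped: $weak_before, entries kept: $kept"
# On a real host, after checking the output:
#   mv /etc/ssh/moduli.safe /etc/ssh/moduli && sv restart sshd
```

The 3071 threshold matches what ssh-audit flags: it warns about any group-exchange modulus below 3072 bits. Keeping the comment header is cosmetic; the refusal to write an empty file is not, since a machine whose distribution moduli were all 2048-bit would otherwise end up with a file sshd cannot use.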

Client

Hardening the SSH client is just as important as hardening the SSH server. The algorithms actually used for a session are negotiated from what both sides offer, in the client's order of preference, so a client that still offers weak ciphers, MACs or key exchanges will use them against any server that offers nothing better, including a host an attacker controls. The command below appends a `Host *` block to the current user's ~/.ssh/config; since ssh uses the first value it finds for each option, any host-specific overrides belong above it. Hardening the client for the current user is as simple as running the following command (the ~/.ssh directory must already exist):

printf "\nHost *\n  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n  KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n  MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n  HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com\n" >> ~/.ssh/config

Optionally, use ssh-audit to check that the client configuration is good. In client mode ssh-audit does not connect anywhere; it listens on TCP port 2222 and audits whatever client connects to it:

sudo xbps-install -Sy ssh-audit
ssh-audit -c

Open a new terminal and connect to the listener. The connection is expected to fail, because nothing on port 2222 is a real SSH server; ssh-audit only records the algorithms the client offered and prints its report in the first terminal:

ssh -p 2222 localhost
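The printf one-liner above appends a second copy of the `Host *` block every time it is run, and it fails if ~/.ssh does not exist yet. The following is an added example, not from the original page or its source article: it installs the same algorithm lists idempotently, creates the directory and file with the permissions ssh expects, and includes a small helper for reading an option back out of the `Host *` block. The marker comment and the function names are this example's own convention; the config path is a parameter so the run below uses a temporary directory, and on a real system you would pass "$HOME/.ssh/config".

```shell
# Added example (not from the original page): idempotently install the
# hardened "Host *" block from the section above into an SSH client config.

HARDENED_MARKER="# hardened-client-algorithms"   # marker is this example's convention

# The algorithm lists from the page, as a config block.
hardened_client_block() {
    cat <<'EOF'
Host *
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
  MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
  HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
EOF
}

# Append the block to the config file $1 unless the marker is already there.
# Creates the parent directory (0700) and the file (0600) when missing, since
# ssh refuses configs that are writable by other users. Prints "added" or
# "present" so callers can tell whether anything changed.
ensure_hardened_client_config() {
    cfg="$1"
    dir=$(dirname "$cfg")
    [ -d "$dir" ] || mkdir -m 700 -p "$dir"
    if [ ! -f "$cfg" ]; then
        : > "$cfg"
        chmod 600 "$cfg"
    fi
    if grep -qF "$HARDENED_MARKER" "$cfg"; then
        echo present
        return 0
    fi
    { printf '\n%s\n' "$HARDENED_MARKER"; hardened_client_block; } >> "$cfg"
    echo added
}

# Print the value of option $2 inside the "Host *" block of config $1,
# e.g. hardened_option ~/.ssh/config KexAlgorithms
hardened_option() {
    awk -v opt="$2" '
        /^Host / { inhost = ($2 == "*") }
        inhost && $1 == opt { print $2; exit }' "$1"
}

# Constructed run in a temporary directory; nothing under $HOME is touched.
tmpdir=$(mktemp -d)
cfg="$tmpdir/.ssh/config"
first=$(ensure_hardened_client_config "$cfg")
second=$(ensure_hardened_client_config "$cfg")
echo "first run: $first, second run: $second"
echo "preferred KEX: $(hardened_option "$cfg" KexAlgorithms | cut -d, -f1)"
```

Because the block is appended at the end of the file, any `Host somehost` entries written above it still win for the options they set, which is what ssh_config's first-match rule expects. Run `ssh -G somehost` afterwards to see the effective values ssh would actually use for a given destination.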