Server
Note: Instructions are based on the information from: https://ozgurkazancci.com/ssh-server-security-audit-hardening-freebsd/
Most of the commands in the server section must be run with root privileges. Always start by making sure the operating system and packages are updated.
xbps-install -Syuv
Regenerate the host identification keys. Delete the existing ones first (this also removes the ECDSA key, so only the two keys generated below remain; give the full path so the command does not silently do nothing when run from another directory):
rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
After completing this step, clients that connected before will refuse to connect with an error that the host identification key has changed, because the old key is still cached in ~/.ssh/known_hosts. Remove the stale entry on the client and verify the new fingerprint out of band before accepting it:
ssh-keygen -R <server> # on the client: drop the old known_hosts entry
ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub # on the server: print the new fingerprint
Then generate a fresh set of Diffie-Hellman moduli, which sshd uses for the diffie-hellman-group-exchange-sha256 key exchange. The first command sieves candidate primes of the requested size (use at least 3072 bits), the second screens them for safe primes; screening is CPU-bound and can take hours:
ssh-keygen -M generate -O bits=3072 moduli
ssh-keygen -M screen -f moduli moduli-final
On Void Linux sshd reads /etc/ssh/moduli, so install the screened file under that name:
mv moduli-final /etc/ssh/moduli
Restart the SSH service:
sv restart sshd
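The host-key and moduli steps above as one script, with the checks worth running afterwards. This is an added example, not from the original page or the linked guide; it assumes Void Linux paths (/etc/ssh, runit service sshd), and the variables SSH_DIR, MODULI_BITS and SSH_HARDEN_APPLY are this script's own. Nothing is modified unless SSH_HARDEN_APPLY=1 is set, so the file can also be sourced just for the check functions.

```shell
#!/bin/sh
# Added example: regenerate OpenSSH host keys and DH moduli on Void Linux,
# then verify the result. Assumed: /etc/ssh layout, runit "sshd" service,
# and the SSH_DIR / MODULI_BITS / SSH_HARDEN_APPLY variables below.
set -eu

SSH_DIR="${SSH_DIR:-/etc/ssh}"
MODULI_BITS="${MODULI_BITS:-3072}"

# Remove every existing host key (this also drops the ECDSA key) and create
# a 4096-bit RSA key and an Ed25519 key without a passphrase.
regenerate_host_keys() {
    dir="$1"
    rm -f "$dir"/ssh_host_*
    ssh-keygen -q -t rsa -b 4096 -f "$dir/ssh_host_rsa_key" -N ""
    ssh-keygen -q -t ed25519 -f "$dir/ssh_host_ed25519_key" -N ""
}

# Sieve group-exchange candidates and screen them for safe primes. Work in
# a temporary directory so a partial file never replaces the live moduli.
generate_moduli() {
    dir="$1"; bits="$2"
    tmp=$(mktemp -d)
    ssh-keygen -q -M generate -O bits="$bits" "$tmp/candidates"
    ssh-keygen -q -M screen -f "$tmp/candidates" "$tmp/moduli"
    install -m 0644 "$tmp/moduli" "$dir/moduli"
    rm -rf "$tmp"
}

# Count moduli entries smaller than the given bit size. Field 5 of a moduli
# line holds the modulus size minus one (a 3072-bit entry is stored as 3071).
count_weak_moduli() {
    awk -v min="$2" '!/^#/ && NF >= 7 && $5 + 1 < min { n++ } END { print n + 0 }' "$1"
}

# Each private host key must be mode 0600 and have its .pub beside it; the
# moduli file must exist and be non-empty. Returns non-zero on any problem.
check_host_keys() {
    dir="$1"; rc=0
    for k in "$dir/ssh_host_rsa_key" "$dir/ssh_host_ed25519_key"; do
        if [ ! -f "$k" ] || [ ! -f "$k.pub" ]; then
            echo "missing key or .pub: $k"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$k")
        [ "$mode" = "600" ] || { echo "mode $mode on $k, expected 600"; rc=1; }
    done
    [ -s "$dir/moduli" ] || { echo "missing or empty: $dir/moduli"; rc=1; }
    return "$rc"
}

# Print the new fingerprints so they can be handed to users out of band;
# their clients will otherwise see a "host identification has changed" error.
show_fingerprints() {
    for pub in "$1"/ssh_host_*.pub; do ssh-keygen -lf "$pub"; done
}

if [ "${SSH_HARDEN_APPLY:-0}" = "1" ]; then
    regenerate_host_keys "$SSH_DIR"
    generate_moduli "$SSH_DIR" "$MODULI_BITS"
    check_host_keys "$SSH_DIR"
    weak=$(count_weak_moduli "$SSH_DIR/moduli" "$MODULI_BITS")
    [ "$weak" = "0" ] || echo "warning: $weak moduli entries below $MODULI_BITS bits"
    show_fingerprints "$SSH_DIR"
    sv restart sshd
fi
```

Run it as root with SSH_HARDEN_APPLY=1 to apply; count_weak_moduli is also useful on the distribution's stock /etc/ssh/moduli to see how many entries fall below the size you chose.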
Optionally check your server with ssh-audit:
sudo xbps-install -Sy ssh-audit
ssh-audit localhost # Replace localhost with the IP address or domain name of the SSH server to be checked
Alternatively, if the SSH server is publicly accessible, it can be checked and scored on sshaudit.com.
Client
Hardening the SSH client is just as important as hardening the SSH server. The algorithms actually used are negotiated from what both sides offer, so a client that still offers weak key exchange, cipher or MAC algorithms can end up using them against any server that also lists them. Hardening the SSH client for the current user is as simple as running the following command, which appends a Host * block to ~/.ssh/config (ssh uses the first value it finds for each option, so an earlier Host * block that already sets one of these keywords takes precedence; check the effective values with ssh -G <server>):
printf "\nHost *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com\n" >> ~/.ssh/config
Optionally, use ssh-audit to check and make sure the client configuration is good. ssh-audit -c starts a listener (port 2222 by default) and waits for a client to connect:
sudo xbps-install -Sy ssh-audit
ssh-audit -c
Open a new terminal and connect to the listener; the connection is not expected to succeed, ssh-audit only records the algorithms the client offers and prints its report:
ssh -p 2222 localhost
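As an added, offline complement to the ssh-audit check (example code written for this page, not part of ssh-audit or the original guide), the following script parses an OpenSSH client config and flags algorithm-list entries a hardened client should not offer. The weak-algorithm patterns are the editor's own assumptions (SHA-1 key exchange, NIST-curve ECDH, CBC and legacy ciphers, non-ETM or short-tag MACs, SHA-1 RSA and DSA/ECDSA host keys); the two sample configs are constructed inline, the first being the block the printf command above appends.

```python
"""Flag weak algorithms in an OpenSSH client config (added example)."""
import re
from dataclasses import dataclass

# Keywords whose value is a comma-separated algorithm preference list.
LIST_KEYWORDS = {"ciphers", "kexalgorithms", "macs", "hostkeyalgorithms"}

# Assumed denylist: (regex, reason). First matching pattern wins per algorithm.
WEAK_PATTERNS = {
    "ciphers": [
        (r"-cbc$", "CBC mode cipher"),
        (r"^3des|arcfour|blowfish|cast128", "legacy cipher"),
    ],
    "kexalgorithms": [
        (r"sha1$", "SHA-1 key exchange"),
        (r"^ecdh-sha2-nistp", "NIST P-curve ECDH"),
    ],
    "macs": [
        (r"md5|sha1|^umac-64", "weak MAC primitive or short tag"),
        (r"^(?!.*-etm@)", "encrypt-and-MAC (not an -etm@openssh.com variant)"),
    ],
    "hostkeyalgorithms": [
        (r"^ssh-rsa($|-cert)", "RSA host key with SHA-1 signatures"),
        (r"ssh-dss|ecdsa", "DSA or NIST ECDSA host key"),
    ],
}


@dataclass(frozen=True)
class Finding:
    host: str
    keyword: str
    algorithm: str
    reason: str


def parse_client_config(text):
    """Return {host_pattern: {keyword: [algorithm, ...]}} for list keywords.

    Lines before any Host/Match line are filed under "*". A value starting
    with '-' only removes algorithms from the defaults, so it is skipped;
    '+' and '^' prefixes (append / prepend to defaults) are stripped.
    """
    blocks = {}
    host = "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\w+)\s*(?:=|\s)\s*(.*)", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword in ("host", "match"):
            host = value
            continue
        if keyword not in LIST_KEYWORDS or value.startswith("-"):
            continue
        algos = [a.strip() for a in value.lstrip("+^").split(",") if a.strip()]
        blocks.setdefault(host, {})[keyword] = algos
    return blocks


def audit_config(text):
    """Return one Finding per weak algorithm offered anywhere in the config."""
    findings = []
    for host, lists in parse_client_config(text).items():
        for keyword, algos in lists.items():
            for algo in algos:
                for pattern, reason in WEAK_PATTERNS[keyword]:
                    if re.search(pattern, algo):
                        findings.append(Finding(host, keyword, algo, reason))
                        break
    return findings


# Constructed sample: the block the page's printf command appends.
HARDENED_CONFIG = """
Host *
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
 HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
"""

# Constructed sample of a legacy per-host block that undoes the hardening.
LEGACY_CONFIG = """
Host legacy
  Ciphers aes128-cbc,3des-cbc,aes256-ctr
  KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256
  MACs hmac-sha1,hmac-sha2-256
  HostKeyAlgorithms ssh-rsa,ssh-ed25519
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("legacy", LEGACY_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} weak entries")
        for f in audit_config(cfg):
            print(f"  Host {f.host}: {f.keyword} {f.algorithm} ({f.reason})")
```

Point it at ~/.ssh/config (or at the output of ssh -G <server>, which prints the effective per-host values) to catch a per-host block that quietly re-enables algorithms the global Host * entry was meant to exclude.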