Adding a guide for hardening SSH server and client on Void Linux (This should also transfer to other distros such as Arch Linux).

fac3plant 2024-01-13 15:05:39 -05:00
parent b0bb7ba5bb
commit 5802e69611

59
Void-Linux.md Normal file

@ -0,0 +1,59 @@
# Server
> **Note**
>
> Instructions are based on the information from: https://ozgurkazancci.com/ssh-server-security-audit-hardening-freebsd/
Most of the commands in the server section must be run with root privileges.
Always start by making sure the operating system and packages are updated.
``` sh
xbps-install -Syuv
```
Regenerate host identification keys.
``` sh
rm ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
```
After completing this step, the SSH client may give an error saying that the host identification key has changed and will not allow the connection to go through;
this can be fixed by removing the SSH host from ~/.ssh/known_hosts.
Then generate SSH moduli:
``` sh
ssh-keygen -M generate -O bits=3072 moduli
ssh-keygen -M screen -f moduli moduli-final
mv moduli-final /usr/local/etc/ssh/
```
Restart the SSH service:
``` sh
sv restart sshd
```
Optionally check your server with `ssh-audit`:
``` sh
sudo xbps-install -Sy ssh-audit
ssh-audit localhost # Replace localhost with the IP address or domain name of the SSH server to be checked
```
Alternatively, if the SSH server is publicly accessible, it can be checked and scored on [sshaudit.com](https://www.sshaudit.com/).
# Client
Hardening the SSH client is just as important as hardening the SSH server. Some attack vectors are left open if either the SSH server or client has not taken precautions to mitigate the vulnerability.
Hardening the SSH client for the current user is as simple as running the following command:
``` sh
printf "\nHost *\n Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com\n" >> ~/.ssh/config
```
Optionally, use `ssh-audit` to check and make sure the client configuration is good:
``` sh
sudo xbps-install -Sy ssh-audit
ssh-audit -c
```
Open a new terminal and run:
``` sh
ssh -p 2222 localhost
```
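Review bot: `rm ssh_host_*` in the "Regenerate host identification keys" block is relative to the current working directory, so unless the reader has already changed into /etc/ssh it removes the wrong files (or nothing), and the following `ssh-keygen -f /etc/ssh/...` calls then stop on an overwrite prompt; use `rm /etc/ssh/ssh_host_*` (or `cd /etc/ssh` first). In the moduli block, `mv moduli-final /usr/local/etc/ssh/` is the FreeBSD path carried over from the cited source; on Void Linux sshd reads `/etc/ssh/moduli`, so this should be `mv moduli-final /etc/ssh/moduli`, otherwise the screened moduli are never used. The server section also never edits `/etc/ssh/sshd_config` (no Ciphers, KexAlgorithms, MACs, HostKeyAlgorithms or HostKey lines), so `sv restart sshd` only picks up the regenerated keys; either add that configuration or state that it is intentionally left to the reader. Finally, the closing `ssh -p 2222 localhost` check refers to port 2222, which nothing in this file configures; drop `-p 2222` or document the Port change it assumes.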