diff --git a/FreeBSD.md b/FreeBSD.md index 2bb137e..5cec38c 100644 --- a/FreeBSD.md +++ b/FreeBSD.md @@ -7,13 +7,13 @@ These instructions have been tested against the following versions. For versions * 15.0-RELEASE -## Backup ssh config, install ssh-audit +Backup ssh config, install ssh-audit sudo -s # we need root for most of this cp -a /etc/ssh /etc/ssh.bak # backup ssh config just in case pkg install -y security/py-ssh-audit # install ssh-audit (you can make install if you like) -## Enable and start sshd, then run ssh-audit, saving the output +Enable and start sshd, then run ssh-audit, saving the output service sshd enable service sshd start @@ -21,32 +21,32 @@ These instructions have been tested against the following versions. For versions echo "# before hardening" >> ssh-audit.out ssh-audit --no-colors localhost >> ssh-audit.out || true -## Remove existing key-pairs, disable ECDSA +Remove existing key-pairs, disable ECDSA rm -f /etc/ssh/ssh_host_* sysrc sshd_ecdsa_enable="no" sysrc sshd_ed25519_enable="yes" sysrc sshd_rsa_enable="yes" -## Regenerate RSA and Ed25519 keys +Regenerate RSA and Ed25519 keys ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" -## Remove Diffie-Hellman moduli smaller than 3071 +Remove Diffie-Hellman moduli smaller than 3071 awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe mv /etc/ssh/moduli.safe /etc/ssh/moduli -## Restrict supported key exchange, cipher, and MAC algorithms +Restrict supported key exchange, cipher, and MAC algorithms printf "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org\n\nCiphers aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n\nHostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nCASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nHostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nPubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n" >> /etc/ssh/sshd_config -## Optionally: Remove some FreeBSD-specific differences +Optionally: Remove some FreeBSD-specific differences printf "\n# Remove some FreeBSD-specific differences\nUseDNS no\nVersionAddendum none\n" >> /etc/ssh/sshd_config -## Restart sshd and run ssh-audit again, appending output +Restart sshd and run ssh-audit again, appending output service sshd restart echo "# after hardening" >> ssh-audit.out @@ -179,7 +179,7 @@ FreeBSD cirrus-task-4970050563604480 15.0-RELEASE FreeBSD 15.0-RELEASE releng/15 ``` -## If you want to revert the SSH configuration +If you want to revert the SSH configuration rm -rf /etc/ssh mv /etc/ssh.bak /etc/ssh @@ -328,7 +328,7 @@ These instructions have been tested against the following versions. * 14.3-RELEASE * 15.0-RELEASE -## Run the following in a terminal to harden the OpenSSH client for the local user +Run the following in a terminal to harden the OpenSSH client for the local user mkdir -p -m 0700 ~/.ssh; printf "\nHost *\n Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n\n KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n\n HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\n PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n" >> ~/.ssh/config