mirror of
https://github.com/jtesta/ssh-audit.git
synced 2026-01-02 21:55:10 +01:00
Updated FreeBSD (markdown)
joe81tx
20
FreeBSD.md
20
FreeBSD.md
@@ -7,13 +7,13 @@ These instructions have been tested against the following versions. For versions
|
||||
|
||||
* 15.0-RELEASE
|
||||
|
||||
## Backup ssh config, install ssh-audit
|
||||
Backup ssh config, install ssh-audit
|
||||
|
||||
sudo -s # we need root for most of this
|
||||
cp -a /etc/ssh /etc/ssh.bak # backup ssh config just in case
|
||||
pkg install -y security/py-ssh-audit # install ssh-audit (you can make install if you like)
|
||||
|
||||
## Enable and start sshd, then run ssh-audit, saving the output
|
||||
Enable and start sshd, then run ssh-audit, saving the output
|
||||
|
||||
service sshd enable
|
||||
service sshd start
|
||||
@@ -21,32 +21,32 @@ These instructions have been tested against the following versions. For versions
|
||||
echo "# before hardening" >> ssh-audit.out
|
||||
ssh-audit --no-colors localhost >> ssh-audit.out || true
|
||||
|
||||
## Remove existing key-pairs, disable ECDSA
|
||||
Remove existing key-pairs, disable ECDSA
|
||||
|
||||
rm -f /etc/ssh/ssh_host_*
|
||||
sysrc sshd_ecdsa_enable="no"
|
||||
sysrc sshd_ed25519_enable="yes"
|
||||
sysrc sshd_rsa_enable="yes"
|
||||
|
||||
## Regenerate RSA and Ed25519 keys
|
||||
Regenerate RSA and Ed25519 keys
|
||||
|
||||
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
|
||||
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
|
||||
|
||||
## Remove Diffie-Hellman moduli smaller than 3071
|
||||
Remove Diffie-Hellman moduli smaller than 3071
|
||||
|
||||
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
|
||||
mv /etc/ssh/moduli.safe /etc/ssh/moduli
|
||||
|
||||
## Restrict supported key exchange, cipher, and MAC algorithms
|
||||
Restrict supported key exchange, cipher, and MAC algorithms
|
||||
|
||||
printf "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org\n\nCiphers aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr\n\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n\nHostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nCASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nHostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nPubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n" >> /etc/ssh/sshd_config
|
||||
|
||||
## Optionally: Remove some FreeBSD-specific differences
|
||||
Optionally: Remove some FreeBSD-specific differences
|
||||
|
||||
printf "\n# Remove some FreeBSD-specific differences\nUseDNS no\nVersionAddendum none\n" >> /etc/ssh/sshd_config
|
||||
|
||||
## Restart sshd and run ssh-audit again, appending output
|
||||
Restart sshd and run ssh-audit again, appending output
|
||||
|
||||
service sshd restart
|
||||
echo "# after hardening" >> ssh-audit.out
|
||||
@@ -179,7 +179,7 @@ FreeBSD cirrus-task-4970050563604480 15.0-RELEASE FreeBSD 15.0-RELEASE releng/15
|
||||
```
|
||||
</details>
|
||||
|
||||
## If you want to revert the SSH configuration
|
||||
If you want to revert the SSH configuration
|
||||
|
||||
rm -rf /etc/ssh
|
||||
mv /etc/ssh.bak /etc/ssh
|
||||
@@ -328,7 +328,7 @@ These instructions have been tested against the following versions.
|
||||
* 14.3-RELEASE
|
||||
* 15.0-RELEASE
|
||||
|
||||
## Run the following in a terminal to harden the OpenSSH client for the local user
|
||||
Run the following in a terminal to harden the OpenSSH client for the local user
|
||||
|
||||
mkdir -p -m 0700 ~/.ssh; printf "\nHost *\n Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n\n KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\n MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n\n HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\n PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n" >> ~/.ssh/config
|
||||
|
||||
|
||||
Reference in New Issue
Block a user