SSH Hardening
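#!/usr/bin/env bash
# SSH hardening: regenerate host keys (RSA-4096 + Ed25519 only), drop weak
# DH group-exchange moduli, and restrict sshd to a modern KEX/cipher/MAC set.
#
# Must run as root. Edits /etc/ssh/sshd_config in place (a timestamped backup
# is taken first), replaces /etc/ssh/moduli, and restarts the ssh service.
# The resulting config is validated with `sshd -t` before the restart so a
# bad edit cannot lock every administrator out of the host.
set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly MODULI=/etc/ssh/moduli

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "this script must run as root"

# Keep a copy of the config so the changes below can be reverted.
cp -p -- "$SSHD_CONFIG" "${SSHD_CONFIG}.bak.$(date +%Y%m%d%H%M%S)"

## Remove Existing Host Files
# NOTE: every existing host key is deleted, so clients that already have this
# host in known_hosts will get a "host key changed" warning afterwards.
rm -f -- /etc/ssh/ssh_host_*

## Regenerate Host Files
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

## Disable the DSA/ECDSA HostKey lines (their key files no longer exist).
# GNU sed: -i and the \| alternation are not portable to BSD sed.
sed -i 's,^HostKey /etc/ssh/ssh_host_\(dsa\|ecdsa\)_key$,#HostKey /etc/ssh/ssh_host_\1_key,' "$SSHD_CONFIG"

## Moduli Update
# Keep only DH groups of at least 3072 bits (field 5 is the modulus size; the
# file records 3071 for a 3072-bit prime). Only swap the file in when the
# filter leaves something behind, so a mismatched moduli format cannot
# replace it with an empty file.
awk '$5 >= 3071' "$MODULI" > "${MODULI}.safe"
if [[ -s "${MODULI}.safe" ]]; then
  mv -- "${MODULI}.safe" "$MODULI"
else
  rm -f -- "${MODULI}.safe"
  printf 'warning: no moduli >= 3072 bits found in %s; file left unchanged\n' "$MODULI" >&2
fi

## Key Exchange Update
# Appended with a quoted heredoc instead of `echo -e` (echo's -e handling is
# not portable and the text contains no expansions anyway). Algorithm names
# must be the full @-suffixed OpenSSH names; sshd refuses to start on an
# unknown name.
# NOTE: HostKeyAlgorithms lists only Ed25519, so the RSA host key generated
# above is never offered; add rsa-sha2-512,rsa-sha2-256 here if RSA clients
# must still be able to connect.
cat >> "$SSHD_CONFIG" <<'EOF'

# Restrict key exchange, cipher, and MAC algorithms.
# hardening guide.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
EOF

## Restart SSH Service
# Test-parse the new config first; `sshd -t` exits non-zero on any error,
# and restarting on a broken config would drop all new SSH access.
sshd -t -f "$SSHD_CONFIG" || die "sshd config test failed; restore the backup before restarting"
# Service name is distribution-specific (ssh on Debian/Ubuntu, sshd elsewhere).
service ssh restart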
# Additional Config:
# Directives for /etc/ssh/sshd_config, not shell commands. sshd uses the
# FIRST value it reads for a keyword, so each of these must replace (or come
# before) any existing line for the same keyword; simply appending them does
# not override an earlier setting.
PermitRootLogin no
# Pre-8.7 name; OpenSSH 8.7+ calls this KbdInteractiveAuthentication and keeps
# the old name as an alias.
ChallengeResponseAuthentication no
PasswordAuthentication no
# NOTE(review): disables PAM entirely. On PAM-based distributions this also
# skips PAM account/session handling for SSH logins - confirm that is intended.
UsePAM no
# Public key is the only accepted method; with the two lines above there is no
# password path at all.
AuthenticationMethods publickey
PubkeyAuthentication yes
PermitEmptyPasswords no
# Keepalive probe every 300 seconds.
ClientAliveInterval 300
# NOTE(review): on OpenSSH 8.2+ a count of 0 DISABLES termination of
# unresponsive sessions, so no idle timeout is enforced here; use 1 or more
# if a timeout is the intent.
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
# NOTE(review): left enabled; set to "no" unless X11 forwarding is actually
# required on this host.
X11Forwarding yes