@groundcat
Last active March 10, 2022 05:32
Harden the SSHD login and configuration

Create the user, replacing ubuntu with your desired username. You'll then be asked to assign the user a password:

adduser ubuntu

Add the user to the sudo group so you’ll have administrative privileges:

adduser ubuntu sudo

Generate an ed25519 key pair on your local machine (-o stores the private key in the new OpenSSH format and -a 100 sets the number of KDF rounds protecting the passphrase):

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "[email protected]"

Login as the non-root user:

su ubuntu

Paste the generated public key into the non-root user's ~/.ssh/authorized_keys file:

mkdir -p ~/.ssh
nano ~/.ssh/authorized_keys

Finally, restrict the permissions of the ~/.ssh directory and the authorized_keys file, and make sure $USER owns them. With the default StrictModes yes, sshd ignores an authorized_keys file if the file or its directory is writable by group or others:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chown -R $USER:$USER ~/.ssh

Try connecting over SSH as the non-root user from your local machine, keeping the current root session open. By now key-based SSH login should be working!

Back to root user:

exit

Back up SSH config file:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

If the key login works, update the key and algorithm section of /etc/ssh/sshd_config to the following, or take the full hardened config shown further down.

HostKey /etc/ssh/ssh_host_ed25519_key                           # Present only the ed25519 host key
HostKeyAlgorithms [email protected],ssh-ed25519  # Host key signature algorithms the server offers
KexAlgorithms curve25519-sha256                                 # Allowed KEX (key exchange) algorithms
Ciphers [email protected],[email protected]    # Allowed ciphers
MACs [email protected]                              # Allowed MAC algorithms
# Key types accepted for host-based authentication (ECDSA and ed25519 only):
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
#PubkeyAcceptedKeyTypes [email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519
#CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519

If you would rather replace the whole configuration file with the archived hardened version (review it before restarting sshd):

cd /etc/ssh/
wget -O sshd_config https://web.archive.org/web/20220302194649if_/https://raw.githubusercontent.com/krabelize/sshd-hardening-ed25519/master/sshd_config

Fix ownership and permissions on the config file:

chmod 644 /etc/ssh/sshd_config
chown root:root /etc/ssh/sshd_config

Restart SSH, keeping your existing session open until a fresh login has been confirmed to work:

sudo systemctl restart sshd
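As an added example (my own shell script, not part of this gist or of the linked hardening config), the following audits an sshd_config for the directives listed above and syntax-checks it with sshd's own parser before the restart. It assumes directives are written in the "Keyword value" form (not "Keyword=value"); the HostKeyAlgorithms, Ciphers and MACs values it expects are my own assumptions, since those lines are not fully legible in this copy of the gist. The sample configs it writes are constructed for the demo, not real system files.

```shell
#!/bin/sh
# Added example, not part of the original gist: audit an sshd_config for the
# hardened directives shown above and syntax-check it before restarting sshd.
# Assumptions: "Keyword value" syntax; the HostKeyAlgorithms/Ciphers/MACs
# values in the expected list are my own choices, not copied from the gist.

# Print every uncommented occurrence of a directive, one per line, with any
# trailing "# comment" removed. sshd honours only the first occurrence of a
# single-valued keyword but every HostKey line, so duplicates are worth seeing.
sshd_directive() {
    # $1 = config file, $2 = directive name (matched case-insensitively)
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]*#.*$/, "")
            sub(/[[:space:]]+$/, "")
            print
        }' "$1"
}

# Compare each hardened directive with its expected value. Prints one line per
# directive and returns 0 only when nothing has drifted. A missing directive
# counts as drift, because sshd then silently falls back to its built-in default.
audit_sshd_config() {
    cfg="$1"
    failures=0
    while IFS='|' read -r directive expected; do
        actual=$(sshd_directive "$cfg" "$directive")
        if [ "$actual" = "$expected" ]; then
            printf 'ok     %s %s\n' "$directive" "$actual"
        else
            printf 'DRIFT  %s: got "%s", want "%s"\n' "$directive" "${actual:-<unset>}" "$expected"
            failures=$((failures + 1))
        fi
    done <<EOF
HostKey|/etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms|ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
KexAlgorithms|curve25519-sha256
Ciphers|chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs|hmac-sha2-512-etm@openssh.com
HostbasedAcceptedKeyTypes|ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
EOF
    [ "$failures" -eq 0 ]
}

# Validate the whole file with sshd's parser before "systemctl restart sshd".
# Returns 0 if valid, 1 if sshd rejects it, 2 if sshd is not installed here.
sshd_config_valid() {
    command -v sshd >/dev/null 2>&1 || return 2
    sshd -t -f "$1"
}

# Constructed sample: the hardened section as intended.
write_hardened_sample() {
    cat > "$1" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key                       # ed25519 host key only
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
EOF
}

# Constructed sample after a typical regression: a package upgrade re-enabled the
# RSA host key ahead of the ed25519 one and commented out KexAlgorithms.
write_drifted_sample() {
    cat > "$1" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
#KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
EOF
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config   (no argument runs the demo)
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1" && sshd_config_valid "$1"
else
    tmp=$(mktemp -d)
    write_hardened_sample "$tmp/hardened"
    write_drifted_sample "$tmp/drifted"
    audit_sshd_config "$tmp/hardened"
    audit_sshd_config "$tmp/drifted" || true
    rm -rf "$tmp"
fi
```

Run it as root on the server with the real path, since sshd -t also verifies that the host key files exist and are readable; with no argument it audits the two constructed samples, reporting the drifted one's duplicate HostKey and missing KexAlgorithms. Because the audit reads the file rather than asking the running daemon, it is also a cheap check to keep in configuration management so the hardened values cannot silently regress.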

Test the server's SSH configuration from outside with Rebex SSH Check.
