---
title: "Hardening OpenSSH, all in one place"
date: 2017-11-20
url: hardening-openssh-all-in-one-place
layout: post
category: Security
image: /img/blog/hardening-openssh-all-in-one-place.png
description: "A unified guide to securing an OpenSSH server"
---

[![A missing blog post image](/img/blog/hardening-openssh-all-in-one-place.png)](/img/blog/hardening-openssh-all-in-one-place.png)

After having hardened _Apache_ in the [previous post over here]({% post_url 2017-11-14-hardening-apache-all-in-one-place %}), we'll take a look at _OpenSSH_.

> Why ? :thinking:

>> 'Cause if you secure your web server, it's good to enforce some "good" rules on your SSH server too, otherwise securing your web server would be pointless :grinning:

### Content

In order to set up a "hardened" _OpenSSH_, edit your `/etc/ssh/sshd_config`, after **having backed up your current configuration** (`cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup`), and paste the following (please, **do adapt it to what you actually need / want**) :

{% highlight config %}
# You should set another port here
Port 22
Protocol 2

HostKey /etc/ssh/ssh_host_ed25519_key

UsePrivilegeSeparation yes

# If you run a Debian distribution...
DebianBanner no

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin no
StrictModes yes
MaxAuthTries 3

# Protocol 1 only: recent OpenSSH releases report this option as deprecated
RSAAuthentication no
PubkeyAuthentication yes
# Should be set to `no` once your public key is in place
PasswordAuthentication yes

IgnoreRhosts yes
HostbasedAuthentication no

PermitEmptyPasswords no
ChallengeResponseAuthentication no

X11Forwarding no
AllowTcpForwarding no

PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

PermitUserEnvironment no
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UseDNS yes
UsePAM yes

# If you want to limit the connection to specific users (or groups) from specific networks...
# Careful: once AllowUsers is set, only the listed users may log in at all, and
# root is still refused by "PermitRootLogin no" above, so list your own user(s)
# here (or drop the line and rely on AllowGroups alone).
AllowUsers root@192.168.0/24
AllowGroups ssh@192.168.0/24

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
{% endhighlight %}
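As an added example (not part of the original post), here is a small POSIX shell audit that reads an `sshd_config` and reports which of the settings above deviate from the hardened values. It mirrors how `sshd` resolves options: keywords are case-insensitive, `Key value` and `Key=value` are both accepted, the first occurrence of a keyword wins, and anything after the first `Match` line is conditional and is ignored here. The `EXPECTED` list (which uses `PasswordAuthentication no`, as the comment above asks for) and the function names are my own assumptions.

```shell
#!/bin/sh
# Audit the global section of an sshd_config against hardened values.
# Added example; the EXPECTED list and function names are assumptions made
# here, derived from the configuration shown above.

# One "Keyword value" per line, lower-case values.
EXPECTED='
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
AllowTcpForwarding no
MaxAuthTries 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitUserEnvironment no
'

# effective_value FILE KEYWORD
# Print the value sshd would use for KEYWORD in the global section of FILE:
# keywords are case-insensitive, "Key value" and "Key=value" are both valid,
# the FIRST occurrence wins, and everything after the first "Match" line is
# conditional, so it is skipped. Prints nothing when the keyword is absent
# (sshd then falls back to its compiled-in default).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # drop comments, normalise "="
        tolower($1) == "match" { exit }                 # start of conditional blocks
        NF >= 2 && tolower($1) == key {
            $1 = ""; sub(/^[ \t]+/, "")                 # keep only the value
            print; exit                                 # first occurrence wins
        }
    ' "$1"
}

# count_sshd_deviations FILE
# Write one OK/WARN line per expected setting to stderr and print the number
# of settings whose effective value differs from EXPECTED.
count_sshd_deviations() {
    file=$1
    n=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(effective_value "$file" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got" >&2
        else
            echo "WARN $key: expected '$want', got '${got:-<compiled default>}'" >&2
            n=$((n + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    echo "$n"
}

# Usage: count_sshd_deviations /etc/ssh/sshd_config
# A result of 0 means every expected setting is in force in the global section.
```

Run it against the live file before and after editing; a setting that is only present inside a `Match` block, or spelled a second time lower in the file, shows up as a deviation, which is exactly the kind of mistake `sshd -t` does not catch.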

Once you have adapted and pasted the content above, you'll have to get rid of the less secure moduli (the Diffie-Hellman group-exchange candidates that `diffie-hellman-group-exchange-sha256` in the `KexAlgorithms` line above still relies on).

In order to achieve this, copy / paste the _BASH_ snippet below (taken from [here](https://stribika.github.io/2015/01/04/secure-secure-shell.html) and condensed to one line) :

{% highlight bash %}
cd /etc/ssh/
if [[ -e ./moduli ]]; then cp moduli moduli.backup && awk '$5 > 2000' moduli > moduli.tmp; if [[ $(wc -l moduli.tmp | cut -d ' ' -f 1) -ne 0 ]]; then mv moduli.tmp moduli; else echo "No secure Moduli available..."; fi; else ssh-keygen -G moduli.all -b 4096 && ssh-keygen -T moduli.safe -f moduli.all && mv moduli.safe moduli && rm moduli.all; fi
{% endhighlight %}
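Before running the one-liner, it helps to see what it will keep and what it will throw away. The shell helpers below are an added example (not part of the original post nor of Stribika's script): they tally the `/etc/ssh/moduli` entries by size and apply the same `$5 > 2000` rule, refusing to write an empty file. The sample file is constructed and its modulus column is placeholder hex rather than real safe primes; the field layout (`time type tests trials size generator modulus`, with `size` being the bit length minus one) is the real one.

```shell
#!/bin/sh
# Inspect and prune /etc/ssh/moduli entries by size.
# Added example. Layout of a moduli line (comments start with "#"):
#   time type tests trials size generator modulus
# "size" is the bit length minus one, so 2047 denotes a 2048-bit group and
# the post's awk filter "$5 > 2000" keeps 2048-bit groups and larger.

# Constructed sample in that layout; the modulus column is placeholder hex,
# not real safe primes.
SAMPLE_MODULI='# time type tests trials size generator modulus
20171120000000 2 6 100 1023 2 CAFE0001
20171120000000 2 6 100 1535 2 CAFE0002
20171120000000 2 6 100 2047 2 CAFE0003
20171120000000 2 6 100 2047 5 CAFE0004
20171120000000 2 6 100 4095 2 CAFE0005'

# moduli_histogram FILE : print "size count" pairs, smallest first.
moduli_histogram() {
    awk '!/^#/ && NF >= 7 { n[$5]++ } END { for (s in n) print s, n[s] }' "$1" | sort -n
}

# strong_moduli_count FILE : entries the post's filter keeps (size > 2000).
strong_moduli_count() {
    awk '!/^#/ && NF >= 7 && $5 > 2000 { c++ } END { print c + 0 }' "$1"
}

# weak_moduli_count FILE : entries the filter would drop.
weak_moduli_count() {
    awk '!/^#/ && NF >= 7 && $5 <= 2000 { c++ } END { print c + 0 }' "$1"
}

# prune_moduli SRC DST : copy the header comments and the strong entries of
# SRC to DST. Refuses (return 1, DST untouched) when nothing would survive,
# which is the case the post's one-liner reports as "No secure Moduli".
prune_moduli() {
    if [ "$(strong_moduli_count "$1")" -eq 0 ]; then
        echo "prune_moduli: no modulus above 2000 bits in $1, refusing to write $2" >&2
        return 1
    fi
    awk '/^#/ || (NF >= 7 && $5 > 2000)' "$1" > "$2"
}

# Usage on a real system (as root, after backing the file up as the post does):
#   moduli_histogram /etc/ssh/moduli
#   prune_moduli /etc/ssh/moduli /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
```

If `strong_moduli_count` is 0 on your system, you are in the `else` branch of the one-liner and need to generate fresh candidates with `ssh-keygen -G` / `ssh-keygen -T`, which can take a long time on small machines.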

Let's do the same with your host keys (**:warning: DANGEROUS OPERATION :warning:**, still from `/etc/ssh/`; clients that already know this host will see a changed host key and will have to update their `known_hosts`) :

{% highlight bash %}
rm ssh_host_*key*
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
{% endhighlight %}

Now, you have to manually add the user accounts that will have the right to connect through SSH (the `ssh` group is the one matched by the `AllowGroups` line above) :

`(# addgroup ssh)`

`# usermod -aG ssh <yourUser>`

(`-a` matters here: without it, `usermod -G` replaces the user's whole list of supplementary groups instead of adding one.)

Once you have gone through all the previous steps, check your _OpenSSH_ configuration with :

`# sshd -t`

If that is okay too, you may now reload the SSH daemon :

`(# service ssh reload)`

`# systemctl reload ssh`

Now **DON'T CLOSE YOUR CURRENT REMOTE SESSION**, and try to open a new one :wink:

Also, if everything is still okay, you can delete the old backups !

`# rm {sshd_config,moduli}.backup`
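The last steps (validate, reload, keep the current session open) can be wrapped so that a rejected or non-reloadable configuration is never left in place. The function below is an added example, not the post's own: it relies on `sshd -t -f FILE` (test mode against an arbitrary file) and on `systemctl reload ssh` as shown above, and `SSHD` / `RELOAD_CMD` are overridable so it can be exercised without a real daemon.

```shell
#!/bin/sh
# Install a new sshd_config only if sshd accepts it, and roll back if the
# reload fails. Added example; SSHD and RELOAD_CMD are assumptions that can
# be overridden from the environment.
SSHD=${SSHD:-/usr/sbin/sshd}
RELOAD_CMD=${RELOAD_CMD:-systemctl reload ssh}

# apply_sshd_config NEW_CONFIG [LIVE_CONFIG]
# Returns 0 when the new file is installed and the daemon reloaded, 1 otherwise
# (in which case LIVE_CONFIG is left as it was).
apply_sshd_config() {
    new=$1
    live=${2:-/etc/ssh/sshd_config}
    backup="$live.backup"

    # 1. Let sshd parse the candidate file; the live one is not touched.
    if ! "$SSHD" -t -f "$new"; then
        echo "apply: $new rejected by sshd -t, nothing changed" >&2
        return 1
    fi

    # 2. Keep a copy of the live file, then install the new one.
    if ! cp -p "$live" "$backup" || ! cp "$new" "$live"; then
        echo "apply: could not install $new" >&2
        return 1
    fi

    # 3. Reload; if that fails, put the backup back and reload again.
    if ! sh -c "$RELOAD_CMD"; then
        echo "apply: reload failed, restoring $backup" >&2
        cp -p "$backup" "$live"
        sh -c "$RELOAD_CMD" || echo "apply: reload after rollback failed too, check the daemon by hand" >&2
        return 1
    fi

    echo "apply: $live installed (backup: $backup)." >&2
    echo "apply: keep this session open and verify with a NEW connection before cleaning up." >&2
    return 0
}

# Usage (as root): apply_sshd_config /root/sshd_config.new
```

Note that `sshd -t` only checks syntax and option values; it cannot tell you that `AllowUsers` / `AllowGroups` lock your own account out, which is why the new-session test in the post remains mandatory.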

---

**EDIT 2017-11-26 : I've done the same thing for my OpenSSH Client, you should take a look at it over [here](https://git.forestier.app/HorlogeSkynet/dotfiles/src/branch/master/.ssh/config) ! :ok_hand:**

---

### Sources

* Default _OpenSSH_ `ssh[d]_config` files packaged in Debian
* [Hardening OpenSSH](https://dev.gentoo.org/~swift/docs/security_benchmarks/openssh.html)
* [OpenSSH Security and Hardening](https://linux-audit.com/audit-and-harden-your-ssh-configuration/)
* [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)
* [CryptCheck](https://cryptcheck.fr/)
* [Security/Guidelines/OpenSSH](https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Configuration)
* [How To Configure Custom Connection Options for your SSH Client](https://www.digitalocean.com/community/tutorials/how-to-configure-custom-connection-options-for-your-ssh-client)
* [Recommandations pour un usage sécurisé d’(Open)SSH (ANSSI)](https://www.ssi.gouv.fr/uploads/2014/01/NT_OpenSSH.pdf)
* [Upgrade your SSH keys!](https://blog.g3rt.nl/upgrade-your-ssh-keys.html)