SSH-Hardening: Difference between revisions

From Free Software
Revision as of 10 January 2015, 21:03

SSH-Hardening, 2015-01-10, based on https://stribika.github.io/2015/01/04/secure-secure-shell.html (with a stripped down list of Ciphers and MACs)

Preparations

On Debian Testing (= Jessie) and Ubuntu 14.04 (= Trusty) you don't have to do anything.

On Debian Stable (= Wheezy):

echo "deb http://debian.inode.at/debian/ wheezy-backports main" >> /etc/apt/sources.list
apt-get update
apt-get -t wheezy-backports install openssh-server

On Ubuntu 12.04 (= Precise): Too lazy and/or incompetent for backports.

Server configuration

Remove all HostKey directives in /etc/ssh/sshd_config, then append at the bottom:

# SSH hardening, see https://stribika.github.io/2015/01/04/secure-secure-shell.html
KexAlgorithms curve25519-sha256@libssh.org

# Don't forget to remove HostKey directives above
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

... and execute:

cd /etc/ssh/
rm ssh_host_*
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""

Restarting sshd does not affect the current session, so keep it open in case you've done something wrong:

/etc/init.d/ssh restart
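The server-side steps above (strip the HostKey directives, append the hardened block, regenerate the host keys) as one script that works on a copy of sshd_config, so the result can be inspected before the live file is replaced and sshd restarted. This is an added example, not code from the wiki page or from the stribika article; it assumes POSIX sh with awk and grep, and ssh-keygen only for the key regeneration function. The function names, the directive-count check and the output-file argument are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page: apply the server-side hardening
# steps to a *copy* of sshd_config so it can be reviewed before anything under
# /etc/ssh is touched. Assumes POSIX sh, awk and grep; ssh-keygen is only
# needed for regen_host_keys.

# harden_sshd_config IN OUT
# Writes IN to OUT with every active HostKey directive removed, then appends
# the hardened block exactly as given on the page. OUT is overwritten.
harden_sshd_config() {
    awk '!/^[ \t]*HostKey[ \t]/' "$1" > "$2"
    cat >> "$2" <<'EOF'

# SSH hardening, see https://stribika.github.io/2015/01/04/secure-secure-shell.html
KexAlgorithms curve25519-sha256@libssh.org

# Don't forget to remove HostKey directives above
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
EOF
}

# count_directive FILE NAME
# Number of active (uncommented) lines setting NAME. sshd takes the first
# occurrence of most keywords, so a forgotten earlier line would silently win
# over the appended block; this is what the check below guards against.
count_directive() {
    grep -c -E "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# verify_hardened FILE
# Returns 0 when FILE carries exactly the hardened directives: two HostKey
# lines (rsa + ed25519), one KexAlgorithms, one Ciphers and one MACs line,
# and no leftover DSA/ECDSA host keys.
verify_hardened() {
    [ "$(count_directive "$1" HostKey)" -eq 2 ] || return 1
    for kw in KexAlgorithms Ciphers MACs; do
        [ "$(count_directive "$1" "$kw")" -eq 1 ] || return 1
    done
    grep -q '^HostKey /etc/ssh/ssh_host_ed25519_key$' "$1" || return 1
    ! grep -q -E '^[[:space:]]*HostKey .*(dsa|ecdsa)' "$1"
}

# regen_host_keys DIR
# The key regeneration step from the page, parameterised on the directory.
# Empty passphrase (-N "") because sshd has to load the keys unattended.
regen_host_keys() {
    rm -f "$1"/ssh_host_*
    ssh-keygen -q -t rsa -b 4096 -f "$1/ssh_host_rsa_key" -N "" &&
    ssh-keygen -q -t ed25519 -f "$1/ssh_host_ed25519_key" -N ""
}

# Stand-alone use: sh harden.sh /etc/ssh/sshd_config /tmp/sshd_config.new
if [ "$#" -eq 2 ]; then
    harden_sshd_config "$1" "$2"
    verify_hardened "$2" && echo "ok: $2 contains the hardened directives"
fi
```

After copying the reviewed file into place and regenerating the keys, `sshd -t` validates the live configuration (including loading the host keys) without restarting anything; run it before `/etc/init.d/ssh restart` while the existing session is still open. Note that the MAC list is the page's own: OpenSSH 7.6 and later no longer recognise hmac-ripemd160, and `sshd -t` will reject the line there until those entries are dropped. On the client side, `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac` list what the local OpenSSH build supports, which is a quick way to see whether every algorithm in the lists is available before editing either config.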

Client configuration

On top of your ~/.ssh/config, add:

Host *
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

Note that, compared to the server config, we add diffie-hellman-group-exchange-sha256 here - this is for compatibility with Ubuntu 12.04 (remove it if you don't care).