SSH-Hardening: Difference between versions

(9 intermediate revisions by the same user not shown)

Previous revision (2015-01-10), shown before the current version below:

SSH-Hardening, 2015-01-10, based on https://stribika.github.io/2015/01/04/secure-secure-shell.html (with a stripped down list of Ciphers and MACs)

=== Preparations ===

On Debian Testing (= Jessie) and Ubuntu 14.04 (= Trusty) you don't have to do anything.

On Debian Stable (= Wheezy):

  echo "deb http://debian.inode.at/debian/ wheezy-backports main" >> /etc/apt/sources.list
  apt-get update
  apt-get -t wheezy-backports install openssh-server

On Ubuntu 12.04 (= Precise): too lazy and/or incompetent for backports.

=== Server configuration ===

Remove all <code>HostKey</code> directives in <code>/etc/ssh/sshd_config</code>, then append at the bottom:

<pre>
# SSH hardening, see https://stribika.github.io/2015/01/04/secure-secure-shell.html
KexAlgorithms curve25519-sha256@libssh.org

# Don't forget to remove HostKey directives above
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
</pre>

... and execute:

  cd /etc/ssh/
  rm ssh_host_*
  ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ''
  ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ''

===== restart server =====

When restarting, the current session is not affected; keep it open in case you've done something wrong:

  /etc/init.d/ssh restart

=== Client configuration ===

  Host *
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

Note that we add diffie-hellman-group-exchange-sha256 in comparison to the server config - this is for compatibility with Ubuntu 12.04 (remove it if you don't care).

Changes in the current revision (shown in full below): the dated title line and the Preparations section are gone; the server config comment now points to https://fs.fsinf.at/wiki/SSH-Hardening and gains <code>Protocol 2</code>, public-key-only authentication, <code>AllowGroups users</code>, <code>diffie-hellman-group-exchange-sha256</code>, the aes128/aes192 ciphers and the umac-128 MACs while dropping the ripemd160 MACs; <code>systemctl restart sshd</code> replaces <code>/etc/init.d/ssh restart</code>; the client KexAlgorithms adds <code>diffie-hellman-group14-sha1</code>; the advice on regenerating your own keys, its warning and the Sources section are new.
Current version as of 20 July 2019, 14:15

SSH-Hardening

based on https://stribika.github.io/2015/01/04/secure-secure-shell.html (with a stripped down list of Ciphers and MACs)

Server configuration

Remove all HostKey directives in /etc/ssh/sshd_config, then append at the bottom:

# SSH hardening, see https://fs.fsinf.at/wiki/SSH-Hardening

# Disable SSHv1
Protocol 2

# Only allow Public Key Authentication
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Only allow users in the "users" group (no system users!).
# NOTE: See /etc/adduser.conf (EXTRA_GROUPS and ADD_EXTRA_GROUPS) to 
# automatically add new non-system users to a group.
AllowGroups users
 
# Don't forget to remove HostKey directives above
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

... and execute:

cd /etc/ssh/
rm ssh_host_*
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""

restart server

When restarting, the current session is not affected; keep it open in case you've done something wrong:

systemctl restart sshd
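Before the restart, `sshd -t` validates the file; after it, `sshd -T` prints the effective configuration. The following POSIX sh audit is an added example, not part of the wiki page: it reads `sshd -T` output and flags anything that departs from the directives above (legacy ciphers, MACs and key exchanges, password authentication, DSA/ECDSA host keys, SSHv1). The two sample excerpts are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the wiki): audit `sshd -T` output against the
# hardening block. On a server run:  sshd -T | check_sshd_config
# Exit status 0 = no findings; each finding is printed on its own line.

check_sshd_config() {
    findings=0
    while read -r key value; do
        case "$key" in
            ciphers|macs|kexalgorithms)
                # Split the comma list and flag primitives the wiki's lists never use.
                for algo in $(printf '%s' "$value" | tr ',' ' '); do
                    case "$algo" in
                        *arcfour*|*3des*|*blowfish*|*cast128*|*-cbc|hmac-md5*|hmac-sha1*|*group1-sha1|*group-exchange-sha1|ecdh-*)
                            echo "WEAK  $key: $algo"; findings=$((findings + 1)) ;;
                    esac
                done ;;
            passwordauthentication|challengeresponseauthentication)
                [ "$value" = no ] || { echo "AUTH  $key should be 'no', is '$value'"; findings=$((findings + 1)); } ;;
            pubkeyauthentication)
                [ "$value" = yes ] || { echo "AUTH  $key should be 'yes', is '$value'"; findings=$((findings + 1)); } ;;
            hostkey)
                # The wiki keeps only the RSA and Ed25519 host keys.
                case "$value" in
                    *_dsa_key|*_ecdsa_key) echo "KEY   $key: $value (not RSA/Ed25519)"; findings=$((findings + 1)) ;;
                esac ;;
            protocol)
                [ "$value" = 2 ] || { echo "PROTO SSHv1 still enabled: $value"; findings=$((findings + 1)); } ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample `sshd -T` excerpts (not captured from a real host).
HARDENED='pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'

DEFAULTISH='pubkeyauthentication yes
passwordauthentication yes
hostkey /etc/ssh/ssh_host_ecdsa_key
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
ciphers aes256-ctr,aes128-cbc
macs hmac-sha2-256,hmac-md5'
```

Run `printf '%s\n' "$DEFAULTISH" | check_sshd_config` to see the five findings the unhardened sample produces; the hardened sample produces none.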

Client configuration

On top of your ~/.ssh/config, add:

Host *
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

Note that we add diffie-hellman-group-exchange-sha256 in comparison to the server config - this is for compatibility with Ubuntu 12.04 (remove it if you don't care).

If possible, you can also regenerate your own SSH keys:

ssh-keygen -t ed25519 -o -a 100
ssh-keygen -t rsa -b 4096 -o -a 100

WARNING: This overwrites your old keys if you're not careful. If you don't add a new key to your servers before removing the old ones, you're locked out.

Sources

* https://cipherli.st/
* old, from 2015: https://stribika.github.io/2015/01/04/secure-secure-shell.html