SSH-Hardening: Difference between revisions

From Free Software
Line 28: Line 28:
  ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ''
  ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ''


# when restarting, current session is not affected, make sure you keep it open, in case you've done something wrong!
When restarting, current session is not affected, make sure you keep it open, in case you've done something wrong:
 
  /etc/init.d/ssh restart
  /etc/init.d/ssh restart
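Review bot: the rewritten line 28 is a comma splice; suggest "When restarting, the current session is not affected; keep it open in case you've done something wrong:" so the instruction reads as one sentence. Moving the text out of the `#` comment and in front of the restart command is the right call, since this restart is the step where a broken sshd_config would lock the admin out and the warning should not be buried inside the code block.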

Revision as of 10 January 2015, 20:35

SSH-Hardening, 2015-01-10:

Preparation

Under Debian Testing (= Jessie) and Ubuntu 14.04 (= Trusty) this works out of the box.

Under Debian Stable (= Wheezy):

echo "deb http://debian.inode.at/debian/ wheezy-backports main" >> /etc/apt/sources.list
apt-get update
apt-get -t wheezy-backports install openssh-server

Server configuration

In /etc/ssh/sshd_config, first remove all HostKey directives, then append the following at the end:

# SSH hardening, see https://stribika.github.io/2015/01/04/secure-secure-shell.html
KexAlgorithms curve25519-sha256@libssh.org
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

Then run:

cd /etc/ssh/
rm ssh_host_*
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ''
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ''

When restarting, the current session is not affected; make sure you keep it open in case you've done something wrong:

/etc/init.d/ssh restart
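To check that a server's sshd_config really matches the hardening above (no stray DSA/ECDSA HostKey lines, and only the listed KexAlgorithms, Ciphers and MACs), here is a small audit script. It is an added example, not part of the original wiki page or of OpenSSH; the allowed sets are copied from the snippet above, and the sample config it inspects is constructed.

```python
import re

# Allowed values are exactly the hardened lists from the sshd_config snippet on this page.
ALLOWED = {
    "kexalgorithms": {"curve25519-sha256@libssh.org"},
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "hmac-ripemd160-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256",
             "hmac-ripemd160"},
}
ALLOWED_HOSTKEYS = {"/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ed25519_key"}


def parse_sshd_config(text):
    """Yield (keyword, value) pairs; keywords are case-insensitive, '#' lines are comments.
    Match blocks are not modelled (Ciphers/MACs/KexAlgorithms are not allowed inside them)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            yield parts[0].lower(), parts[1].strip()


def audit_sshd_config(text):
    """Return a sorted list of findings; an empty list means the config matches the hardening."""
    findings = []
    first_seen = {}  # sshd keeps the first value it reads for Ciphers/MACs/KexAlgorithms
    for key, value in parse_sshd_config(text):
        if key == "hostkey":
            if value not in ALLOWED_HOSTKEYS:
                findings.append("HostKey outside the RSA/Ed25519 set: " + value)
        elif key in ALLOWED and key not in first_seen:
            first_seen[key] = value
            weak = [a for a in value.split(",") if a not in ALLOWED[key]]
            if weak:
                findings.append("%s contains non-hardened entries: %s" % (key, ",".join(weak)))
    for key in ALLOWED:
        if key not in first_seen:
            findings.append("%s not set, sshd default list applies" % key)
    return sorted(findings)


# Constructed sample: a stock Wheezy-style config that was never hardened.
STOCK_CONFIG = """
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Ciphers aes128-ctr,aes256-ctr,arcfour
# MACs and KexAlgorithms left at defaults
"""
```

Running `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a real host lists every deviation; an empty list means the file matches the snippet above.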