Hi HN! Note: this is less a guide and more to use the same instructions as those in the guides at https://www.ssh-audit.com/hardening_guides.html in order to submit it for inclusion there. Having said that, and based on feedback already, we'll probably look to more fully flesh it out.
This might all look scary, but don't worry, instructions for backing up your ssh configuration and reverting changes are included. Have fun, and if you're unsure, reach out for help or questions @ #freebsd libera IRC or Twitter #freebsd.
If you are running this hardening script and reporting results back here, it is important for validation purposes that the instructions are copied verbatim, as they will be sent upstream. Please copy-paste commands, rather than manually typing them.
Not doing so may result in an undefined system state. If errors occur, please report them to koobs @ Libera Chat IRC.
sudo -s                            # we need root for most of this (doas is OK too)
cp -Rp /etc/ssh /etc/ssh.bak       # backup ssh config just in case
portmaster security/py-ssh-audit   # install ssh-audit (pkg add or make install is fine too)
rehash
sysrc sshd_enable="yes"
service sshd start
uname -a > ~/ssh-audit.out
ssh-audit --no-colors localhost >> ~/ssh-audit.out
rm /etc/ssh/ssh_host_*
sysrc sshd_dsa_enable="no"
sysrc sshd_ecdsa_enable="no"
sysrc sshd_ed25519_enable="yes"
sysrc sshd_rsa_enable="yes"
service sshd keygen
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
sed -i .bak 's/^HostKey \/etc\/ssh\/ssh_host_\(dsa\|ecdsa\)_key$/\#HostKey \/etc\/ssh\/ssh_host_\1_key/g; s/^#HostKey \/etc\/ssh\/ssh_host_\(rsa\|ed25519\)_key$/\HostKey \/etc\/ssh\/ssh_host_\1_key/g' /etc/ssh/sshd_config
printf "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com" >> /etc/ssh/sshd_config
service sshd restart
ssh-audit --no-colors localhost >> ~/ssh-audit.out
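As an added check (not part of the gist), a small POSIX sh script that verifies the hardening actually landed before you send the ssh-audit output: it tests a copy of sshd_config for the exact directives the printf above appends and for the HostKey lines the sed rewrites, and a moduli file for the 3071-bit floor the awk filter enforces. The sample files are constructed inline; the /etc/ssh paths are the guide's own.

```sh
#!/bin/sh
# Added verification helper, not part of the gist: checks a given sshd_config and
# moduli file for the changes the guide makes, using constructed samples (offline).

# check_moduli FILE: succeed only if every non-comment line has size (5th field) >= 3071
check_moduli() {
    awk '/^#/ { next } NF >= 5 { n++; if ($5 < 3071) bad++ }
         END { exit !(n > 0 && bad == 0) }' "$1"
}

# check_sshd_config FILE: succeed only if the four algorithm directives are present
# verbatim, rsa/ed25519 host keys are active, and dsa/ecdsa host keys are not
check_sshd_config() {
    f="$1"
    grep -qxF 'KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256' "$f" || return 1
    grep -qxF 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' "$f" || return 1
    grep -qxF 'MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com' "$f" || return 1
    grep -qxF 'HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com' "$f" || return 1
    grep -qxF 'HostKey /etc/ssh/ssh_host_ed25519_key' "$f" || return 1
    grep -qxF 'HostKey /etc/ssh/ssh_host_rsa_key' "$f" || return 1
    ! grep -Eq '^HostKey /etc/ssh/ssh_host_(dsa|ecdsa)_key$' "$f"
}

# Constructed samples: a stock-looking config, the same config after the guide's
# sed and printf, and a moduli file before and after the guide's awk filter.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/sshd_config.stock" <<'EOF'
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
EOF
cat > "$SAMPLES/sshd_config.hardened" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
EOF
printf '# Time Type Tests Tries Size Generator Modulus\n20210101000000 2 6 100 2047 2 FF\n20210101000000 2 6 100 3071 2 FF\n' > "$SAMPLES/moduli.stock"
awk '$5 >= 3071' "$SAMPLES/moduli.stock" > "$SAMPLES/moduli.safe"

check_sshd_config "$SAMPLES/sshd_config.hardened" && check_moduli "$SAMPLES/moduli.safe" \
    && echo "hardening verified" || echo "hardening NOT applied"
```

Point the two functions at /etc/ssh/sshd_config and /etc/ssh/moduli on the real host to verify your own run.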
- Add contents of ~/ssh-audit.out as a comment to this gist, OR...
- Send (pastebin) the contents of ~/ssh-audit.out to koobs @ Libera Chat IRC
To revert the changes (restore the backup taken at the start):
rm -rf /etc/ssh
mv /etc/ssh.bak /etc/ssh
sysrc -x sshd_dsa_enable
sysrc -x sshd_ecdsa_enable
sysrc -x sshd_ed25519_enable
sysrc -x sshd_rsa_enable
service sshd restart
If you weren't running ssh before this guide, additionally run:
sysrc -x sshd_enable
service sshd stop
FreeBSD 13.0-RELEASE
FreeBSD 11.4-RELEASE