commit bf5c171824bd58aa838eb46293abbdcc3ecdbe25
Author: David Sorber <david.sorber@gmail.com>
Date:   Mon Feb 1 18:25:50 2016 -0500

    Adding the "make SSH secure" script I wrote based on the recommendations from that web page which I should probably cite in the script...

diff --git a/software/misc/make_ssh_secure.sh b/software/misc/make_ssh_secure.sh
new file mode 100755
index 0000000..c9f133b
--- /dev/null
+++ b/software/misc/make_ssh_secure.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Make SSH Secure Version 0.0.1
+# DATE May 14 2015
+
+# Make ssh a bit more secure by disabling obviously insecure ciphers/MACs
+# and preferring to use the most secure choices
+
+# Make sure only root can run our script
+if [ "$(id -u)" != "0" ]; then
+   echo "This script must be run as root" 1>&2
+   exit 1
+fi
+
+# Update /etc/ssh/sshd_config
+DAEMON_CONFIG=/etc/ssh/sshd_config
+echo -e "\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n" >> $DAEMON_CONFIG
+echo -e "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n" >> $DAEMON_CONFIG
+echo -e "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com" >> $DAEMON_CONFIG
+
+sed -i "s|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g" $DAEMON_CONFIG
+sed -i "s|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g" $DAEMON_CONFIG
+
+
+# Update /etc/ssh/ssh_config
+CLIENT_CONFIG=/etc/ssh/ssh_config
+echo -e "    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" >> $CLIENT_CONFIG
+sed -i "s|#   Ciphers.*|    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr|g" $CLIENT_CONFIG
+sed -i "s|#   MACs.*|    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com|g"  $CLIENT_CONFIG
+sed -i "s|#   Protocol 2,1|    Protocol 2|g" $CLIENT_CONFIG
+
+# Remove insecure moduli
+awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
+mv "${HOME}/moduli" /etc/ssh/moduli
+
+# Regenerate host keys
+rm /etc/ssh/ssh_host_*key*
+ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' < /dev/null
+ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' < /dev/null
