root/software/misc/make_ssh_secure.sh @ c7e0510c
| bf5c1718 | David Sorber | #!/bin/bash
|
||
# Make SSH Secure Version 0.0.1
|
||||
# DATE May 14 2015
|
||||
# Make ssh a bit more secure by disabling obviously insecure ciphers/MACs
|
||||
# and preferring to use the most secure choices
|
||||
# Make sure only root can run our script
|
||||
if [ "$(id -u)" != "0" ]; then
|
||||
echo "This script must be run as root" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
# Update /etc/ssh/sshd_config
|
||||
DAEMON_CONFIG=/etc/ssh/sshd_config
|
||||
echo -e "\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n" >> $DAEMON_CONFIG
|
||||
echo -e "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n" >> $DAEMON_CONFIG
|
||||
| 849d4069 | David Sorber | echo -e "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" >> $DAEMON_CONFIG
|
||
| bf5c1718 | David Sorber | |||
sed -i "s|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g" $DAEMON_CONFIG
|
||||
sed -i "s|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g" $DAEMON_CONFIG
|
||||
# Update /etc/ssh/ssh_config
|
||||
CLIENT_CONFIG=/etc/ssh/ssh_config
|
||||
echo -e " KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" >> $CLIENT_CONFIG
|
||||
sed -i "s|# Ciphers.*| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr|g" $CLIENT_CONFIG
|
||||
| 849d4069 | David Sorber | sed -i "s|# MACs.*| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com|g" $CLIENT_CONFIG
|
||
| bf5c1718 | David Sorber | sed -i "s|# Protocol 2,1| Protocol 2|g" $CLIENT_CONFIG
|
||
# Remove insecure moduli
|
||||
awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
|
||||
mv "${HOME}/moduli" /etc/ssh/moduli
|
||||
# Regenerate host keys
|
||||
rm /etc/ssh/ssh_host_*key*
|
||||
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' < /dev/null
|
||||
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' < /dev/null
|