root/software/misc/make_ssh_secure.sh @ fea928c1
| bf5c1718 | David Sorber | #!/bin/bash
|
|
# Make SSH Secure Version 0.0.1
|
|||
# DATE May 14 2015
|
|||
# Make ssh a bit more secure by disabling obviously insecure ciphers/MACs
|
|||
# and preferring to use the most secure choices
|
|||
# Make sure only root can run our script
|
|||
if [ "$(id -u)" != "0" ]; then
|
|||
echo "This script must be run as root" 1>&2
|
|||
exit 1
|
|||
fi
|
|||
# Update /etc/ssh/sshd_config
|
|||
DAEMON_CONFIG=/etc/ssh/sshd_config
|
|||
echo -e "\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n" >> $DAEMON_CONFIG
|
|||
echo -e "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n" >> $DAEMON_CONFIG
|
|||
echo -e "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com" >> $DAEMON_CONFIG
|
|||
sed -i "s|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g" $DAEMON_CONFIG
|
|||
sed -i "s|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g" $DAEMON_CONFIG
|
|||
# Update /etc/ssh/ssh_config
|
|||
CLIENT_CONFIG=/etc/ssh/ssh_config
|
|||
echo -e " KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256" >> $CLIENT_CONFIG
|
|||
sed -i "s|# Ciphers.*| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr|g" $CLIENT_CONFIG
|
|||
sed -i "s|# MACs.*| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com|g" $CLIENT_CONFIG
|
|||
sed -i "s|# Protocol 2,1| Protocol 2|g" $CLIENT_CONFIG
|
|||
# Remove insecure moduli
|
|||
awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
|
|||
mv "${HOME}/moduli" /etc/ssh/moduli
|
|||
# Regenerate host keys
|
|||
rm /etc/ssh/ssh_host_*key*
|
|||
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' < /dev/null
|
|||
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' < /dev/null
|