diff --git a/apply_host_patches.sh b/apply_host_patches.sh
new file mode 100644
index 0000000..7645bbd
--- /dev/null
+++ b/apply_host_patches.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+# Apply security patches to host SSH configuration
+
+set -e
+
+echo "[*] Applying SSH security patches to host..."
+
+# Backup original config
+cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S)
+
+# Uncomment HostKey lines
+sed -i 's/^#HostKey/HostKey/' /etc/ssh/sshd_config
+
+# Remove ecdsa key line (we don't have this key)
+sed -i '/ssh_host_ecdsa_key/d' /etc/ssh/sshd_config
+
+# Add security settings after HostKey lines
+sed -i '/HostKey \/etc\/ssh\/ssh_host_ed25519_key/a\
+\
+# Security hardening - restrict algorithms to secure ones only\
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512\
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com\
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\
+HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512\
+PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-256,rsa-sha2-512\
+' /etc/ssh/sshd_config
+
+echo "[+] SSH configuration updated"
+echo "[*] Restarting sshd service..."
+
+systemctl restart sshd
+
+echo "[+] SSH service restarted"
+echo "[*] Run ssh-audit to verify security"
\ No newline at end of file
diff --git a/check_ssh_security.sh b/check_ssh_security.sh
new file mode 100644
index 0000000..aadc862
--- /dev/null
+++ b/check_ssh_security.sh
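Review bot: `systemctl restart sshd` at the end of the hunk runs without validating the file the script just rewrote, so if the installed sshd rejects anything written above it (an algorithm name it does not know, or a `HostKey` path with no key behind it) the restart fails and the host stops accepting new SSH sessions — on a remote box that is a lockout. Keep the backup path and gate the restart on a syntax check that rolls back on failure: `BACKUP=/etc/ssh/sshd_config.backup.$(date +%Y%m%d_%H%M%S)` at the `cp`, then `sshd -t -f /etc/ssh/sshd_config || { echo "[!] invalid sshd_config, restoring backup" >&2; cp "$BACKUP" /etc/ssh/sshd_config; exit 1; }` before `systemctl restart sshd`. Relatedly, `s/^#HostKey/HostKey/` uncomments every `#HostKey` line rather than just rsa and ed25519, and only the ecdsa line is deleted afterwards, so any other commented HostKey entry present on the host (a dsa line in an older stock config, say) would be enabled with no key file — exactly the case the syntax check would catch. The `a\` insertion is also not idempotent: running the script a second time appends the hardening block again, which is worth either guarding with a `grep -q '^KexAlgorithms'` or stating in the header comment.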
@@ -0,0 +1,56 @@
+#!/bin/sh
+# Check SSH security configuration
+
+echo "[*] Checking SSH security configuration..."
+
+# Check host keys
+echo "[*] Host keys:"
+if [ -f /etc/ssh/ssh_host_rsa_key ]; then
+ RSA_SIZE=$(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key | awk '{print $1}')
+ echo " RSA: $RSA_SIZE bits"
+else
+ echo " RSA: NOT FOUND"
+fi
+
+if [ -f /etc/ssh/ssh_host_ed25519_key ]; then
+ ED25519_SIZE=$(ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key | awk '{print $1}')
+ echo " Ed25519: $ED25519_SIZE bits"
+else
+ echo " Ed25519: NOT FOUND"
+fi
+
+# Check configuration
+echo "[*] Configuration:"
+if grep -q "HostKey /etc/ssh/ssh_host_rsa_key" /etc/ssh/sshd_config; then
+ echo " RSA host key: ENABLED"
+else
+ echo " RSA host key: DISABLED"
+fi
+
+if grep -q "HostKey /etc/ssh/ssh_host_ed25519_key" /etc/ssh/sshd_config; then
+ echo " Ed25519 host key: ENABLED"
+else
+ echo " Ed25519 host key: DISABLED"
+fi
+
+# Check algorithms
+echo "[*] Algorithms:"
+if grep -q "KexAlgorithms.*curve25519-sha256" /etc/ssh/sshd_config; then
+ echo " KexAlgorithms: SECURE"
+else
+ echo " KexAlgorithms: INSECURE"
+fi
+
+if grep -q "Ciphers.*chacha20-poly1305" /etc/ssh/sshd_config; then
+ echo " Ciphers: SECURE"
+else
+ echo " Ciphers: INSECURE"
+fi
+
+if grep -q "MACs.*hmac-sha2-256-etm" /etc/ssh/sshd_config; then
+ echo " MACs: SECURE"
+else
+ echo " MACs: INSECURE"
+fi
+
+echo "[*] Check completed"
\ No newline at end of file
diff --git a/sshd_config b/sshd_config
index 7fb4871..6e3d467 100644
--- a/sshd_config
+++ b/sshd_config
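Review bot: The `grep -q "HostKey /etc/ssh/ssh_host_rsa_key"` and `grep -q "HostKey /etc/ssh/ssh_host_ed25519_key"` checks are unanchored, so they also match a commented-out directive — the `#HostKey /etc/ssh/ssh_host_ed25519_key` context line visible in the sshd_config hunk of this same diff would already make the script print `Ed25519 host key: ENABLED` for a key that is not in effect, and the three `KexAlgorithms.*`/`Ciphers.*`/`MACs.*` greps below have the same weakness. Anchor each pattern to an uncommented directive, e.g. `grep -Eq '^[[:space:]]*HostKey[[:space:]]+/etc/ssh/ssh_host_rsa_key' /etc/ssh/sshd_config`, or better, query the effective configuration with `sshd -T | grep -Eiq '^kexalgorithms .*curve25519-sha256'`, which also honours `Include` files and `Match` blocks that a file grep cannot see. Presence of one strong algorithm in a list also says nothing about whether weak ones remain listed, so the SECURE/INSECURE labels overstate what the test proves; a comment such as `# presence check only - run ssh-audit for an actual algorithm audit` above the `# Check algorithms` section would keep that honest.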
@@ -19,6 +19,13 @@ #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key +# Security hardening - restrict algorithms to secure ones only +KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com +MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com +HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512 +PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-256,rsa-sha2-512 + # Ciphers and keying #RekeyLimit default none @@ -117,9 +124,4 @@ Subsystem sftp /usr/libexec/sftp-server # PermitTTY no # ForceCommand cvs server -# Security hardening - restrict algorithms to secure ones only -KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512 -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com -MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com -HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512 -PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-256,rsa-sha2-512 +
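Review bot: The `KexAlgorithms` allow-list inserted after the HostKey lines pins key exchange to four classical algorithms, which on a recent OpenSSH silently removes the post-quantum hybrid exchanges (`sntrup761x25519-sha512@openssh.com`, and `mlkem768x25519-sha512` on the newest releases) that the server would otherwise prefer by default — the exact effect depends on the installed version, so confirm with `sshd -T | grep -i kexalgorithms` on the target. Prepending them, e.g. `KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512`, keeps the hardening without regressing newer servers, with the caveat that an sshd that does not recognise a name refuses to start, so the change needs an `sshd -t` pass before it is deployed. `PubkeyAcceptedKeyTypes` is the legacy spelling of `PubkeyAcceptedAlgorithms` (OpenSSH 8.5 and later) and is still accepted, but a `# legacy alias of PubkeyAcceptedAlgorithms; kept for pre-8.5 servers` comment would explain the choice to the next reader.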