
SSHhardening.sh

#!/bin/bash
#
# Hardens the OpenSSH installation on this host following
# https://stribika.github.io/2015/01/04/secure-secure-shell.html :
# restricts the KEX/cipher/MAC algorithms in sshd_config and ssh_config, prunes
# small Diffie-Hellman groups from /etc/ssh/moduli, retires the SSH1/DSA/ECDSA
# host keys and regenerates a sub-4096-bit RSA host key.
# Must run as root; it rewrites files under /etc/ssh.  Reload sshd afterwards
# and confirm a fresh login works before closing the session you ran it from.

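# --- Algorithm selection for sshd_config and ssh_config ------------------------
# Existing KexAlgorithms/Ciphers/MACs directives (and any github.com host block)
# are stripped so the script is idempotent, then a managed block carrying the
# hardened set is placed at the TOP of each file: both sshd_config(5) and
# ssh_config(5) keep the first value they see for an option, and appending would
# also land the directives inside a trailing Match/Host block (sshd rejects
# KexAlgorithms/Ciphers/MACs inside Match).  sshd_config is validated with
# `sshd -t` before it replaces the live file; the previous file is kept as .bak.
# Nothing here reloads sshd -- do that yourself, from a session you can afford
# to lose, and keep the current one open until a fresh login succeeds.

fail() { printf 'SSHhardening: %s\n' "$*" >&2; exit 1; }
warn() { printf 'SSHhardening: warning: %s\n' "$*" >&2; }

[[ $EUID -eq 0 ]] || fail "must be run as root (rewrites /etc/ssh)"

SSH_DIR=/etc/ssh
SSHD_CONF="${SSH_DIR}/sshd_config"
SSH_CONF="${SSH_DIR}/ssh_config"
SSHD_BIN=/usr/sbin/sshd
MARK_BEGIN="# BEGIN SSHhardening managed block (edits here are overwritten on re-run)"
MARK_END="# END SSHhardening managed block"

# sshd has no real version flag: `sshd -v` prints its usage plus a banner line
# such as "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" on stderr.  Reduce
# that to MAJOR*100+MINOR (7.4 -> 704) so releases compare numerically and
# x.0 releases (7.0, 8.0, ...) are not mistaken for ancient ones.  An
# unparsable banner yields 0 and therefore the conservative legacy set.
sshd_banner=$("$SSHD_BIN" -v 2>&1 | grep -o 'OpenSSH_[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
sshd_ver=${sshd_banner#OpenSSH_}
SSHD_VERSION=0
if [[ "$sshd_ver" =~ ^([0-9]+)\.([0-9]+)$ ]]; then
  SSHD_VERSION=$(( BASH_REMATCH[1] * 100 + BASH_REMATCH[2] ))
fi

# Algorithm sets.  curve25519-sha256@libssh.org needs OpenSSH >= 6.5 and the
# encrypt-then-MAC ("-etm") MACs >= 6.2, so anything older (or undetectable)
# gets the SHA-2 group-exchange KEX and a plain hmac-sha2-512 instead.  The
# group-exchange KEX draws its primes from /etc/ssh/moduli, which this script
# also prunes of small groups.
ciphers="aes256-ctr,aes192-ctr,aes128-ctr"
if (( SSHD_VERSION >= 605 )); then
  kex="curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
  macs="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"
  # Client-side exception: github.com additionally gets a non-etm MAC,
  # presumably because it did not negotiate the -etm variants when this list was
  # written -- verify whether the exception is still needed.
  github_macs="${macs},hmac-sha2-512"
else
  kex="diffie-hellman-group-exchange-sha256"
  macs="hmac-sha2-512"
  github_macs=""
fi

# strip_managed FILE -- print FILE without our managed block and without any
# remaining KexAlgorithms/Ciphers/MACs/github.com lines (a comment that merely
# mentions one of them is dropped too).  A missing file or empty result is not
# an error.  If a BEGIN marker has lost its END marker, sed deletes to EOF.
strip_managed() {
  [[ -f "$1" ]] || return 0
  sed -e "/^${MARK_BEGIN}\$/,/^${MARK_END}\$/d" "$1" \
    | grep -v -e 'KexAlgorithms' -e 'Ciphers' -e 'MACs' -e 'github.com'
  return 0
}

# rewrite_config FILE -- builds FILE.new = managed block (read from stdin)
# followed by the stripped contents of FILE.  FILE.new starts as a copy of
# FILE so it inherits FILE's owner and mode (ssh_config must stay readable by
# unprivileged users; some distributions ship sshd_config 0600) instead of
# whatever the caller's umask produces; the redirection then truncates it.
rewrite_config() {
  local file=$1 new="$1.new"
  if [[ -f "$file" ]]; then
    cp -p -- "$file" "$new" || return 1
  else
    : > "$new" || return 1
    chmod 0644 -- "$new" || return 1
  fi
  { cat; strip_managed "$file"; } > "$new"
}

rewrite_config "$SSHD_CONF" <<EOF || fail "cannot write ${SSHD_CONF}.new"
$MARK_BEGIN
KexAlgorithms $kex
Ciphers $ciphers
MACs $macs
$MARK_END
EOF

# ssh_config keeps the FIRST value seen for an option, so the github.com
# override has to precede the catch-all "Host *" block to have any effect.
github_block=""
if [[ -n "$github_macs" ]]; then
  github_block="Host github.com"$'\n'"    MACs ${github_macs}"$'\n'
fi
rewrite_config "$SSH_CONF" <<EOF || fail "cannot write ${SSH_CONF}.new"
$MARK_BEGIN
${github_block}Host *
    KexAlgorithms $kex
    Ciphers $ciphers
    MACs $macs
$MARK_END
EOF

# Refuse to install an sshd_config that sshd itself rejects (unsupported
# algorithm name, directive in the wrong place): a broken sshd_config means no
# new logins after the next restart.
"$SSHD_BIN" -t -f "${SSHD_CONF}.new" \
  || fail "${SSHD_CONF}.new failed 'sshd -t'; live configuration left untouched"
# `ssh -G` (OpenSSH >= 6.8) parses a client config.  Only a warning: an older
# client has no -G, and a bad ssh_config breaks outbound ssh, not logins.
if ! /usr/bin/ssh -G -F "${SSH_CONF}.new" localhost >/dev/null 2>&1; then
  warn "could not validate ${SSH_CONF}.new with 'ssh -G' (needs OpenSSH >= 6.8, or the file has an error)"
fi

for f in "$SSHD_CONF" "$SSH_CONF"; do
  [[ -f "$f" ]] && { cp -p -- "$f" "$f.bak" || fail "cannot back up $f"; }
  mv -f -- "$f.new" "$f" || fail "cannot install $f"
done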

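# --- Diffie-Hellman group-exchange moduli ---------------------------------------
# Remove the small groups from /etc/ssh/moduli so diffie-hellman-group-exchange-*
# can never negotiate a weak prime.  Column 5 of a moduli(5) line is the size
# field; comment lines and short lines are dropped.
# NOTE(review): OpenSSH records the size as bits-1 (a 2048-bit group appears as
# 2047), so a >= 2048 cut-off also discards the 2048-bit groups and keeps
# 3072-bit and larger only; the referenced article uses "$5 > 2000" to retain
# them.  Check with `awk '{print $5}' /etc/ssh/moduli | sort -u` and adjust
# MIN_MODULUS_SIZE if 2048-bit groups should survive.
MODULI=/etc/ssh/moduli
MIN_MODULUS_SIZE=2048
if [[ -f "$MODULI" ]]; then
  # Copy first so the rewrite inherits the original owner/mode (normally 0644)
  # instead of the caller's umask; the redirection below then truncates it, so
  # a stale .new left by an aborted run cannot leak into the result either.
  cp -p -- "$MODULI" "${MODULI}.new" \
    || { printf 'SSHhardening: cannot create %s.new\n' "$MODULI" >&2; exit 1; }
  awk -v min="$MIN_MODULUS_SIZE" 'NF >= 5 && $1 !~ /^#/ && $5 >= min' "$MODULI" > "${MODULI}.new"
  if [[ -s "${MODULI}.new" ]]; then
    mv -f -- "${MODULI}.new" "$MODULI"
  else
    # An empty moduli file is not a hardening: sshd then falls back to a
    # compiled-in group.  Keep the original and say so.
    rm -f -- "${MODULI}.new"
    printf 'SSHhardening: no groups of size >= %s in %s; file left unchanged\n' \
      "$MIN_MODULUS_SIZE" "$MODULI" >&2
  fi
fi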

# Retire the legacy/weak HOST key types (these are the server's identity keys,
# not user authentication keys): SSH protocol 1 RSA (ssh_host_key), DSA and
# NIST-curve ECDSA.  Each key pair is deleted and replaced by a symlink that
# points at its own name: the path then exists but can never be opened, which
# is presumably meant to keep distribution hooks (package post-install scripts,
# `ssh-keygen -A`) from quietly regenerating the key -- confirm this against
# your distribution.  Matching `HostKey /etc/ssh/ssh_host_*_key` lines in
# sshd_config should be removed as well, otherwise sshd logs "Could not load
# host key" at every start.  Re-running is safe: rm -f removes the symlink too.
for legacy_key in ssh_host_ecdsa_key ssh_host_key ssh_host_dsa_key; do
  rm -f -- /etc/ssh/"${legacy_key}"*
  ln -s "${legacy_key}" "/etc/ssh/${legacy_key}"
done

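# --- RSA host key: make sure a >= 4096-bit key is in place ----------------------
# `ssh-keygen -l -f KEY` prints "<bits> <fingerprint> <comment> (<type>)", so
# the first field is the key size.  The key is (re)generated when it is absent
# -- e.g. the host only had the key types retired above -- or shorter than
# MIN_RSA_BITS; an unreadable/corrupt key file counts as too short.
# The new pair is produced under a temporary name and swapped in only on
# success, so a failed ssh-keygen (disk full, missing binary) cannot leave the
# host without an RSA host key.  /etc/ssh is root-owned, so the predictable
# temporary name is not exposed to other users.  The empty passphrase (-N '')
# is required: sshd must load the key unattended.
# Operational caveats: clients that already know this host will see a
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, and sshd must be restarted
# to serve the new key -- keep your current session open until a fresh login
# succeeds.  NOTE(review): the referenced article also recommends an ed25519
# host key (OpenSSH >= 6.5); none is generated here.
RSA_KEY=/etc/ssh/ssh_host_rsa_key
MIN_RSA_BITS=4096
rsa_bits=0
if [[ -f "$RSA_KEY" ]]; then
  rsa_bits=$(/usr/bin/ssh-keygen -l -f "$RSA_KEY" 2>/dev/null | awk 'NR == 1 { print $1 }')
  [[ "$rsa_bits" =~ ^[0-9]+$ ]] || rsa_bits=0
fi
if (( rsa_bits < MIN_RSA_BITS )); then
  tmp_key="${RSA_KEY}.new"
  rm -f -- "$tmp_key" "${tmp_key}.pub"          # leftovers from an aborted run
  if ! /usr/bin/ssh-keygen -t rsa -b "$MIN_RSA_BITS" -f "$tmp_key" -N ''; then
    rm -f -- "$tmp_key" "${tmp_key}.pub"
    printf 'SSHhardening: generating %s failed; existing key left untouched\n' "$RSA_KEY" >&2
    exit 1
  fi
  # Drop the old pair (and a certificate for it, if any) only now that the
  # replacement exists.  Named explicitly: a "${RSA_KEY}*" glob would also
  # catch the .new files just generated.
  rm -f -- "$RSA_KEY" "${RSA_KEY}.pub" "${RSA_KEY}-cert.pub"
  mv -f -- "$tmp_key" "$RSA_KEY" && mv -f -- "${tmp_key}.pub" "${RSA_KEY}.pub" \
    || { printf 'SSHhardening: installing %s failed\n' "$RSA_KEY" >&2; exit 1; }
fi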