💾 Archived View for jacksonchen666.com › posts › 2023-07-19 › 15-49-03 › index.gmi captured on 2024-05-12 at 15:20:19. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-11-04)
-=-=-=-=-=-=-
2023-07-19 15:49:03Z (last updated 2023-10-16 08:55:03Z)
Today I decided to do things. Also known as random things.
I was looking at software that Seirdy uses. I then saw a thing: ssh-audit.
DISCLAIMER: I'm no security expert. If you think I'm stupid and should be ignored, then ignore my suggestions here.
If using this guide breaks your system, that's your responsibility, not mine.
I looked at ssh-audit, tried it out on my server, and well, there were some red lines.
I look further on how to make it not have those red lines. I found a SSH hardening guide. However, I had a few problems with it:
So I skipped out on that and decided to look at an outdated SSH hardening guide. Well, at least something that at least makes sense!
"Outdated" SSH hardening guide
For the majority of the outdated guide... I just didn't follow them. :P
Instead, I used another approach to making the things: Maybe copy from them, and rely on ssh-audit. Maybe rely a bit on Seirdy.
I use `OpenSSH_9.0p1` on my server. If you have a newer version, it should work. If you have an older version, it might not work.
After quite a bit of work, I have assembled a snippet part of `sshd_config`:
# hardening (from gemini://jacksonchen666.com/posts/2023-07-19/15-49-03/) # https://blog.stribik.technology/2015/01/04/secure-secure-shell.html Protocol 2 # uncomment below if you have a key there, or change it. add more if necessary #HostKey /etc/ssh/ssh_host_ed25519_key # do not enable if you have not setup groups! if you don't understand, comment out below. #AllowGroups ssh-user # from ssh-audit (https://github.com/jtesta/ssh-audit) and also mostly copying seirdy.one # wide range of OK stuff (according to ssh-audit) KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,sntrup761x25519-sha512@openssh.com Ciphers aes192-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com # https://seirdy.one/about/ssh-policy.txt # "MACs are redundant with the chacha20-poly1305 cipher; don't use any." -- https://seirdy.one/about/ssh-policy.txt #Ciphers chacha20-poly1305@openssh.com #KexAlgorithms sntrup761x25519-sha512@openssh.com # "MACs are redundant with the chacha20-poly1305 cipher; don't use any." -- https://seirdy.one/about/ssh-policy.txt # except how do you not use MACs #MACs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com
You can comment out the "wide range of OK stuff" section to opt in for something Seirdy does: Just one thing, for all of the things.
Another thing commented out by default is the `HostKey` directive. Make sure there's a file at that path, adjust if necessary, and uncomment if you don't need anything other than ed25519 keys. Add more of the same directives if you *do* need more than ed25519 keys, add more `HostKey` directives as necessary.
`AllowGroups` is also commented out by default because that requires prior setup. You'll have to mess with system groups for that. And if you don't care about restricting which users can SSH, you can ignore that.
To implement on Fedora Linux, I had to put the snippet at `/etc/ssh/sshd_config.d/00-hardening.conf` because there was a `/etc/ssh/sshd_config.d/50-redhat.conf` in place which seemed to take from system crypto policies whatever.
To implement in Alpine Linux, I just put the snippet before most configuration options in `/etc/ssh/sshd_config`.
And well, that's about it!