diff --git a/newSrv.sh b/newSrv.sh index 3d023d3..5b22160 100644 --- a/newSrv.sh +++ b/newSrv.sh @@ -55,6 +55,8 @@ echo Now running "$FUNCNAME".... curl --silent https://dl.knownelement.com/FetchApplyDistPoint/tsys-zshrc > /etc/zshrc curl --silent https://dl.knownelement.com/FetchApplyDistPoint/aliases > /etc/aliases curl --silent https://dl.knownelement.com/FetchApplyDistPoint/rsyslog.conf > /etc/rsyslog.conf +curl --silent https://dl.knownelement.com/FetchApplyDistPoint/tsys-sshd-config > /etc/ssh/sshd_config +curl --silent https://dl.knownelement.com/FetchApplyDistPoint/ssh-audit_hardening.conf > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf export ROOT_SSH_DIR="/root/.ssh" export LOCALUSER_SSH_DIR="/home/localuser/.ssh" @@ -144,6 +146,7 @@ lldpd \ net-tools \ gpg \ molly-guard \ +fail2ban \ lshw \ sudo \ mailutils \ @@ -167,6 +170,9 @@ usermin \ iotop \ tuned \ cockpit \ +iptables \ +netfilter-persistent \ +iptables-persistent \ telnet \ postfix @@ -317,6 +323,14 @@ function secharden-ssh() { echo Now running "$FUNCNAME".... +iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set +iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP +ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set +ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP + +service netfilter-persistent save + + echo Completed running "$FUNCNAME" } diff --git a/ssh-audit_hardening.conf b/ssh-audit_hardening.conf new file mode 100644 index 0000000..150fc83 --- /dev/null +++ b/ssh-audit_hardening.conf 
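Review bot: The two new `curl --silent … > /etc/ssh/sshd_config` lines overwrite the live sshd configuration before anything has checked that the download succeeded or parses: without `--fail`, an HTTP 404/5xx body (or an empty response) is written straight into sshd_config and the next sshd restart either fails or comes up with an unintended policy, and `/etc/ssh/sshd_config.d/` is not created before the second redirect. Fetch to a temp file, validate with `sshd -t -f`, and only then install it; note also that nothing verifies a checksum or signature, so the SSH policy of every host is only as trustworthy as that TLS endpoint — a pinned digest on the distribution point would close that gap. I do not see sshd being reloaded in this hunk, so the new file may not take effect until the next restart. The enclosing function starts before and ends after this hunk.
```shell
# … unchanged: zshrc/aliases/rsyslog fetches …
mkdir -p /etc/ssh/sshd_config.d
curl --silent --show-error --fail -o /etc/ssh/sshd_config.d/ssh-audit_hardening.conf https://dl.knownelement.com/FetchApplyDistPoint/ssh-audit_hardening.conf
sshd_tmp="$(mktemp)"
# Never replace a working sshd_config with something sshd cannot parse (an error page, a truncated download).
if curl --silent --show-error --fail -o "$sshd_tmp" https://dl.knownelement.com/FetchApplyDistPoint/tsys-sshd-config \
   && sshd -t -f "$sshd_tmp"; then
  install -m 0600 "$sshd_tmp" /etc/ssh/sshd_config
else
  echo "sshd_config download or validation failed; keeping the existing config" >&2
fi
rm -f -- "$sshd_tmp"
# … unchanged: ROOT_SSH_DIR / LOCALUSER_SSH_DIR exports …
```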
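Review bot: The four `-I INPUT` rules in secharden-ssh are not idempotent — each run of the function prepends another copy of every rule, and `service netfilter-persistent save` then persists the duplicates; guard each insert with `-C` so a rule is only added when absent. Because `-I` prepends, the second command of each pair (the DROP) ends up above the `--set` rule, the reverse of the order they are written in; if the `--set`-then-`--update` ordering from the iptables-extensions recent example is what is intended, issue the DROP rule first or use explicit positions. `-m state --state NEW` is the deprecated spelling of `-m conntrack --ctstate NEW`. The function `secharden-ssh` opens on the line just before this hunk.
```shell
# … unchanged: "Now running" banner …
# Insert a rule only if an identical one is not already in INPUT, so re-running
# secharden-ssh (and the netfilter-persistent save below) does not stack duplicates.
ensure_rule() {
  local ipt="$1"; shift
  "$ipt" -C INPUT "$@" 2>/dev/null || "$ipt" -I INPUT "$@"
}
for ipt in iptables ip6tables; do
  # -I prepends, so the DROP rule is issued first to end up below the --set rule.
  ensure_rule "$ipt" -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
  ensure_rule "$ipt" -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
done
service netfilter-persistent save
# … unchanged: "Completed running" banner …
```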
@@ -0,0 +1,19 @@
+# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
+# hardening guide.
+ KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
+
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+
+HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+RequiredRSASize 3072
+
+CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
+
+HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+
+PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
\ No newline at end of file
diff --git a/tsys-sshd-config b/tsys-sshd-config
new file mode 100644
index 0000000..155ef4f
--- /dev/null
+++ b/tsys-sshd-config
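Review bot: The algorithm names are version-gated and nothing in the file says which OpenSSH release it targets: the unsuffixed `sntrup761x25519-sha512`, `RequiredRSASize`, and the `HostbasedAcceptedAlgorithms`/`PubkeyAcceptedAlgorithms` spellings are only understood by newer sshd releases (I believe 9.9, 9.1 and 8.5 respectively), and the `gss-*` kex names need a GSSAPI-patched build such as Debian's. sshd treats an unknown keyword or algorithm name as a fatal config error, and since newSrv.sh installs this file on every host, a release that does not know the first kex name (Debian 12's 9.2, for instance) would lose SSH at the next restart. Add a header comment such as `# Requires OpenSSH >= 9.9 with GSSAPI kex support; run 'sshd -t' before reloading.` and, if older hosts are in scope, drop the names they cannot parse or keep only the `@openssh.com`-suffixed form.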
@@ -0,0 +1,13 @@
+Include /etc/ssh/sshd_config.d/*.conf
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+KbdInteractiveAuthentication no
+X11Forwarding yes
+PrintMotd no
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+Banner none
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+UsePAM yes
+PermitRootLogin prohibit-password
\ No newline at end of file
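Review bot: `X11Forwarding yes` works against the hardening intent of this config — ssh-audit and the CIS benchmark both recommend `no` on servers, because a forwarded display lets a compromised host reach the client's X session — and the file gives no reason for enabling it; unless these hosts are used as X jump hosts, make it `X11Forwarding no`. `ChallengeResponseAuthentication no` is the deprecated alias of the `KbdInteractiveAuthentication no` already set three lines above and can be dropped. Nothing here bounds brute-force attempts at the sshd layer; `MaxAuthTries 3` and `LoginGraceTime 30` would complement the iptables rate-limit and fail2ban that newSrv.sh adds in the same commit.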