Package: freedombox-setup
Severity: wishlist

It seems odd sending a patch as a bug report, but freedombox-discuss just
gives me "550 Administrative prohibition".

This patch adds some extra hardening to the ssh server settings, in
accordance with the recommendations on bettercrypto.org.

Possibly /bin/bash could be /bin/sh


---
 setup.d/15_ssh_server | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100755 setup.d/15_ssh_server

diff --git a/setup.d/15_ssh_server b/setup.d/15_ssh_server
new file mode 100755
index 0000000..0685a95
--- /dev/null
+++ b/setup.d/15_ssh_server
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# This script hardens the ssh server settings, using recommendations
+# from bettercrypto.org
+
+SSH_CIPHERS="chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes128-ctr"
+SSH_MACS="hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
+SSH_KEX="curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1"
+
+sed -i 's/Protocol .*/Protocol 2/g' /etc/ssh/sshd_config
+sed -i 's/StrictModes.*/StrictModes yes/g' /etc/ssh/sshd_config
+sed -i 's/PermitEmptyPasswords.*/PermitEmptyPasswords no/g' 
/etc/ssh/sshd_config
+sed -i 's/PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
+sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config
+sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config
+if ! grep -q '#HostKey' /etc/ssh/sshd_config; then
+       sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey 
/etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config
+       sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey 
/etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config
+fi
+if grep -q 'Ciphers' /etc/ssh/sshd_config; then
+    sed -i "s|Ciphers.*|Ciphers ${SSH_CIPHERS}|g" /etc/ssh/sshd_config
+else
+    echo "Ciphers ${SSH_CIPHERS}" >> /etc/ssh/sshd_config
+fi
+if grep -q 'MACs' /etc/ssh/sshd_config; then
+    sed -i "s|MACs.*|MACs ${SSH_MACS}|g" /etc/ssh/sshd_config
+else
+    echo "MACs ${SSH_MACS}" >> /etc/ssh/sshd_config
+fi
+if grep -q 'KexAlgorithms' /etc/ssh/sshd_config; then
+    sed -i "s|KexAlgorithms.*|KexAlgorithms ${SSH_KEX}|g" /etc/ssh/sshd_config
+else
+    echo "KexAlgorithms ${SSH_KEX}" >> /etc/ssh/sshd_config
+fi
+
+echo "Done configuring ssh server."
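Review bot: the presence checks at `if grep -q 'Ciphers' /etc/ssh/sshd_config`, `'MACs'` and `'KexAlgorithms'` are unanchored, so a commented-out `#Ciphers ...` line (or the word appearing inside a comment) satisfies the grep, the following `sed -i "s|Ciphers.*|Ciphers ${SSH_CIPHERS}|g"` then rewrites only that commented line, and the `else` branch that would append a live directive never runs; anchor both the grep and the sed to the start of the line (`grep -q '^Ciphers'` and `s|^Ciphers.*|Ciphers ${SSH_CIPHERS}|`). The same applies to the earlier substitutions such as `sed -i 's/PermitRootLogin.*/PermitRootLogin no/g'`, which turn a commented default into a commented new value and so leave the shipped setting in force. Separately, the `PermitEmptyPasswords` sed and the two `#HostKey` substitutions appear split across two lines as submitted, which would make bash run sed with no file argument and then try to execute `/etc/ssh/sshd_config` as a command; please confirm that is mail wrapping and not the committed file. Finally, the script rewrites sshd_config but never validates the result: run `sshd -t` after the edits (and reload the daemon if it is running) so a malformed line cannot leave sshd unable to start; note also that `ServerKeyBits` is a protocol 1 option and has no effect once `Protocol 2` is set.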
--
2.4.1


-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
