diff --git a/miscellaneous/secure_ssh.sh b/miscellaneous/secure_ssh.sh
new file mode 100644
index 0000000..dae2420
--- /dev/null
+++ b/miscellaneous/secure_ssh.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# This script is designed to configure the SSH server on a Linux system according to Mozilla's security best practices.
+# Its main purpose is to enhance the security of SSH connections by enforcing modern encryption standards, disabling insecure protocols, and reducing potential attack vectors.
+# The script backs up the original SSH configuration file, applies a new set of secure settings, and then restarts the SSH service to apply the changes.
+# These settings include disabling password authentication, limiting access to strong ciphers and key exchange methods, and enhancing brute-force protection.
+# These recommendations are based on Mozilla's guidelines, which can be found here: https://infosec.mozilla.org/guidelines/openssh
+
+# Usage:
+# To run this script, save it as "secure_ssh.sh" and make it executable by running the command: `chmod +x secure_ssh.sh`.
+# After that, execute it with root privileges using: `sudo ./secure_ssh.sh`.
+# The script will automatically apply the recommended configuration changes and restart the SSH service.
+
+# Variables
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+# Backup the old configuration
+cp "$SSHD_CONFIG" "${SSHD_CONFIG}.bak"
+
+# Modify the sshd_config file
+cat < "$SSHD_CONFIG"
+# Mozilla SSH Security Recommendations
+Protocol 2
+# Enable only secure ciphers
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+# Enable only secure key exchange algorithms
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+# Enable only secure MAC algorithms
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
+
+# Disable password authentication for stronger security
+PasswordAuthentication no
+
+# Disable old host keys
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# Restrict root access
+PermitRootLogin no
+
+# Strict connection policy
+MaxAuthTries 3
+LoginGraceTime 30
+EOL
+
+# Restart the SSH service
+systemctl restart sshd
+
+echo "SSH configuration has been updated according to Mozilla's security recommendations."
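Review bot: The rewrite of sshd_config is followed by `systemctl restart sshd` with no validation step, and because the new settings turn off password authentication and root login, a typo in the generated file leaves sshd unable to start and locks a remote operator out; gate the restart on `sshd -t -f "$SSHD_CONFIG"` and restore the backup when it fails. As printed, `cat < "$SSHD_CONFIG"` only reads the file and leaves the later `EOL` terminator without an opener — this looks like page extraction mangling `cat <<EOL > "$SSHD_CONFIG"`, but if it is what was committed the script writes nothing and then tries to run the config lines as commands. Either way the heredoc replaces the whole file, so `Subsystem sftp`, any `Include` drop-ins and other distribution settings are discarded and fall back to sshd defaults; the header comment should say so, since the description only promises "a new set of secure settings". `cp "$SSHD_CONFIG" "${SSHD_CONFIG}.bak"` also overwrites the backup on every run, so a second run saves the already-hardened file and the original is gone.
```shell
set -euo pipefail
SSHD_CONFIG="/etc/ssh/sshd_config"
BACKUP="${SSHD_CONFIG}.bak"

# Keep the first backup: a re-run would otherwise replace it with the already-hardened file.
[[ -e "$BACKUP" ]] || cp -- "$SSHD_CONFIG" "$BACKUP"

# … unchanged: heredoc writing the hardened settings into "$SSHD_CONFIG" …

# Validate before restarting; with PasswordAuthentication off a broken config is a remote lockout.
if ! sshd -t -f "$SSHD_CONFIG"; then
  cp -- "$BACKUP" "$SSHD_CONFIG"
  printf '%s\n' "sshd_config failed validation; original restored" >&2
  exit 1
fi
systemctl restart sshd
```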