#!/bin/bash # This script is designed to configure the SSH server on a Linux system according to Mozilla's security best practices. # Its main purpose is to enhance the security of SSH connections by enforcing modern encryption standards, disabling insecure protocols, and reducing potential attack vectors. # The script backs up the original SSH configuration file, applies a new set of secure settings, and then restarts the SSH service to apply the changes. # These settings include disabling password authentication, limiting access to strong ciphers and key exchange methods, and enhancing brute-force protection. # These recommendations are based on Mozilla's guidelines, which can be found here: https://infosec.mozilla.org/guidelines/openssh # Usage: # To run this script, save it as "secure_ssh.sh" and make it executable by running the command: `chmod +x secure_ssh.sh`. # After that, execute it with root privileges using: `sudo ./secure_ssh.sh`. # The script will automatically apply the recommended configuration changes and restart the SSH service. # Variables SSHD_CONFIG="/etc/ssh/sshd_config" # Backup the old configuration cp "$SSHD_CONFIG" "${SSHD_CONFIG}.bak" # Modify the sshd_config file cat < "$SSHD_CONFIG" # Mozilla SSH Security Recommendations Protocol 2 # Enable only secure ciphers Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr # Enable only secure key exchange algorithms KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 # Enable only secure MAC algorithms MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 # Disable password authentication for stronger security PasswordAuthentication no # Disable old host keys HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key # Restrict root access PermitRootLogin no # Strict connection policy MaxAuthTries 3 LoginGraceTime 30 EOL # Restart the SSH service systemctl restart sshd echo "SSH configuration has been updated according to Mozilla's security recommendations."