lapatatedouce/scripts-admin-debian
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
0b22289e5682cbce20cf582e3b2cda75eb58374c
scripts-admin-debian/miscellaneous/secure_ssh.sh
Philippe Favre a6d6c8278c Ajouter miscellaneous/secure_ssh.sh
2024-10-31 21:01:42 +01:00

50 lines
2.1 KiB
Bash
Raw Blame History

#!/bin/bash
# This script is designed to configure the SSH server on a Linux system according to Mozilla's security best practices.
# Its main purpose is to enhance the security of SSH connections by enforcing modern encryption standards, disabling insecure protocols, and reducing potential attack vectors.
# The script backs up the original SSH configuration file, applies a new set of secure settings, and then restarts the SSH service to apply the changes.
# These settings include disabling password authentication, limiting access to strong ciphers and key exchange methods, and enhancing brute-force protection.
# These recommendations are based on Mozilla's guidelines, which can be found here: https://infosec.mozilla.org/guidelines/openssh
# Usage:
# To run this script, save it as "secure_ssh.sh" and make it executable by running the command: `chmod +x secure_ssh.sh`.
# After that, execute it with root privileges using: `sudo ./secure_ssh.sh`.
# The script will automatically apply the recommended configuration changes and restart the SSH service.
# Variables
SSHD_CONFIG="/etc/ssh/sshd_config"
# Backup the old configuration
cp "$SSHD_CONFIG" "${SSHD_CONFIG}.bak"
# Modify the sshd_config file
cat <<EOL > "$SSHD_CONFIG"
# Mozilla SSH Security Recommendations
Protocol 2
# Enable only secure ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Enable only secure key exchange algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# Enable only secure MAC algorithms
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
# Disable password authentication for stronger security
PasswordAuthentication no
# Disable old host keys
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Restrict root access
PermitRootLogin no
# Strict connection policy
MaxAuthTries 3
LoginGraceTime 30
EOL
# Restart the SSH service
systemctl restart sshd
echo "SSH configuration has been updated according to Mozilla's security recommendations."
Reference in New Issue View Git Blame Copy Permalink