Installing the SSH Audit tool:<\/p>\n
sudo snap install ssh-audit\r\n\r\nOR\r\n\r\npip3 install ssh-audit\r\n\r\nOR\r\n\r\ndocker pull positronsecurity\/ssh-audit<\/pre>\nAuditing SSH hosts:<\/p>\n
ssh-audit example.com\r\nssh-audit 10.10.10.10\r\nssh-audit -T servers.txt<\/pre>\nList and run an audit against a host:<\/p>\n
ssh-audit -L\r\nssh-audit -P 'Hardened Ubuntu Server 20.04 LTS (version 1)' 10.10.10.10<\/pre>\n
\nHardening Ubuntu 20.04 SSH:<\/p>\n
rm \/etc\/ssh\/ssh_host_*\r\nssh-keygen -t rsa -b 4096 -f \/etc\/ssh\/ssh_host_rsa_key -N \"\"\r\nssh-keygen -t ed25519 -f \/etc\/ssh\/ssh_host_ed25519_key -N\r\nawk '$5 >= 3071' \/etc\/ssh\/moduli > \/etc\/ssh\/moduli.safe\r\nmv \/etc\/ssh\/moduli.safe \/etc\/ssh\/moduli\r\nsed -i 's\/^\\#HostKey \\\/etc\\\/ssh\\\/ssh_host_\\(rsa\\|ed25519\\)_key$\/HostKey \\\/etc\\\/ssh\\\/ssh_host_\\1_key\/g' \/etc\/ssh\/sshd_config\r\necho -e \"\\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\\n# hardening guide.\\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com\" > \/etc\/ssh\/sshd_config.d\/ssh-audit_hardening.conf\r\nsystemctl restart ssh<\/pre>\nCheck the result of the hardened host running another audit against it.<\/p>\n","protected":false},"excerpt":{"rendered":"
Installing the SSH Audit tool: sudo snap install ssh-audit OR pip3 install ssh-audit OR docker […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,6],"tags":[],"class_list":["post-2214","post","type-post","status-publish","format-standard","hentry","category-linux","category-raspberry-pi"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2214"}],"version-history":[{"count":2,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2214\/revisions"}],"predecessor-version":[{"id":5482,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2214\/revisions\/5482"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}