
could ssh-audit print desired config or add Generic guide documentation #191

Open
danie-dejager opened this issue May 15, 2023 · 6 comments

Comments

@danie-dejager

danie-dejager commented May 15, 2023

Can ssh-audit not print out the desired sshd config as an option or will it be possible to add a generic section to the guides? There are no guides for RHEL 9 based distros yet. I have some items I'm unsure how to resolve. Like:

  • key algorithm to change (increase modulus size to 3072 bits or larger)
    I have updated my moduli from the commands given in the hardening guide.
@danie-dejager danie-dejager changed the title Generic guide documentation could ssh-audit print desired config or add Generic guide documentation May 15, 2023
@jtesta
Owner

jtesta commented Jun 20, 2023

> Can ssh-audit not print out the desired sshd config as an option

This would require ssh-audit to be able to precisely identify the server's precise OpenSSH version. This isn't as easy as it sounds, as some distros back-port changes without bumping version numbers.

> will it be possible to add a generic section to the guides?

I'm not sure what you mean here. The guides are very specific to each OS/platform otherwise the commands would fail.

> I have some items I'm unsure how to resolve. Like: key algorithm to change (increase modulus size to 3072 bits or larger)

Sounds like this is a failure related to your RSA host keys. This would be fixed by re-generating them using ssh-keygen -t rsa -b 3072 -f /path/to/your/RSA/key
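A way to find out which host keys actually trigger that finding before touching anything, as an added example that is not ssh-audit's code or part of the hardening guides: it parses the `ssh-keygen -l` summary line (`<bits> <fingerprint> <comment> (<TYPE>)`) for each public host key and lists only RSA keys below the requested size. The default key paths and the 3072-bit threshold are assumptions taken from the discussion above; regeneration is left to the operator because a new host key changes the fingerprint every client has pinned.

```sh
#!/bin/sh
# Added example (not ssh-audit's own code): report OpenSSH host keys whose
# RSA modulus is below a minimum size, using `ssh-keygen -l` output.
# Only RSA keys have a tunable size; ED25519 keys are never flagged.

# host_key_needs_regen "<ssh-keygen -l line>" <min_bits>
# ssh-keygen -l prints: "<bits> <fingerprint> <comment> (<TYPE>)".
# Returns 0 (true) when the key is RSA and smaller than min_bits, else 1.
host_key_needs_regen() {
    line=$1
    min_bits=$2
    bits=$(printf '%s\n' "$line" | awk '{print $1}')
    type=$(printf '%s\n' "$line" | awk '{print $NF}' | tr -d '()')
    [ "$type" = "RSA" ] && [ "$bits" -lt "$min_bits" ]
}

# list_weak_host_keys <min_bits> [key.pub ...]
# Prints the private-key path of every RSA host key below min_bits and
# nothing when all are acceptable. Assumed default: /etc/ssh/ssh_host_*_key.pub.
list_weak_host_keys() {
    min_bits=$1; shift
    if [ $# -eq 0 ]; then set -- /etc/ssh/ssh_host_*_key.pub; fi
    for pub in "$@"; do
        [ -r "$pub" ] || continue
        info=$(ssh-keygen -l -f "$pub" 2>/dev/null) || continue
        if host_key_needs_regen "$info" "$min_bits"; then
            printf '%s\n' "${pub%.pub}"
        fi
    done
}

# Regeneration is deliberately not automatic: replacing a host key changes
# the fingerprint every client has stored in known_hosts, so schedule it
# and announce it before running ssh-keygen -t rsa -b 3072 -f <path>.
if [ "${1:-}" = "--check" ]; then
    weak=$(list_weak_host_keys 3072)
    if [ -n "$weak" ]; then
        echo "RSA host keys below 3072 bits (regenerate with: ssh-keygen -t rsa -b 3072 -f <path>):"
        echo "$weak"
    else
        echo "No RSA host keys below 3072 bits found."
    fi
fi
```

Run it as `sh check_host_keys.sh --check` on the server; pass explicit `.pub` paths after the threshold to `list_weak_host_keys` when the keys live somewhere other than `/etc/ssh`.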

@danie-dejager
Author

danie-dejager commented Jun 20, 2023

@jtesta
I'm happy with the existing process and just thought that if there could be a desired config for a distro, as is currently done from the website, then I could harden sites without access to the internet. But then I can just as well get the commands before the hardening is applied.
I thought something like:

ssh-audit --Centos7-sshd_config or
ssh-audit --RHEL9-sshd_config
ssh-audit --RHEL9-ssh_config
and print out the same command you'd find on the web for those distros.

What I mean with a generic guide is that I have / had some older hosts where I compile openssh from source and replace the default package. When I apply the guide matching the OS (like Centos 7) I don't get a flawless audit but what you mentioned last, about regenerating the rsa key. Now that makes sense as I could not do that step for the host in question without reaching out to external parties connecting to the server first.

@jtesta
Owner

jtesta commented Jun 20, 2023

> I thought something like:
>
> ssh-audit --Centos7-sshd_config or
> ssh-audit --RHEL9-sshd_config
> ssh-audit --RHEL9-ssh_config

Ahh, I see what you mean. Sure, that would be pretty straightforward to add, but that would also increase my ongoing maintenance costs. I already feel like I'm always slightly behind, so perhaps this won't get implemented for the time being.

However, if enough people want this feature, I'll certainly reconsider. Feel free to vote on this issue by adding a thumbs-up emoji to this comment.

oam7575 added a commit to oam7575/ssh-audit that referenced this issue Oct 27, 2024
@oam7575
Contributor

oam7575 commented Oct 27, 2024

hello @jtesta , @daniejstriata

I have a draft implementation that prints out Server and Client configuration guides taken from Joe's website: https://www.ssh-audit.com/hardening_guides.html

The code is in a new branch here : https://github.com/oam7575/ssh-audit/tree/print_harden_guide
This branch makes use of my changes from getopts to Argparse in PR #304

I will not create a pull request for this branch until such time as the argparse changes are merged as any clean up work for PR #304 will likely have flow on effects for this branch.

Notes:
The code is deliberately as simple as I could make it and does not make use of the OutputBuffer code.
It intentionally uses raw print(' ') and print(f' ') to try and avoid any potential formatting or copy / paste issues.

I can appreciate that this may need to be adjusted if / when the time comes.

Example 1:
Requesting Server Config for Ubuntu 2204
python3 ssh-audit.py --print-config "Ubuntu 2404 Server"

Result:

Locating configuration for Ubuntu 2404 - Server

Re-generate the ED25519 and RSA keys

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

Remove small Diffie-Hellman moduli

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli

Enable the ED25519 and RSA keys

Enable the ED25519 and RSA HostKey directives in the /etc/ssh/sshd_config file:

echo -e "\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config

Restrict supported key exchange, cipher, and MAC algorithms

echo -e "# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms [email protected],gss-curve25519-sha256-,curve25519-sha256,[email protected],diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,gss-group16-sha512-,diffie-hellman-group16-sha512\n\nCiphers [email protected],[email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr\n\nMACs [email protected],[email protected],[email protected]\n\nRequiredRSASize 3072\n\nHostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nCASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nPubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf

Restart OpenSSH server

service ssh restart

Implement connection rate throttling

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP

Enable persistence of the iptables rules across server reboots:

DEBIAN_FRONTEND=noninteractive apt install -q -y netfilter-persistent iptables-persistent
service netfilter-persistent save

Restart OpenSSH server

service ssh restart

Example 2:
Requesting Client config for Mint 22
python3 ssh-audit.py --print-config "Mint 22 Client"

Result:

Locating configuration for Mint 22 - Client

Run the following in a terminal to harden the SSH client for the local user:

mkdir -p -m 0700 ~/.ssh; echo -e "\nHost *\n Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr\n\n KexAlgorithms [email protected],gss-curve25519-sha256-,curve25519-sha256,[email protected],diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,gss-group16-sha512-,diffie-hellman-group16-sha512\n\n MACs [email protected],[email protected],[email protected]\n\n RequiredRSASize 3072\n\n HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\n HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\n" >> ~/.ssh/config

Example 3:
Requesting an unknown server / client configuration
python3 ssh-audit.py --print-config "Minty 22 Client"

Result:


Error unknown variant : Minty 22 Client
For current, community developed and legacy guides
check the website : https://www.ssh-audit.com/hardening_guides.html

Ensure your configuration is "quote encapsulated"

Supported Server Configurations :
"Amazon 2023 Server"
"Debian Bookworm Server"
"Debian Bullseye Server"
"Rocky 9 Server"
"Ubuntu 2404 Server"
"Ubuntu 2204 Server"
"Ubuntu 2004 Server"

Supported Client Configurations :
"Amazon 2023 Client"
"Debian Bookworm Client"
"Mint 22 Client"
"Mint 21 Client"
"Mint 20 Client"
"Rocky 9 Client"
"Ubuntu 2404 Client"
"Ubuntu 2204 Client"
"Ubuntu 2004 Client"
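The "Remove small Diffie-Hellman moduli" step in Example 1 above hides a detail worth checking rather than trusting: in /etc/ssh/moduli the fifth field is the prime's bit length minus one (see moduli(5)), which is why the guide keeps `$5 >= 3071` to retain 3072-bit groups and larger. The script below is an added example, not ssh-audit's code or part of the printed guide: it prunes a moduli file, reports the smallest group that survives, and refuses to install an empty result, since a moduli file with no groups breaks `diffie-hellman-group-exchange-*` key exchange. The sample moduli lines are constructed (the hex primes are truncated placeholders) and the /etc/ssh/moduli path is the guide's default.

```sh
#!/bin/sh
# Added example (not ssh-audit's or the hardening guide's code): prune and
# verify an OpenSSH moduli file. Each non-comment line is
#   <time> <type> <tests> <trials> <size> <generator> <modulus-hex>
# where <size> is the bit length of the prime MINUS ONE.

# prune_moduli <in> <out> <min_bits>
# Writes comments and every group of at least min_bits to <out>.
prune_moduli() {
    awk -v min="$3" '
        /^#/ { print; next }               # keep header comments
        NF >= 7 && $5 + 1 >= min { print } # size field is bits - 1
    ' "$1" > "$2"
}

# count_moduli <file>: number of DH groups in the file (0 if none).
count_moduli() {
    awk '!/^#/ && NF >= 7 { n++ } END { print n + 0 }' "$1"
}

# smallest_modulus_bits <file>: bit length of the smallest group, 0 if none.
smallest_modulus_bits() {
    awk '!/^#/ && NF >= 7 { b = $5 + 1; if (min == "" || b < min) min = b }
         END { print min + 0 }' "$1"
}

# install_pruned_moduli <file> <min_bits>
# Replaces <file> in place, but only when at least one group survives.
install_pruned_moduli() {
    prune_moduli "$1" "$1.safe" "$2"
    if [ "$(count_moduli "$1.safe")" -gt 0 ]; then
        mv "$1.safe" "$1"
    else
        rm -f "$1.safe"
        echo "refusing to install an empty moduli file: $1" >&2
        return 1
    fi
}

# write_sample_moduli <file>: constructed sample with 2048-, 3072- and
# 4096-bit groups; the modulus column is a truncated placeholder.
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20230101000000 2 6 100 2047 2 C0FFEE
20230101000000 2 6 100 3071 2 DEADBEEF
20230101000000 2 6 100 4095 5 FEEDFACE
EOF
}

# Usage: sh prune_moduli.sh --install   (acts on /etc/ssh/moduli, assumed path)
if [ "${1:-}" = "--install" ]; then
    install_pruned_moduli /etc/ssh/moduli 3072 &&
        echo "smallest remaining group: $(smallest_modulus_bits /etc/ssh/moduli) bits"
fi
```

After installing, `smallest_modulus_bits /etc/ssh/moduli` should print 3072 or more; if it prints 0 the pruning removed everything and the original file should be restored from the distribution package before restarting sshd.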

@oam7575
Contributor

oam7575 commented Nov 24, 2024

@daniejstriata @jtesta

PR #307

  • Have run TOX tests locally.
  • Have implemented a test file for the print_config module.
  • Quotes " " should no longer be needed.

Usage as per my previous comments, without quotes:

python3 ssh-audit.py --print-config Ubuntu 2204 Server

Result:

SSH-Audit Version : v3.4.0-dev

Guides Last modified : 2024-10-01

Locating configuration for Ubuntu 2204 - Server

Re-generate the ED25519 and RSA keys

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

Remove small Diffie-Hellman moduli

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli

Enable the ED25519 and RSA keys

Enable the ED25519 and RSA HostKey directives in the /etc/ssh/sshd_config file:

echo -e "\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config

Restrict supported key exchange, cipher, and MAC algorithms

echo -e "# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms [email protected],curve25519-sha256,[email protected],gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\nCiphers [email protected],[email protected],aes256-ctr,aes192-ctr,[email protected],aes128-ctr\n\nMACs [email protected],[email protected],[email protected]\n\nHostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nCASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256\n\nPubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,[email protected],rsa-sha2-256" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf

Restart OpenSSH server

service ssh restart

Implement connection rate throttling

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP

Enable persistence of the iptables rules across server reboots:

DEBIAN_FRONTEND=noninteractive apt install -q -y netfilter-persistent iptables-persistent
service netfilter-persistent save

Restart OpenSSH server

service ssh restart

There are a whole lot of raw print statements, e.g. print(r"some string with a "), due to lots of double quotes, single quotes and slashes ( / \ ) in the strings.

I have run tox several times and made best effort to ensure correctness - however I have been known to make mistakes.

@oam7575
Contributor

oam7575 commented Nov 24, 2024

A simple bash script to run the commands "auto magically" for all iterations and "known bad values"

This will print everything directly to console, along with a whole host of "this is not a valid server"

#!/bin/bash
# Exercise every vendor/version/type combination, including values that
# are deliberately invalid ("NoOS", "NoVersion", "Mistake"), so the
# unknown-variant error path gets hit as well as the valid guides.

for vendor in "Amazon" "Debian" "Rocky" "Mint" "Ubuntu" "NoOS"; do
    for os_ver in "2404" "2204" "2004" "1804" "2023" "22" "21" "20" "9" "Bookworm" "Bullseye" "NoVersion"; do
        for cs_type in "Client" "Server" "Mistake"; do
            STRING="$vendor $os_ver $cs_type"
            # $STRING is intentionally unquoted: --print-config takes the
            # vendor, version and type as separate arguments.
            /bin/python3 ssh-audit.py "--print-config" $STRING
        done
    done
done
