From 85cda756b8715a6f59828bc87b805f0d52c0cbd8 Mon Sep 17 00:00:00 2001
From: ahuston-0
Date: Fri, 29 Dec 2023 11:33:17 -0500
Subject: [PATCH] Add hardened SSH config

Signed-off-by: ahuston-0
---
 systems/configuration.nix | 50 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/systems/configuration.nix b/systems/configuration.nix
index 0b2df0c..a373d56 100644
--- a/systems/configuration.nix
+++ b/systems/configuration.nix
@@ -32,6 +32,56 @@
 settings = {
 PermitRootLogin = "no";
 PasswordAuthentication = false;
+ # below config options from https://sysadministrivia.com/news/hardening-ssh-security
+ KexAlgorithms = [
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group-exchange-sha256"
+ ];
+ Ciphers = [
+ "chacha20-poly1305@openssh.com"
+ "aes256-gcm@openssh.com"
+ "aes128-gcm@openssh.com"
+ "aes256-ctr"
+ "aes192-ctr"
+ "aes128-ctr"
+ ];
+ MACs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ "hmac-sha2-512"
+ "hmac-sha2-256"
+ "umac-128@openssh.com"
+ ];
+ # below is a modified default to include ecdsa (as per this https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67)
+ hostKeys = [
+ {
+ bits = 4096;
+ path = "/etc/ssh/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ {
+ path = "/etc/ssh/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ {
+ path = "/etc/ssh/ssh_host_ecdsa_key";
+ type = "ecdsa";
+ }
+ ];
+
+ # below config options from Lynis recommendations
+ ClientAliveCountMax =2;
+ Compression = "NO";
+ MaxAuthTries = 3;
+ MaxSessions = 2;
+ # Commenting below as I'm not sure if this will break things
+ # TCPKeepAlive = "NO";
+ # UseDNS = "NO";
+
+ # below config options from https://linux-audit.com/audit-and-harden-your-ssh-configuration/
+ IgnoreRhosts = "yes";
+ PermitEmptyPasswords = "no";
 };
 };
 };
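Review bot: `ClientAliveCountMax =2;` does nothing on its own — sshd only sends client-alive probes when `ClientAliveInterval` is non-zero, and its default is 0, so the Lynis recommendation needs both, e.g. `ClientAliveInterval = 300;` next to `ClientAliveCountMax = 2;`. The key `MACs` probably does not replace the NixOS module's typed `Macs` option (Nix attribute names are case-sensitive, sshd keywords are not, and sshd keeps the first occurrence of a keyword), so the rendered sshd_config may carry two MAC lines with whichever comes first winning — presumably the intent is `Macs = [ ... ];`, verify against the module. `diffie-hellman-group-exchange-sha256` is only as strong as the groups in `/etc/ssh/moduli`; the Mozilla guide cited in the hostKeys comment pairs it with pruning moduli below 3071 bits, which this commit does not do (NixOS exposes `services.openssh.moduliFile` for that), so either prune or drop that KEX and keep only the curve25519 entries, and note that the explicit list also drops the post-quantum hybrid `sntrup761x25519-sha512@openssh.com` that the module default includes, I believe. Stylistically, `Compression = "NO"`, `IgnoreRhosts = "yes"` and `PermitEmptyPasswords = "no"` mix string pseudo-booleans with the `false` used on `PasswordAuthentication` two lines above; the module renders Nix booleans as yes/no, so `Compression = false;` is the consistent form, and the last two are already sshd defaults and moot with password authentication disabled. The enclosing `settings = { ... }` attribute set begins before this hunk.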