2 KiB
2 KiB
creation date | tags | ||||||
---|---|---|---|---|---|---|---|
2022-01-08 |
|
SSH
Disable weak ciphers by adding the following to the sshd_config
file:
# Disable weak ciphers
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512
Be sure to disable password auth (PasswordAuthentication no
) and set PermitRootLogin yes
iptables
Install sshguard
. To function properly, add a chain for it (ipv4 and ipv6). Don't forget to restart docker daemon if services don't work properly. Docker manipulates firewall rules.
Ports 22
and 2222
will be monitored in this example.
Also see here.
# IPv4
iptables -N sshguard
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
iptables-save > /etc/iptables/iptables.rules
# IPv6
ip6tables -N sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
ip6tables-save > /etc/iptables/ip6tables.rules
Start with systemctl enable --now sshguard
or restart afterwards with systemctl restart sshguard
to apply or ExecStartPre=
above in sshguard's systemd file.
ExecStartPre=/bin/bash -c '(while ! nc -z -v -w1 localhost 2222 > /dev/null; do echo "Waiting for port 2222 to open..."; sleep 15; done); sleep 10'
or create the following file and execute on every reboot with a certain, e.g. with
[Timer]
OnBootSec=1min
# IPv4
iptables -N sshguard && \
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
iptables-save > /etc/iptables/iptables.rules
# IPv6
ip6tables -N sshguard && \
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
ip6tables-save > /etc/iptables/ip6tables.rules