61 lines
2 KiB
Markdown
61 lines
2 KiB
Markdown
---
|
|
creation date: 2022-01-08
|
|
tags: [note,archlinux,linux,security,ssh,iptables]
|
|
---
|
|
|
|
## SSH
|
|
Disable weak ciphers by adding the following to the `sshd_config` file:
|
|
|
|
```shell
|
|
# Disable weak ciphers
|
|
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512
|
|
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
|
|
HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512
|
|
```
|
|
|
|
Be sure to disable password auth (`PasswordAuthentication no`) and set `PermitRootLogin yes`
|
|
|
|
## iptables
|
|
|
|
Install `sshguard`. To function properly, add a chain for it (ipv4 and ipv6). Don't forget to restart docker daemon if services don't work properly. Docker manipulates firewall rules.
|
|
|
|
Ports `22` and `2222` will be monitored in this example.
|
|
|
|
Also see [here](https://wiki.archlinux.org/index.php/Sshguard#iptables).
|
|
|
|
```shell
|
|
# IPv4
|
|
iptables -N sshguard
|
|
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
|
|
iptables-save > /etc/iptables/iptables.rules
|
|
|
|
# IPv6
|
|
ip6tables -N sshguard
|
|
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
|
|
ip6tables-save > /etc/iptables/ip6tables.rules
|
|
```
|
|
|
|
Start with `systemctl enable --now sshguard` or restart afterwards with `systemctl restart sshguard` to apply or `ExecStartPre=` above in sshguard's systemd file.
|
|
|
|
```shell
|
|
ExecStartPre=/bin/bash -c '(while ! nc -z -v -w1 localhost 2222 > /dev/null; do echo "Waiting for port 2222 to open..."; sleep 15; done); sleep 10'
|
|
```
|
|
|
|
or create the following file and execute on every reboot with a certain, e.g. with
|
|
|
|
```shell
|
|
[Timer]
|
|
OnBootSec=1min
|
|
```
|
|
|
|
```shell
|
|
# IPv4
|
|
iptables -N sshguard && \
|
|
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
|
|
iptables-save > /etc/iptables/iptables.rules
|
|
|
|
# IPv6
|
|
ip6tables -N sshguard && \
|
|
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
|
|
ip6tables-save > /etc/iptables/ip6tables.rules
|
|
```
|