Dokumentation einer sicheren SSH-Konfiguration. Fehler, Verbesserungen oder Anmerkungen können mir gern per Email geschickt werden.

Voraussetzungen

  • Halbwegs sicherer Umgang mit einer Linux Konsole / Terminal.
  • Grundkenntnisse mit ssh.

local ssh

  • ssh -o IdentitiesOnly=yes netuser@nethost
    • Beschränkt ssh auf die explizit per -i bzw. IdentityFile angegebenen Schlüssel, statt alle im Agent geladenen Keys durchzuprobieren; das hilft gegen „Too many authentication failures“, wenn der Agent viele Schlüssel hält. Um sich gezielt mit dem Passwort anzumelden, stattdessen `-o PubkeyAuthentication=no` verwenden.
  • ssh-copy-id -i ~/.ssh/id_ed25519.pub netuser@nethost
  • ssh-copy-id -i ~/.ssh/id_ed25519.pub -o IdentitiesOnly=yes netuser@nethost
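# Configure ssh client.
#
# Run as the user who should own the key and the ~/.ssh/config entry.
# NOTE: "su - user" starts a new interactive shell; the commands below have
# to be entered in that shell, they are not executed by su itself.

THISUSER="frank"

su - "${THISUSER}"

# Ed25519 keys have a fixed size, so "-b" is ignored for them. "-a 100"
# raises the number of KDF rounds protecting the key's passphrase (slower
# to unlock, slower to brute-force). Do set a passphrase.
ssh-keygen -t ed25519 -a 100 -C "${USER}@${HOSTNAME}" -f "${HOME}/.ssh/id_ed25519"

LOCALSSHKEY=~/.ssh/id_ed25519
REMOTENAMESHORT=foo
REMOTENAME=foohostname
REMOTEUSER=foobar

# Append the Host stanza only if it is not there yet, so re-running this
# snippet does not pile up duplicate "Host foo" blocks (ssh uses the first
# value it finds per option, so a stale duplicate would silently win).
if ! grep -qsE "^Host[[:space:]]+${REMOTENAMESHORT}([[:space:]]|$)" ~/.ssh/config; then
cat >> ~/.ssh/config <<__EOF__
Host ${REMOTENAMESHORT}
    HostName ${REMOTENAME}
    User ${REMOTEUSER}
    # "UseRoaming no" was dropped: roaming was removed in OpenSSH 7.2 and
    # current clients only print a deprecation warning for the option.
    PasswordAuthentication no
    # Old alias of KbdInteractiveAuthentication; also blocks PAM password prompts.
    ChallengeResponseAuthentication no
    PubkeyAuthentication yes
    RekeyLimit 64M
    # "curve25519-sha256" is the standardised name (OpenSSH >= 7.4) of the
    # @libssh.org method; list both so older servers still match.
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
    # Only Ed25519 host keys are accepted: a server offering just RSA/ECDSA
    # keys is refused, and a known_hosts entry of another type is not reused.
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
    Ciphers chacha20-poly1305@openssh.com
    # Only consulted if a non-AEAD cipher were negotiated; chacha20-poly1305
    # authenticates on its own.
    MACs hmac-sha2-512-etm@openssh.com
    IdentityFile ${LOCALSSHKEY}
    IdentitiesOnly yes
    VisualHostKey yes
__EOF__
fi

# ~/.ssh and its contents must not be group/world readable; ssh refuses to
# use a private key with looser permissions.
chmod 700 "${HOME}/.ssh"
chmod 600 "${HOME}"/.ssh/*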

server ssh

# Make sure the daemon is installed and running before hardening it.
systemctl status sshd
#systemctl enable sshd
#systemctl start sshd

# Show listening sockets on port 22 (sshd should appear here).
ss -tulpn | grep -F ':22'
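### Hardening SSH server ###
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Backup ssh server config.
cp "${SSHD_CONFIG}" "${SSHD_CONFIG}.bak"
#sshd -T

# set_sshd_option KEY VALUE [FILE]
#   Sets "KEY VALUE" in an sshd_config-style file (default: ${SSHD_CONFIG}).
#   An existing line is rewritten whether it is commented out ("#Key ...")
#   or active ("Key ..."); if the key does not occur at all the line is
#   appended. The plain "sed 's|#Key.*|...'" calls this replaces only hit
#   the commented-out default, so a key that was already active kept its
#   old value.
#   Caveats: lines inside a trailing "Match" block are rewritten as well,
#   and files pulled in via "Include" (e.g. sshd_config.d/*.conf, where
#   cloud images often set "PasswordAuthentication yes") win over this file
#   because sshd uses the first value it reads -- always confirm the
#   effective settings with "sshd -T". VALUE must not contain "|" or "&".
set_sshd_option() {
  local key="$1" value="$2" file="${3:-${SSHD_CONFIG}}"
  if grep -qE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "${file}"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "${file}"
  else
    printf '%s %s\n' "${key}" "${value}" >> "${file}"
  fi
}

# Root never logs in directly; use an unprivileged user plus sudo/su.
set_sshd_option PermitRootLogin no
# Fewer attempts per connection slows down online brute force.
set_sshd_option MaxAuthTries 3
set_sshd_option PubkeyAuthentication yes
set_sshd_option IgnoreRhosts yes
# Key-only login. "PasswordAuthentication no" alone is not enough: with
# keyboard-interactive (PAM) still enabled, sshd can still prompt for a
# password. ChallengeResponseAuthentication is the pre-8.7 name of
# KbdInteractiveAuthentication and is still accepted by newer versions.
set_sshd_option PasswordAuthentication no
set_sshd_option ChallengeResponseAuthentication no
set_sshd_option PermitEmptyPasswords no
set_sshd_option X11Forwarding no
# Reverse lookups add login latency and only matter for "from=" host
# patterns in authorized_keys; the earlier "UseDNS yes" bought nothing.
set_sshd_option UseDNS no

# Validate the syntax before the restart further below; a typo would
# otherwise leave you without a working sshd.
sshd -t -f "${SSHD_CONFIG}"

#echo "Keep in mind that a logon with password is not allowed any more!"

cat "${SSHD_CONFIG}"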


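SSH_CONFIG="${SSH_CONFIG:-/etc/ssh/ssh_config}"
cp "${SSH_CONFIG}" "${SSH_CONFIG}.bak"

# set_ssh_client_option KEY VALUE [FILE]
#   Sets "    KEY VALUE" (indented like the options inside the stock
#   "Host *" stanza) in an ssh_config-style file (default: ${SSH_CONFIG}).
#   A commented-out default ("#   Key ...") or an active line is rewritten
#   in place; otherwise the line is appended. Appended lines end up after
#   the last stanza -- on Debian/Ubuntu's stock file that is "Host *", so
#   they still apply everywhere; check the file if your distro ships other
#   stanzas. VALUE must not contain "|" or "&".
set_ssh_client_option() {
  local key="$1" value="$2" file="${3:-${SSH_CONFIG}}"
  if grep -qE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "${file}"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|    ${key} ${value}|" "${file}"
  else
    printf '    %s %s\n' "${key}" "${value}" >> "${file}"
  fi
}

# Stock defaults for reference (commented out in the shipped file):
#   ForwardX11 no / ForwardX11Trusted yes / PasswordAuthentication yes
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com / VisualHostKey no
#   RekeyLimit 1G 1h / GSSAPIAuthentication yes (active on Debian)

set_ssh_client_option ForwardX11 no
# Key-only login on the client side too; ChallengeResponseAuthentication is
# the old alias of KbdInteractiveAuthentication and still accepted.
set_ssh_client_option PasswordAuthentication no
set_ssh_client_option ChallengeResponseAuthentication no
# No-op on OpenSSH >= 7.4 (SSH-1 was removed); harmless for older clients.
set_ssh_client_option Protocol 2
# Broader alternative: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
set_ssh_client_option Ciphers chacha20-poly1305@openssh.com
# The MAC name is "hmac-sha2-512-etm@openssh.com"; the previous
# "mac-sha2-512-etm@openssh.com" is not a valid MAC and made every ssh
# invocation fail to start.
set_ssh_client_option MACs hmac-sha2-512-etm@openssh.com
set_ssh_client_option VisualHostKey yes
set_ssh_client_option RekeyLimit 64M
set_ssh_client_option GSSAPIAuthentication no
# System-wide Ed25519-only host keys: connections to servers that offer
# only RSA/ECDSA host keys will be refused, and existing known_hosts
# entries of other key types are not reused. Override per host if needed.
set_ssh_client_option HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
set_ssh_client_option KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org

cat "${SSH_CONFIG}"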

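# Restart
# Keep the current session open and test a fresh login from a second
# terminal before closing it: if the new config rejects your key you still
# have a shell to restore /etc/ssh/sshd_config.bak from. "sshd -t" only
# checks the syntax; a typo would otherwise leave sshd down after restart.
if sshd -t; then
  systemctl restart sshd
else
  echo "sshd_config is invalid, not restarting sshd" >&2
fi

# Check
# "sshd -T" prints the effective values after Include files and Match
# blocks; the filtered lines must show what was set above (e.g.
# "passwordauthentication no", "permitrootlogin no").
sshd -T
sshd -T | grep -iE '^(permitrootlogin|passwordauthentication|challengeresponseauthentication|kbdinteractiveauthentication|pubkeyauthentication|x11forwarding|usedns|maxauthtries) '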

Fail2Ban

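# Backups for reference only: jail.conf and fail2ban.conf are replaced on
# package upgrades, so local changes belong in jail.local (or jail.d/*.local),
# never in the .conf files themselves.
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.conf.bak
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak

# Enable the sshd jail unless a local override already exists; bantime /
# findtime / maxretry defaults come from jail.conf and can be overridden in
# the same [sshd] section.
if [[ ! -e /etc/fail2ban/jail.local ]]; then
  cat > /etc/fail2ban/jail.local <<'__EOF__'
[sshd]
enabled = true
__EOF__
fi

systemctl restart fail2ban

# Check: the sshd jail must be listed; after a few failed logins it should
# show banned addresses here.
fail2ban-client status sshd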

ssh tunnel

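# Local forward: connections to localhost:local_port on this machine are
# carried through the SSH server to remote_address:remote_port, as seen
# from the server. All three fields are required.
#ssh -L local_port:remote_address:remote_port username@server.com
ssh -L 8888:192.168.0.110:1234 bob@ssh.youroffice.com
ssh alice@10.40.1.110 -L 8888:10.40.1.110:443
# 127.0.0.1 here is the *server's* loopback: a service bound only to
# localhost on 10.40.1.104 becomes reachable as https://localhost:8888/.
ssh alice@10.40.1.104 -L 8888:127.0.0.1:443

# The earlier "-L 8888:127.0.0.1" lacked the remote port and is rejected by
# ssh as a bad forwarding specification; 443 is a placeholder, use the port
# of the service you actually want to reach.
ssh -L 8888:127.0.0.1:443 alice@10.40.1.110

# Remote (reverse) forward: port 2210 on the SSH server is connected back to
# port 22 on this machine, so the server side can reach this host's sshd.
# The forwarded port binds to the server's loopback unless its sshd sets
# GatewayPorts -- keep in mind that every account on that server can then
# reach your local sshd. -f backgrounds ssh after authentication, -N runs no
# remote command, -T requests no pty. The option dashes must be plain ASCII
# "-"; the typographic dash ("–") used before is not an option prefix and
# the command fails.
# ssh -f -N -T -R 2210:localhost:22 username@yourMachine.com
ssh -f -N -T -R 2210:localhost:22 alice@10.40.1.110
ssh -R 2210:localhost:22 alice@10.40.1.110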

Quellen