CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

so-ssh-harden fixes

Browse Source 
* Change when script is run during setup
* Add newlines to sshd config for legibility
This commit is contained in:
William Wernert
2021-03-23 14:06:10 -04:00
parent 197693df4e
commit 23cd006724
3 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
salt/common/tools/sbin/so-ssh-harden
View File

@@ -38,8 +38,12 @@ print_msg() {
fi
}
# Add newline to ssh for legibility
echo "" >> /etc/ssh/sshd_config
if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi
sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config
echo "" >> /etc/ssh/sshd_config
if ! [[ $quiet ]]; then
print_sshd_t "ciphers" "After"
echo ""
@@ -51,6 +55,7 @@ fi
if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi
sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config
echo "" >> /etc/ssh/sshd_config
if ! [[ $quiet ]]; then
print_sshd_t "kexalgorithms" "After"
echo ""
@@ -62,6 +67,7 @@ fi
if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi
sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config
echo "" >> /etc/ssh/sshd_config
if ! [[ $quiet ]]; then
print_sshd_t "macs" "After"
echo ""
@@ -73,6 +79,7 @@ fi
if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi
sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config
echo "" >> /etc/ssh/sshd_config
if ! [[ $quiet ]]; then
print_sshd_t "hostkeyalgorithms" "After"
echo ""
@@ -90,4 +97,3 @@ fi
{% if grains['os'] != 'CentOS' %}
print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
{% endif %}

2
setup/so-functions
View File

@@ -1436,8 +1436,6 @@ install_cleanup() {
info "Removing so-setup permission entry from sudoers file"
sed -i '/so-setup/d' /etc/sudoers
fi
so-ssh-harden -q
}
import_registry_docker() {

1
setup/so-setup
View File

@@ -888,6 +888,7 @@ set_redirect >> $setup_log 2>&1
set_progress_str 85 'Applying finishing touches'
filter_unused_nics >> $setup_log 2>&1
network_setup >> $setup_log 2>&1
so-ssh-harden -q >> $setup_log 2>&1
if [[ $is_manager || $is_import ]]; then
set_progress_str 87 'Adding user to SOC'