Last active
September 7, 2025 20:43
-
-
Save theendofline/a2ff0761a0bddc78228fc0f5d636bf2e to your computer and use it in GitHub Desktop.
Harden Ubuntu 24.04 Server with the ssh audit recommendations
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SSH hardening (run as root). From https://www.sshaudit.com/hardening_guides.html#ubuntu_24_04_lts | |
| #!/bin/bash | |
| set -eux pipefail | |
| # Re-generate the ED25519 and RSA keys | |
| sudo rm -f /etc/ssh/ssh_host_* | |
| sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" | |
| sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" | |
| # Remove small Diffie-Hellman moduli | |
| sudo awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe || true | |
| sudo mv /etc/ssh/moduli.safe /etc/ssh/moduli || true | |
| # Restrict supported key exchange, cipher, and MAC algorithms (as per sshaudit Ubuntu 24.04 guide) | |
| sudo tee /etc/ssh/sshd_config.d/ssh-audit_hardening.conf >/dev/null << 'EOF_CRYPTO' | |
| # Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com hardening guide. | |
| KexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,gss-group16-sha512-,diffie-hellman-group16-sha512 | |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr | |
| MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com | |
| RequiredRSASize 3072 | |
| HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 | |
| CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 | |
| GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512- | |
| HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 | |
| PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256 | |
| EOF_CRYPTO | |
| # Restart OpenSSH server | |
| sudo service ssh restart | |
| # Implement connection rate throttling | |
| sudo iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set || true | |
| sudo iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP || true | |
| sudo ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set || true | |
| sudo ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP || true | |
| sudo DEBIAN_FRONTEND=noninteractive apt install -q -y netfilter-persistent iptables-persistent || true | |
| sudo service netfilter-persistent save || true |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment