Tag Archives: red hat

Harden SSH for AlmaLinux 9 (RHEL, Fedora)

Posted on by
Reply

These steps are taken from the following link. They have other guides for hardening Ubuntu, Debian etc.

https://www.sshaudit.com/hardening_guides.html#rocky9

You will need to become the root user, use either su – or sudo -i

First we need to regenerate the RSA and ED25519 keys

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_rsa_key -N ""

Next, remove the small Diffie-Hellman moduli. The moduli file contains prime numbers and generators. Removing the smaller numbers should help increase security as it makes attempting to factor the private keys harder.

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli

We can now specify which key exchange, ciphers, and algorithms to use.

Add the following to “/etc/crypto-policies/back-ends/opensshserver.config”

# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

RequiredRSASize 3072

CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-

HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

Finally, restart the ssh server

systemctl restart sshd

Other helpful links

https://www.ssh.com/academy

https://www.redhat.com/en/blog/primes-parameters-and-moduli

https://security.stackexchange.com/questions/79043/is-it-considered-worth-it-to-replace-opensshs-moduli-file

How To change the Hostname in CentOS 7

Posted on by
Reply

Check current hostname with the hostname command.

hostname

Change hostname with hostnamectl

hostnamectl set-hostname newhostname

 

Example:

Changing hostname from “localhost” to “newhost”.

[root@localhost ~]# hostname
localhost
[root@localhost ~]# hostnamectl set-hostname newhost
[root@localhost ~]# hostname
newhost
[root@localhost ~]#

 

 

How to set a static ip address on CentOS, Fedora, or Red Hat Linux

Posted on by
Reply

Open up the following file with your favorite text editor. Change eth0 to the interface you need, like “wlan0” or “eth1”.

 vi /etc/sysconfig/network-scripts/ifcfg-eth0

The file should look something like the following.

DEVICE=eth0
HWADDR=0A:2G:F3:56:66:4B
TYPE=Ethernet
UUID=aeh9421c-6a62-712c-886d-347813g8d1dh
ONBOOT=no
NM_CONTROLLED=yes
BOOTPROTO=dhcp

To set the static IP address change “BOOTPROTO=dhcp” to “BOOTPROTO=static” and add the following to the end of the file. If you want/need the interface to come up when the computer boots up then be sure to change “ONBOOT=no” to “ONBOOT=yes”.

BROADCAST=192.168.1.255
DNS1=8.8.8.8
GATEWAY=192.168.1.1
IPADDR=192.168.1.110
NETMASK=255.255.255.0

Also, on some newer versions of CentOS you may need to add NM_DISABLED=no

So your file should now look like this.

DEVICE=eth0
HWADDR=0A:2G:F3:56:66:4B
TYPE=Ethernet
UUID=aeh9421c-6a62-712c-886d-347813g8d1dh
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
BROADCAST=192.168.1.255
DNS1=8.8.8.8
GATEWAY=192.168.1.1
IPADDR=192.168.1.110
NETMASK=255.255.255.0

Save the file and restart networking.

service network restart

Finally, check you IP address with ifconfig.

root@localhost ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 0A:2G:F3:56:66:4B  
          inet addr:192.168.1.110  Bcast:192.168.1.255  Mask:255.255.255.0