These steps are taken from the following link. They have other guides for hardening Ubuntu, Debian etc. <\/p>\n\n\n\n
https:\/\/www.sshaudit.com\/hardening_guides.html#rocky9<\/a><\/p>\n\n\n\n <\/p>\n\n\n\n You will need to become the root user, use either su – or sudo -i<\/em><\/p>\n\n\n\n First we need to regenerate the RSA and ED25519 keys<\/p>\n\n\n\n Next, remove the small Diffie-Hellman moduli. The moduli file contains prime numbers and generators. Removing the smaller numbers should help increase security as it makes attempting to factor the private keys harder.<\/p>\n\n\n\n We can now specify which key exchange, ciphers, and algorithms to use.<\/p>\n\n\n\n Add the following to “\/etc\/crypto-policies\/back-ends\/opensshserver.config”<\/p>\n\n\n\n Finally, restart the ssh server<\/p>\n\n\n\n Other helpful links<\/p>\n\n\n\n https:\/\/www.ssh.com\/academy<\/a><\/p>\n\n\n\n https:\/\/www.redhat.com\/en\/blog\/primes-parameters-and-moduli<\/a><\/p>\n\n\n\n https:\/\/security.stackexchange.com\/questions\/79043\/is-it-considered-worth-it-to-replace-opensshs-moduli-file<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" These steps are taken from the following link. They have other guides for hardening Ubuntu, Debian etc. https:\/\/www.sshaudit.com\/hardening_guides.html#rocky9 You will need to become the root user, use either su – or sudo -i First we need to regenerate the RSA … Continue reading rm \/etc\/ssh\/ssh_host_*
ssh-keygen -t rsa -b 4096 -f \/etc\/ssh\/ssh_host_rsa_key -N \"\"
ssh-keygen -t ed25519 -f \/etc\/ssh\/ssh_host_rsa_key -N \"\"<\/code><\/pre>\n\n\n\nawk '$5 >= 3071' \/etc\/ssh\/moduli > \/etc\/ssh\/moduli.safe
mv \/etc\/ssh\/moduli.safe \/etc\/ssh\/moduli<\/code><\/pre>\n\n\n\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nKexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256\n\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\n\nHostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nRequiredRSASize 3072\n\nCASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256\n\nGSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-\n\nHostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256\n\nPubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256<\/code><\/pre>\n\n\n\nsystemctl restart sshd<\/pre>\n\n\n\n