Fix the security and privacy of your Ubuntu 16.04, 16.10, and 17.04 web server access. Fuck global mass surveillance.
Special thanks to @stribika for writing a very similar guide two years ago.
From “man sshd_config”
allowable ciphers
Run “ssh -Q cipher” to list the ciphers your OpenSSH build supports; run it on both client and server before choosing a “Ciphers” line, since a value neither side supports just fails the connection.
Specifies the ciphers allowed. Multiple ciphers must be comma-separated. If the specified value begins with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replacing them.
allowable message authentication code algorithms
Run “ssh -Q mac” to list the MAC algorithms your OpenSSH build supports, again on both client and server, before choosing “MACs”.
Specifies the available MAC (message authentication code) algorithms. The MAC algorithm is used for data integrity protection. Multiple algorithms must be comma-separated. If the specified value begins with a ‘+’ character, then the specified algorithms will be appended to the default set instead of replacing them. The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended.
allowable key exchange algorithms
Run “ssh -Q kex” to list the key exchange algorithms your OpenSSH build supports, on both client and server, before choosing “KexAlgorithms”.
Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. Alternately if the specified value begins with a ‘+’ character, then the specified methods will be appended to the default set instead of replacing them.
allowable server key algorithms
Run “ssh -Q key” to list the key types your OpenSSH build supports; “HostKeyAlgorithms” on the server takes values from this list, but it can only ever offer algorithms for which a HostKey file actually exists.
Specifies the host key algorithms that the server offers.
allowable key authentication types
“HostbasedAcceptedKeyTypes” takes the same key types listed by “ssh -Q key”; it only matters if you turn on host-based authentication, which this guide does not.
Specifies the key types that will be accepted for hostbased authentication as a comma-separated pattern list. Alternately if the specified value begins with a ‘+’ character, then the specified key types will be appended to the default set instead of replacing them.
allowable public key authentication types
“PubkeyAcceptedKeyTypes” takes the same key types listed by “ssh -Q key”; this is the list that decides which client keys (such as the ed25519 key generated further down) the server will accept.
Specifies the key types that will be accepted for public key authentication as a comma-separated pattern list. Alternately if the specified value begins with a ‘+’ character, then the specified key types will be appended to the default set instead of replacing them.
Fix your server keys
cd /etc/ssh
sudo rm ssh_host_*key*
sudo ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
Clients that already know this host will get a host-key-changed warning on their next connection; give them the new ed25519 fingerprint out of band so they can verify it instead of blindly accepting it.
Amending sshd
sudo vim /etc/ssh/sshd_config
Only use the ed25519 key (delete the others):
HostKey /etc/ssh/ssh_host_ed25519_key
Add these lines (tailor them down based on what you know your client and server have available (see above for “ssh -Q x” options)). Since the server now has only an ed25519 host key, only ssh-ed25519 (and its certificate form) can actually be offered; the ecdsa entries in HostKeyAlgorithms are inert and can be dropped:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
Restart sshd:
sudo service ssh restart
ssh over Tor
Reaching sshd through an onion service hides the server’s address from the client and the client’s address from the server, keeps anyone watching either network from seeing that SSH is being spoken at all, and wraps SSH in a second end-to-end encrypted tunnel (Tor’s). The price is a mildly delayed CLI due to the added latency.
Install Tor by first fixing apt sources and adding Tor’s repo. The apt shipped with 16.04 through 17.04 is older than 1.5 and cannot fetch from https:// sources until the apt-transport-https package is installed, so install that before switching the sources over:
sudo vim /etc/apt/sources.list
Delete all lines and use these (replace “zesty” if needed):
deb https://mirrors.wikimedia.org/ubuntu/ zesty main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ zesty-updates main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ zesty-backports main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ zesty-security main restricted universe multiverse
deb https://deb.torproject.org/torproject.org zesty main
Install Tor’s signing key:
sudo gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
sudo gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
Update and install Tor:
sudo apt-get update && sudo apt-get install tor deb.torproject.org-keyring -y
Configure Tor to publish an onion service that forwards port 22 of the onion address to sshd on loopback:
sudo vim /etc/tor/torrc
Delete all lines and add these:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
Restart Tor:
sudo service tor restart
Find your new dot-onion address:
sudo cat /var/lib/tor/hidden_service/hostname
Configure sshd to only listen via Tor (and not exposed on the clear net). Do this only after you have confirmed you can log in through the onion address, because from here on a broken Tor daemon or firewall rule means no SSH access at all:
sudo vim /etc/ssh/sshd_config
Add (or change) this line:
ListenAddress 127.0.0.1:22
Restart sshd:
sudo service ssh restart
Firewall everything
Presuming you are only hosting a web server over ports 80 and 443:
sudo ufw allow 80/tcp && sudo ufw allow 443/tcp && sudo ufw allow out 53/udp && sudo ufw allow out 80/tcp && sudo ufw allow out 123/udp && sudo ufw allow out 443/tcp && sudo ufw allow out 9050/tcp && sudo ufw deny out to any && sudo ufw enable && sudo ufw status verbose
80 for http
443 for https
53 out for DNS
123 out for NTP
9050 out for Tor’s local SOCKS port (used by torify and apt-transport-tor; ufw accepts loopback traffic anyway, so this rule is redundant but harmless)
Deny everything else.
One thing the rule set does not cover: the Tor daemon itself makes outbound connections to relays on their ORPorts, which are commonly 443 but also 9001 and others. With only 80 and 443 open outbound, either allow those extra ports out as well or use the ReachableAddresses torrc option to restrict Tor to relays listening on 80 and 443; otherwise circuit building will be slow or fail outright.
client side for Tor
sudo vim /etc/ssh/ssh_config
Add these lines under “Host *” (tailor the Ciphers, MACs, and Kex down based on what you know your client and server have available (see above for “ssh -Q x” options)). Two things to know first: placed under “Host *”, the proxyCommand sends every ssh connection through Tor, so if you only want onion hosts proxied put that line under a “Host *.onion” block instead (or in ~/.ssh/config rather than the system-wide file); and it needs a Tor daemon running on the client with its SOCKS port on 9050, plus ncat from the nmap package. UseRoaming no only matters for OpenSSH clients older than 7.2; Ubuntu 16.04 and later ship 7.2 or newer, which removed the roaming code, so the line is harmless there.
UseRoaming no
proxyCommand ncat -v --proxy localhost:9050 --proxy-type socks5 %h %p
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
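The proxyCommand above hands the hostname and port to ncat, which speaks SOCKS5 to Tor. The script below is an added example, not code from the original page, and does the same job with the SOCKS5 exchange spelled out, so you can see why the client never resolves the .onion name itself: the CONNECT request carries the hostname as a DOMAINNAME (ATYP 0x03) and Tor does the lookup. It assumes Tor’s SOCKS port on 127.0.0.1:9050 (the Debian/Ubuntu default); the file name tor_proxycmd.py is an assumption, and the onion address in the test is the one used as an example on this page.

```python
"""Added example (not from the original page): a SOCKS5 ProxyCommand for ssh over Tor.

ssh_config:  ProxyCommand python3 tor_proxycmd.py %h %p
The .onion name is handed to Tor unresolved (ATYP 0x03), so the client never does a
DNS lookup for it. Assumes Tor's SOCKS port on 127.0.0.1:9050 (Debian/Ubuntu default).
"""
import os
import selectors
import socket
import sys

VER, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x05, 0x01, 0x01, 0x03, 0x04
REPLY = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed",
         3: "network unreachable", 4: "host unreachable", 5: "connection refused",
         6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def build_greeting():
    """Version 5, one authentication method offered: 0x00 (none). Tor needs no auth."""
    return bytes([VER, 1, 0x00])


def build_connect_request(host, port):
    """CONNECT to host:port, sending the hostname as a DOMAINNAME so the proxy resolves it."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 hostname must be 1..255 bytes")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + port.to_bytes(2, "big")


def parse_connect_reply(data):
    """Decode VER REP RSV ATYP BND.ADDR BND.PORT -> (rep, bound_host, bound_port)."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = data[5:5 + data[4]].decode("ascii"), data[5 + data[4]:]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return rep, addr, int.from_bytes(rest[:2], "big")


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(dest_host, dest_port, proxy=("127.0.0.1", 9050)):
    """Run the handshake against Tor and return a socket connected through the circuit."""
    sock = socket.create_connection(proxy)
    sock.sendall(build_greeting())
    if recv_exact(sock, 2) != bytes([VER, 0x00]):
        raise ConnectionError("proxy rejected the no-authentication method")
    sock.sendall(build_connect_request(dest_host, dest_port))
    head = recv_exact(sock, 4)  # VER REP RSV ATYP; the address length depends on ATYP
    if head[3] == ATYP_IPV4:
        body = recv_exact(sock, 4 + 2)
    elif head[3] == ATYP_IPV6:
        body = recv_exact(sock, 16 + 2)
    elif head[3] == ATYP_DOMAIN:
        n = recv_exact(sock, 1)
        body = n + recv_exact(sock, n[0] + 2)
    else:
        raise ConnectionError(f"unknown ATYP {head[3]} in reply")
    rep, _, _ = parse_connect_reply(head + body)
    if rep != 0:
        raise ConnectionError(f"SOCKS5 CONNECT failed: {REPLY.get(rep, rep)}")
    return sock


def relay(sock):
    """Pump bytes between ssh (our stdin/stdout) and the Tor circuit until one side closes."""
    sel = selectors.DefaultSelector()
    sel.register(sys.stdin, selectors.EVENT_READ)
    sel.register(sock, selectors.EVENT_READ)
    while True:
        for key, _ in sel.select():
            if key.fileobj is sock:
                data = sock.recv(65536)
                if not data:
                    return
                sys.stdout.buffer.write(data)
                sys.stdout.buffer.flush()
            else:
                data = os.read(sys.stdin.fileno(), 65536)
                if not data:  # ssh closed its side: half-close and drain what the server sends
                    sel.unregister(sys.stdin)
                    sock.shutdown(socket.SHUT_WR)
                else:
                    sock.sendall(data)


if __name__ == "__main__":
    relay(socks5_connect(sys.argv[1], int(sys.argv[2])))
```

Tor answers a successful CONNECT with REP 0 and a bound address of 0.0.0.0:0, which is why the script only looks at the reply code. A non-zero code (host unreachable, TTL expired) is surfaced as an error instead of leaving ssh to hang on a dead pipe.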
Generate client keys:
ssh-keygen -t ed25519 -o -a 100
No restart is needed on the client side: ssh reads ssh_config on every invocation, so the changes above take effect on the next connection.
Send the client public key to the server (ssh-copy-id has to authenticate somehow, so do this while you can still log in with a password or an existing key, before turning PasswordAuthentication off on the server):
ssh-copy-id yawnbox@2vytis5xf5djnaoo.onion
Connect to the server with debug to verify hardened crypto:
ssh -v yawnbox@2vytis5xf5djnaoo.onion
You will find this info buried in the output. The empty MAC field is expected: chacha20-poly1305 is an AEAD cipher and authenticates the data itself, so no separate MAC is negotiated.
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug2: key: /home/yawnbox/.ssh/id_rsa ((nil))
debug2: key: /home/yawnbox/.ssh/id_dsa ((nil))
debug2: key: /home/yawnbox/.ssh/id_ecdsa ((nil))
debug2: key: /home/yawnbox/.ssh/id_ed25519 (0x55zg8nba8f20)
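The sshd_config lines from the “Amending sshd” section and the ssh -v transcript just shown are the two things worth checking mechanically rather than by eye. The script below is an added example, not code from the original page: it parses an sshd_config the way sshd does (comments stripped, first occurrence of a keyword wins, a leading ‘+’ noted as appending to the defaults), flags every algorithm that is not on this guide’s allowlists along with the PasswordAuthentication, PermitRootLogin and ListenAddress settings the guide wants, and parses the debug1: kex: lines of an ssh -v run to confirm the negotiated kex, host key algorithm, ciphers and MACs are on the same allowlists. The sample configs embedded in it are constructed; the four debug lines are the ones quoted above. The file name lint.py is an assumption.

```python
"""Added example (not from the original page): lint sshd_config and an `ssh -v`
transcript against the algorithm allowlist used in this guide."""
import re
import sys

CERT = "-cert-v01@openssh.com"
# Allowlists: the Ciphers/MACs/KexAlgorithms/HostKeyAlgorithms values from this guide.
ALLOWED = {
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "hmac-sha2-512", "hmac-sha2-256"},
    "kexalgorithms": {"curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
                      "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "hostkeyalgorithms": {k + s for s in ("", CERT) for k in ("ssh-ed25519",
                          "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")},
}
# AEAD ciphers authenticate on their own; `ssh -v` then prints an empty (or "<implicit>") MAC.
AEAD = {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-gcm@openssh.com"}
# Non-algorithm settings this guide expects (ListenAddress: sshd reachable only via Tor).
EXPECTED = {"passwordauthentication": "no", "permitrootlogin": "no", "listenaddress": "127.0.0.1:22"}
NEG = re.compile(r"kex: (server->client|client->server) cipher: (\S+) MAC: ?(\S*) compression: (\S+)")


def parse_sshd_config(text):
    """Lowercased keyword -> first value, as sshd reads it (Match blocks not modelled)."""
    conf = {}
    for raw in text.splitlines():
        parts = re.split(r"\s+|\s*=\s*", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())  # first occurrence wins
    return conf


def lint_config(conf):
    """Findings for a parsed config; an empty list means it matches the guide."""
    out = []
    for key, allowed in ALLOWED.items():
        value = conf.get(key)
        if value is None:
            out.append(f"{key}: not set, sshd's default list applies")
            continue
        if value.startswith("+"):  # '+' appends to the defaults instead of replacing them
            out.append(f"{key}: leading '+' keeps every default algorithm enabled")
            value = value[1:]
        out += [f"{key}: {a} is not on the allowlist" for a in value.split(",") if a not in allowed]
    for key, want in EXPECTED.items():
        if conf.get(key, "").lower() != want:
            out.append(f"{key}: expected '{want}', found {conf.get(key)!r}")
    return out


def parse_ssh_debug(text):
    """Pull the negotiated kex, host key algorithm and per-direction cipher/MAC from `ssh -v`."""
    neg = {}
    for line in text.splitlines():
        if m := re.search(r"kex: algorithm: (\S+)", line):
            neg["kex"] = m.group(1)
        elif m := re.search(r"kex: host key algorithm: (\S+)", line):
            neg["hostkey"] = m.group(1)
        elif m := NEG.search(line):
            neg[m.group(1)] = {"cipher": m.group(2), "mac": m.group(3)}
    return neg


def check_negotiation(neg):
    """Findings for a parsed transcript; empty means the session used only allowed algorithms."""
    out = []
    if neg.get("kex") not in ALLOWED["kexalgorithms"]:
        out.append(f"kex: {neg.get('kex')} is not on the allowlist")
    if neg.get("hostkey") not in ALLOWED["hostkeyalgorithms"]:
        out.append(f"host key: {neg.get('hostkey')} is not on the allowlist")
    for direction in ("client->server", "server->client"):
        d = neg.get(direction)
        if d is None:
            out.append(f"{direction}: no cipher line in transcript")
            continue
        if d["cipher"] not in ALLOWED["ciphers"]:
            out.append(f"{direction}: cipher {d['cipher']} is not on the allowlist")
        if d["cipher"] not in AEAD and d["mac"] not in ALLOWED["macs"]:
            out.append(f"{direction}: MAC {d['mac']!r} is not on the allowlist")
    return out


# Constructed samples. WEAK_CONFIG is a lightly edited stock file; HARDENED_CONFIG and
# DEBUG_OK reuse the lines from this guide.
WEAK_CONFIG = """\
Ciphers +3des-cbc,aes128-cbc
MACs hmac-md5,hmac-sha2-256
PasswordAuthentication=yes
PasswordAuthentication no   # ignored: sshd keeps the first occurrence
"""
HARDENED_CONFIG = """\
ListenAddress 127.0.0.1:22
PermitRootLogin no
PasswordAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
"""
DEBUG_OK = """\
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
"""

if __name__ == "__main__":  # usage: lint.py [sshd_config] [ssh -v transcript]
    conf_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    dbg_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else DEBUG_OK
    for finding in lint_config(parse_sshd_config(conf_text)) + check_negotiation(parse_ssh_debug(dbg_text)):
        print(finding)
```

Run it against the live files with python3 lint.py /etc/ssh/sshd_config transcript.txt after saving the client output with ssh -v yawnbox@…onion 2> transcript.txt; no output means both the policy on disk and the session actually negotiated match the allowlists. The weak sample produces nine findings, including the ‘+’ warning that would otherwise silently leave every default cipher enabled.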
Cheers
bonus server config script
#!/bin/bash
# Run this as root (sudo ./script.sh). The original used "sudo echo ... >> /etc/file",
# which fails: the redirection is performed by the unprivileged shell, not by the
# privileged echo. Running the whole script as root sidesteps that.
set -euo pipefail
[ "$(id -u)" -eq 0 ] || exec sudo bash "$0" "$@"

apt-get update
apt-get upgrade -y
apt-get dist-upgrade -y
# apt-transport-https: apt older than 1.5 (16.04-17.04) cannot use https:// sources without it.
# torsocks provides torify, used below to fetch the Tor Project key over Tor.
apt-get install tor torsocks openssh-server apt-transport-https -y
apt-get autoremove -y
apt-get autoclean

cd /etc/ssh
rm -f ssh_host_*key*
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null

# Replace sshd_config wholesale with the hardened settings.
cat > /etc/ssh/sshd_config <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
MaxAuthTries 5
MaxSessions 5
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
EOF
service ssh restart

mv /etc/apt/sources.list /etc/apt/sources1.bak
cat > /etc/apt/sources.list <<'EOF'
deb https://mirrors.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse
deb https://deb.torproject.org/torproject.org xenial main
EOF
# Fetch the Tor Project archive signing key through the Tor daemon installed above.
torify gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
torify gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
apt-get update
apt-get install tor deb.torproject.org-keyring apt-transport-tor -y

# apt can now speak tor+https; move all package fetching onto Tor.
mv /etc/apt/sources.list /etc/apt/sources2.bak
cat > /etc/apt/sources.list <<'EOF'
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse
deb tor+https://deb.torproject.org/torproject.org xenial main
EOF
# AppArmor tweak carried over from the original script.
echo "capability dac_read_search," >> /etc/apparmor.d/abstractions/tor
/etc/init.d/apparmor reload

mv /etc/tor/torrc /etc/tor/torrc.bak
cat > /etc/tor/torrc <<'EOF'
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
# The firewall below only lets 80 and 443 out; tell Tor to pick relays it can reach.
ReachableAddresses *:80,*:443
EOF
service tor restart
# Tor writes the hostname file shortly after starting; wait for it instead of racing it.
until [ -s /var/lib/tor/hidden_service/hostname ]; do sleep 1; done
cp /var/lib/tor/hidden_service/hostname /root/onion.txt

echo "ListenAddress 127.0.0.1:22" >> /etc/ssh/sshd_config
service ssh restart

# Same rules as the manual section: web in, DNS/NTP/HTTP(S)/Tor SOCKS out, nothing else.
# sshd is bound to loopback and reached through the onion, so there is no inbound 22 rule.
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow out 53/udp
ufw allow out 80/tcp
ufw allow out 123/udp
ufw allow out 443/tcp
ufw allow out 9050/tcp
ufw deny out to any
ufw --force enable
ufw status verbose
cat /root/onion.txt