https://github.com/juliusbairaktaris/harden-windows-ssh

Harden the OpenSSH implementation in Windows 10/11 with the help of methods from Positron Security
# Harden-Windows-SSH
This repository provides a PowerShell script to harden the OpenSSH Server configuration on Windows, making it more secure and resistant to known vulnerabilities like the [Terrapin attack](https://nvd.nist.gov/vuln/detail/CVE-2023-48795) (CVE-2023-48795). The hardening measures are based on recommendations from [SSH-Audit](https://www.sshaudit.com/).

## Applied configuration
```
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

MACs [email protected],[email protected],[email protected]

HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],rsa-sha2-512,rsa-sha2-256

CASignatureAlgorithms [email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256

HostbasedAcceptedAlgorithms [email protected],[email protected],[email protected],rsa-sha2-512,[email protected],rsa-sha2-256

PubkeyAcceptedAlgorithms [email protected],[email protected],[email protected],rsa-sha2-512,[email protected],rsa-sha2-256
```

## Install latest OpenSSH version for Windows

It is strongly recommended to upgrade to the beta version of the OpenSSH implementation for Windows using winget, which patches the Terrapin vulnerability (CVE-2023-48795).
```powershell
winget install -e --id Microsoft.OpenSSH.Beta
```
To check which OpenSSH version you are currently running, run in a terminal:
```powershell
ssh -V
```

## How to harden the OpenSSH implementation
Execute:
```powershell
irm 'https://raw.githubusercontent.com/JuliusBairaktaris/Harden-Windows-SSH/main/ConfigureOpenSSH.ps1' | iex
```

In Windows, the OpenSSH Client (ssh) reads configuration data from a configuration file in the following order ([Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration)):

1. By launching ssh.exe with the `-F` parameter, specifying a path to a configuration file and an entry name from that file.
2. A user's configuration file at `%userprofile%\.ssh\config`.
3. The system-wide configuration file at `%programdata%\ssh\ssh_config`.

### Optional overrides
- `hmac-sha2-256`: this MAC is not part of the hardened list above, but it is required to connect to the default SSH configuration of OpenWRT, Debian, DietPi, and similar systems; add it to `MACs` only if you need to reach such hosts.
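Before restarting sshd after applying the configuration above (or after adding an optional override such as `hmac-sha2-256`), it is worth confirming that every algorithm name in the file is one the installed OpenSSH build actually supports, because an unknown name in `sshd_config` is a fatal error and sshd will not start. The following PowerShell check is an added example, not part of this repository's script; it assumes the server configuration lives at `%programdata%\ssh\sshd_config` (the Windows default), that `ssh.exe` is on `PATH`, and that the `ssh -Q` query terms used (`kex`, `cipher`, `mac`, `key-sig`, `sig`) exist in the installed OpenSSH version.

```powershell
# Added example (not part of Harden-Windows-SSH): verify that every algorithm named in
# sshd_config is supported by the installed OpenSSH binaries before restarting the service.
# Assumption: server config at $env:ProgramData\ssh\sshd_config and ssh.exe on PATH.
param(
    [string]$ConfigPath = (Join-Path $env:ProgramData 'ssh\sshd_config')
)

# Map each algorithm directive to the 'ssh -Q' query term that lists what the binary supports.
$queryFor = @{
    'KexAlgorithms'               = 'kex'
    'Ciphers'                     = 'cipher'
    'MACs'                        = 'mac'
    'HostKeyAlgorithms'           = 'key-sig'
    'CASignatureAlgorithms'       = 'sig'
    'HostbasedAcceptedAlgorithms' = 'key-sig'
    'PubkeyAcceptedAlgorithms'    = 'key-sig'
}

$supportedCache = @{}
function Get-SupportedAlgorithms([string]$Query) {
    if (-not $supportedCache.ContainsKey($Query)) {
        # 'ssh -Q <term>' prints one supported algorithm name per line.
        $supportedCache[$Query] = @(& ssh -Q $Query | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return $supportedCache[$Query]
}

$problems = 0
foreach ($line in Get-Content -Path $ConfigPath) {
    $trimmed = $line.Trim()
    if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
    # Directive and value are separated by whitespace; the value is a comma-separated list.
    $directive, $value = $trimmed -split '\s+', 2
    if (-not $queryFor.ContainsKey($directive)) { continue }
    # A leading '+', '-' or '^' modifies the default list; strip it so only names are checked.
    $names = $value.TrimStart('+', '-', '^') -split ','
    $supported = Get-SupportedAlgorithms $queryFor[$directive]
    foreach ($name in $names) {
        if ($supported -notcontains $name) {
            Write-Warning "${directive}: '$name' is not supported by the installed ssh"
            $problems++
        }
    }
}
if ($problems -eq 0) {
    Write-Host "All algorithm names in $ConfigPath are supported by the installed OpenSSH."
} else {
    Write-Host "$problems unsupported algorithm name(s) found; fix them before restarting sshd."
    exit 1
}
```

Run it from an elevated PowerShell prompt after the hardening script and before `Restart-Service sshd`; a zero exit status means the algorithm lists will be accepted by the installed binary.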

## Security Scores using [SSH-Audit](https://www.sshaudit.com/)
The score images from the repository are not reproduced here; their captions are:

- Default OpenSSH v8.X Client Configuration: Default Windows OpenSSH v8 Client Score
- Hardened OpenSSH v8.X Client Configuration: Hardened Windows OpenSSH v8 Client Score
- Default OpenSSH v8.X Server Configuration: Default Windows OpenSSH v8 Server Score
- Hardened OpenSSH v8.X Server Configuration: Hardened Windows OpenSSH v8 Server Score

## Further hardening recommendations
To further secure Windows, check out the great [Harden-Windows-Security](https://github.com/HotCakeX/Harden-Windows-Security) module by [HotCakeX](https://github.com/HotCakeX/Harden-Windows-Security).