Hardening Automation

3 min read Data Protection & Compliance

Hardening Automation

Automate hardening processes to ensure consistent application across all systems and enable rapid deployment of security updates.

Create comprehensive hardening automation:

#!/bin/bash
# ssh-harden-auto.sh
# Automated SSH hardening script

set -euo pipefail

# Configuration variables
BACKUP_DIR="/etc/ssh/backups/$(date +%Y%m%d_%H%M%S)"
LOG_FILE="/var/log/ssh-hardening.log"
DRY_RUN=${1:-false}

# Logging function
log() {
    echo "[$(date +'%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG_FILE"
}

# Create backup
backup_configs() {
    log "Creating configuration backup..."
    mkdir -p "$BACKUP_DIR"
    cp -a /etc/ssh/* "$BACKUP_DIR/"
    log "Backup created at $BACKUP_DIR"
}

# Generate secure SSH host keys
regenerate_host_keys() {
    log "Regenerating SSH host keys..."
    
    # Remove existing keys
    rm -f /etc/ssh/ssh_host_*
    
    # Generate new keys with secure parameters
    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" < /dev/null
    ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N "" < /dev/null
    
    # Remove less secure key types
    rm -f /etc/ssh/ssh_host_dsa_key* /etc/ssh/ssh_host_ecdsa_key*
    
    log "New host keys generated"
}

# Apply hardened configuration
apply_sshd_config() {
    log "Applying hardened SSH configuration..."
    
    cat > /etc/ssh/sshd_config.hardened << 'EOF'
# Hardened SSH Configuration
# Generated by ssh-harden-auto.sh

# Network and Protocol
Port 22
AddressFamily inet
Protocol 2
ListenAddress 0.0.0.0

# Host Keys (only secure algorithms)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Ciphers and Algorithms
Ciphers [email protected],[email protected],[email protected]
MACs [email protected],[email protected],[email protected]
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

# Authentication
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 3
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

# Security Features
AllowUsers alice bob charlie
X11Forwarding no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UsePrivilegeSeparation yes
PermitUserEnvironment no
ClientAliveInterval 300
ClientAliveCountMax 2
UseDNS no
PidFile /var/run/sshd.pid
MaxStartups 10:30:60
PermitTunnel no
ChrootDirectory none
VersionAddendum none

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

# Subsystems
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO

# Banner
Banner /etc/ssh/banner.txt
EOF

    # Create security banner
    cat > /etc/ssh/banner.txt << 'EOF'
************************************************************************
*                            SECURITY NOTICE                           *
*                                                                      *
* This system is for authorized use only. All activities are logged   *
* and monitored. Unauthorized access attempts will be investigated     *
* and may result in prosecution. By accessing this system, you        *
* consent to monitoring and recording of all activities.              *
************************************************************************
EOF

    if [ "$DRY_RUN" = "false" ]; then
        mv /etc/ssh/sshd_config.hardened /etc/ssh/sshd_config
        systemctl reload sshd
        log "Hardened configuration applied"
    else
        log "DRY RUN: Configuration would be applied"
    fi
}

# Main execution
main() {
    log "Starting SSH hardening process..."
    
    backup_configs
    regenerate_host_keys
    apply_sshd_config
    
    # Verify configuration
    if sshd -t; then
        log "Configuration validation passed"
    else
        log "ERROR: Configuration validation failed"
        exit 1
    fi
    
    log "SSH hardening completed successfully"
}

# Run main function
main

SSH hardening requires a systematic approach that addresses multiple security layers. From system-level controls to advanced authentication mechanisms and continuous monitoring, each component contributes to a robust security posture. Regular assessment and updates ensure hardening measures remain effective against evolving threats while supporting legitimate access requirements.## SSH Key Management

Effective SSH key management forms the foundation of secure remote access infrastructure. As organizations scale, managing hundreds or thousands of SSH keys becomes a critical security challenge. Poor key management practices lead to unauthorized access, compliance failures, and operational inefficiencies. This comprehensive guide explores enterprise-grade SSH key management strategies, from lifecycle management to automated provisioning systems that maintain security while enabling seamless access.