
Add CoreOS/Flatcar and other ignition/butane based OS hardening guides

Open vic1707 opened this issue 4 months ago • 5 comments

I'd love to see guides breaking down hardening of these systems using ignition or butane snippets so the servers are already hardened when installing 😁

vic1707 avatar Aug 08 '25 18:08 vic1707

Managed to harden my server to abide by the default audit of the upcoming 3.4.0-dev using

    - path: /etc/ssh/sshd_config.d/35-hardening.conf
      mode: 0400
      contents:
        inline: |
          Port {{ .SSH_PORT }}
          PermitRootLogin no              # Disallow root SSH logins
          PasswordAuthentication no       # Force key-based auth
          AddressFamily inet              # Binds SSH to IPv4 only
          MaxAuthTries 6                  # Includes ssh-key tries (each offered key counts)
          MaxSessions 2                   # Max open sessions (shells/forwards) per connection
          MaxStartups 2                   # Max concurrent unauthenticated connections
          LogLevel VERBOSE

          HostKey /etc/ssh/ssh_host_ed25519_key
          HostKey /etc/ssh/ssh_host_rsa_key
          KexAlgorithms mlkem768x25519-sha256,[email protected]
          HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
          Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
          MACs [email protected],[email protected],[email protected]
          CASignatureAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
          HostbasedAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
          PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
          RekeyLimit 512M 1h
          GSSAPIAuthentication no
          GSSAPIKeyExchange no
          RequiredRSASize 3072
          KbdInteractiveAuthentication no
          Compression no

I believe only the second part had to do with passing the audit. Note that the 35- prefix is important so it loads before the 40- file, which sets all the other algorithms; I couldn't find a way to overwrite it, so I made my file come first.

vic1707 avatar Aug 20 '25 18:08 vic1707
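The first-value-wins merge behind the 35-/40- ordering note above, as an added Python example (not code from this issue or from the ssh-audit project). The drop-in file names and contents are constructed; 40-distro-defaults.conf stands in for whatever distro file sets the algorithms.

```python
"""Simulate how sshd merges /etc/ssh/sshd_config.d/*.conf so a 35- file
beats a 40- file. Added example; not ssh-audit or OpenSSH code."""

# Constructed sample drop-in directory: filename -> file contents.
DROPINS = {
    "40-distro-defaults.conf": (
        "# constructed stand-in for the distro file that sets the algorithms\n"
        "KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256\n"
        "Ciphers aes128-ctr,aes256-ctr\n"
    ),
    "35-hardening.conf": (
        "PermitRootLogin no              # Disallow root SSH logins\n"
        "KexAlgorithms mlkem768x25519-sha256\n"
        "Ciphers aes256-ctr\n"
    ),
}


def parse_lines(text):
    """Yield (keyword, value) pairs. Keywords are case-insensitive and a
    '#' ends the line as in modern OpenSSH (a quoted '#' is not handled)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed sshd_config line: {raw!r}")
        yield parts[0].lower(), parts[1].strip()


def effective_config(dropins):
    """sshd expands the Include glob in lexical order and, for most keywords,
    keeps the FIRST value it sees; later files cannot override it."""
    effective, origin = {}, {}
    for name in sorted(dropins):  # "35-..." sorts before "40-..."
        for keyword, value in parse_lines(dropins[name]):
            if keyword not in effective:  # first match wins
                effective[keyword] = value
                origin[keyword] = name
    return effective, origin


def shadowed_by(dropins, hardening_name):
    """Keywords set in hardening_name whose value is lost to an earlier file."""
    _, origin = effective_config(dropins)
    mine = {k for k, _ in parse_lines(dropins[hardening_name])}
    return sorted(k for k in mine if origin[k] != hardening_name)
```

Renaming the hardening file to a prefix that sorts after 40- makes `shadowed_by` report `ciphers` and `kexalgorithms`, which is the failure mode the ordering note guards against.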

Thanks for contributing this guide! Could you please create a hardening guide in the wiki for this? https://github.com/jtesta/ssh-audit/wiki/SSH-Hardening-Guides-Index

Might you also have any metrics on how popular this platform is?

jtesta avatar Aug 30 '25 20:08 jtesta

Hi,

Could you please create a hardening guide in the wiki for this

I can draft one, but it should be taken with a grain of salt. I’m not deeply familiar with all the details of CoreOS. I found this "solution" mostly through trial and error.

Might you also have any metrics on how popular this platform is?

I don’t have metrics on that. I’ve only seen CoreOS mentioned occasionally on Reddit, mostly in homelab and container-centric discussions.

vic1707 avatar Aug 31 '25 12:08 vic1707

I can draft one, but it should be taken with a grain of salt. I’m not deeply familiar with all the details of CoreOS. I found this "solution" mostly through trial and error.

No problem. The rest of the community guides are the same way. Even if your guide isn't perfect, the next person would have a starting point to continue from.

jtesta avatar Aug 31 '25 19:08 jtesta

Hi, sorry for the time it took, but I finally found time to make the page: https://github.com/jtesta/ssh-audit/wiki/Fedora-CoreOS-Flatcar-Linux. I'll let you correct it if needed and close the issue when you're satisfied with the result 👍

vic1707 avatar Sep 15 '25 13:09 vic1707