From 6b6bda520ad7bbd002a8c68537b3399773eb19cf Mon Sep 17 00:00:00 2001
From: ChiefGyk
Date: Thu, 14 Jul 2016 19:36:11 -0400
Subject: [PATCH] only enabled recommended MAC and ciphers per research. Added this after it was revealed via OpenVAS
---
 setup/system.sh | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/setup/system.sh b/setup/system.sh
index cc152524..3f5efcf3 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -219,6 +219,11 @@ APT::Periodic::Unattended-Upgrade "1";
 APT::Periodic::Verbose "1";
 EOF
 
+# Harden SSH and disable weak ciphers
+echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128" >> /etc/ssh/sshd_config
+echo "MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160" >> /etc/ssh/sshd_config
+
+
 # ### Firewall
 
 # Various virtualized environments like Docker and some VPSs don't provide #NODOC
@@ -298,3 +303,4 @@ cat conf/fail2ban/jail.local \
 cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf
 
 restart_service fail2ban
+
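Review bot: The added `Ciphers` line still enables arcfour256 and arcfour128 (RC4) and the `MACs` line still enables hmac-sha1 and hmac-ripemd160, so the new code does not do what the comment "disable weak ciphers" above it says, and a scanner that flags weak SSH algorithms will keep reporting them. Both lines are also appended with `>>`, so every re-run of setup adds duplicate keywords, and if `/etc/ssh/sshd_config` already ends with a `Match` block the appended keywords land inside it, which sshd rejects at startup. I would replace the two echo lines with an idempotent edit that first removes any existing `Ciphers`/`MACs` lines, inserts an AES-CTR/GCM-only cipher list and SHA-2 MACs at the top of the file (ahead of any `Match` block), and validates the result with `sshd -t`; the hunk shows no sshd restart or reload, so the new settings presumably only take effect when something else restarts the daemon, which is worth confirming in the rest of the script. The second hunk only adds a trailing blank line and needs no change.
```shell
# Harden SSH: modern ciphers/MACs only; idempotent, and kept ahead of any Match block
sed -i '/^\(Ciphers\|MACs\) /d' /etc/ssh/sshd_config
sed -i '1i Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' /etc/ssh/sshd_config
sed -i '1i MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256' /etc/ssh/sshd_config
sshd -t   # fail setup here rather than leaving sshd unable to start
# … unchanged: firewall section …
```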