I used openvas to check my security and started to modify my sshd_config to exclude known risks. I thought I managed to increase the security level by lowering the risk via this config.
But I ran into a challenge tonight where I was not able to login anymore via SSH (after a power failure on the machine). In the end everything was working except SSH. Via the cmdline and systemctl -xe I found that the lines starting with a ? were causing the issue. Currently not active, so I have access, but I still would like to have a secure platform.
I know that these settings are part of the situation you are in (in reference to algos used on other machines), but I don't have that.
Most of the info on the internet (how to set up, incl. examples) doesn't provide a date-stamp. In other words it can be outdated. Can someone advise what is the best config at the moment (March 2022)?
AddressFamily inet
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
#ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
?MACs AnyStd:
#MACs hmac-sha1,[email protected],hmac-ripemd160
?KexAlgorithms AnyStd:
# KexAlgorithms diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1
?SSLProtocol all -SSLv2 -SSLv3
?SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!EXP:+eNULL:!SSLv2:!SSLv3
?ssl_prefer_server_ciphers off;
Responses (3)
Accepted Answer
Nick Howitt wrote:
I know Ubuntu do something with a more or less secure option. The more secure option does not allow 2048 bit RSA keys, but I have not managed to work out how they do that unless it is by setting their own internal RSA key to something longer (4096 bit).
If you don't know what you are doing, be careful playing around as you could inadvertently create something less secure.
Nick,
I agree that everybody needs to be careful. Make a backup, document your changes in the config files while you are working on it (I add the URL used in a comment line in the config file, to retrieve the info used). After a restart of the service I use Greenbone scanner (via docker) to probe/scan my new security for that machine, even though these are behind the firewall without ports open to the internet.
Accepted Answer
I know Ubuntu do something with a more or less secure option. The more secure option does not allow 2048 bit RSA keys, but I have not managed to work out how they do that unless it is by setting their own internal RSA key to something longer (4096 bit).
If you don't know what you are doing, be careful playing around as you could inadvertently create something less secure.
Accepted Answer
I think I understand my own mistake, but I am still wondering why this did not pop up upfront while restarting sshd. Nevertheless, for the moment I use the following
# Ciphers and keying
#RekeyLimit default none
KexAlgorithms [email protected]
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]
Protocol 2
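As an added example (not code from the thread or from any poster), here is a small pre-restart lint for the kind of sshd_config fragments quoted in the question and in the final answer above. It flags lines whose first word is not an sshd keyword (the "?MACs" / "?KexAlgorithms" lines, and the SSLProtocol / SSLCipherSuite / ssl_prefer_server_ciphers lines, which are Apache and nginx TLS directives that sshd does not understand and which make sshd refuse to start with "Bad configuration option"), algorithm names that scanners such as OpenVAS commonly report (SHA-1, RIPEMD-160, 1024-bit group1 DH, CBC, arcfour, 3DES), and the deprecated Protocol keyword. The keyword list is an assumed subset of sshd_config(5), and the sample config is constructed for the demonstration.

```python
"""Lint an sshd_config fragment before restarting sshd (added example).

Assumption: KNOWN_KEYWORDS is only a subset of sshd_config(5), enough for the
fragments in this thread; extend it for a full config.
"""

# sshd keywords are case-insensitive; stored here in lower case.
KNOWN_KEYWORDS = {
    "addressfamily", "hostkey", "rekeylimit", "ciphers", "macs",
    "kexalgorithms", "hostkeyalgorithms", "pubkeyacceptedalgorithms",
    "port", "listenaddress", "permitrootlogin", "passwordauthentication",
    "protocol",
}
# "Protocol" is accepted but ignored by current OpenSSH (SSH-1 was removed).
DEPRECATED_KEYWORDS = {"protocol"}
# Keywords whose value is a comma-separated algorithm list.
ALGO_KEYWORDS = {"ciphers", "macs", "kexalgorithms", "hostkeyalgorithms"}
# Substrings that identify algorithms usually reported as weak by scanners.
WEAK_MARKERS = ("sha1", "ripemd160", "group1-", "-cbc", "arcfour", "3des")


def lint_sshd_config(text):
    """Return a list of (line_number, category, offending_token) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are fine
        parts = line.split(None, 1)
        keyword, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword.lower() not in KNOWN_KEYWORDS:
            # This is what makes sshd exit at start-up: the "?" prefix and the
            # SSL* directives both produce "Bad configuration option".
            findings.append((lineno, "unknown keyword", keyword))
            continue
        if keyword.lower() in DEPRECATED_KEYWORDS:
            findings.append((lineno, "deprecated keyword", keyword))
        if keyword.lower() in ALGO_KEYWORDS:
            for algo in value.split(","):
                name = algo.strip()
                if any(marker in name.lower() for marker in WEAK_MARKERS):
                    findings.append((lineno, "weak algorithm", name))
    return findings


def has_blocking_errors(findings):
    """True if sshd would refuse to start with this config (unknown keywords)."""
    return any(category == "unknown keyword" for _, category, _ in findings)


# Constructed sample mirroring the problem lines from the question.
SAMPLE_CONFIG = """\
AddressFamily inet
HostKey /etc/ssh/ssh_host_ed25519_key
#RekeyLimit default none
?MACs AnyStd:
?KexAlgorithms AnyStd:
?SSLProtocol all -SSLv2 -SSLv3
ssl_prefer_server_ciphers off;
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
Protocol 2
"""

if __name__ == "__main__":
    results = lint_sshd_config(SAMPLE_CONFIG)
    for lineno, category, token in results:
        print(f"line {lineno}: {category}: {token}")
    if has_blocking_errors(results):
        print("sshd would NOT start with this config; fix before restarting")
```

On the host itself the authoritative check is `sshd -t -f /path/to/candidate_config`, which reports the bad option and a non-zero exit status before you touch the running service, and `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` list the algorithm names the installed OpenSSH build actually supports, so a hardened list can be checked against them rather than against an undated web page.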