
stassen
I used OpenVAS to check my security and started to modify my sshd_config to exclude known risks. I thought I had managed to increase the security level by lowering the risk via this config.
But I ran into a challenge tonight where I was not able to log in anymore via SSH (after a power failure on the machine). In the end everything was working except SSH. Via the cmdline and systemctl -xe I found that the lines starting with a ? were causing the issue. They are currently not active, so I have access, but I still would like to have a secure platform.
I know that these settings depend on the situation you are in (in reference to the algos used on other machines), but I don't have that.

Most of the info on the internet (how to set it up, incl. examples) doesn't provide a date stamp. In other words, it can be outdated. Can someone advise what the best config is at the moment (March 2022)?

AddressFamily inet

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

#ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
?MACs AnyStd:
#MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
?KexAlgorithms AnyStd:
# KexAlgorithms diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1
?SSLProtocol all -SSLv2 -SSLv3
?SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!EXP:+eNULL:!SSLv2:!SSLv3
?ssl_prefer_server_ciphers off;
Wednesday, March 16 2022, 07:00 PM
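A small linter, added here and not part of the original thread, that catches the two things that broke the config above before sshd is ever restarted: lines that are not valid `Directive value` syntax (the `?` lines) and TLS directives that belong to a web server, not sshd. It also flags algorithm names that scanners such as OpenVAS report as weak; the weak-name pattern, the BROKEN and HARDENED samples, and the `lint()` function are all constructed for this example.

```python
import re

# Directives whose value is a comma-separated list of algorithm names.
ALGO_DIRECTIVES = {"ciphers", "macs", "kexalgorithms"}
# Names hardening scanners (OpenVAS/Greenbone) report as weak: SHA-1/MD5 based
# MACs and kex, 1024-bit DH group1, CBC cipher modes, arcfour, 64-bit UMAC.
WEAK = re.compile(r"sha1|md5|group1-|-cbc|arcfour|ripemd160|umac-64", re.I)
# OpenSSH algorithm names look like "aes256-gcm@openssh.com" (optional +/-/^ prefix).
ALGO_NAME = re.compile(r"^[-+^]?[a-z0-9][a-z0-9.@-]*$", re.I)


def lint(config_text):
    """Return (line_no, problem, line) findings; an empty list means nothing found."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are always fine
        if not line[0].isalpha():
            # A stray '?' or ';' is a parse error: sshd refuses to start at all.
            findings.append((no, "malformed line, sshd will refuse to start", line))
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key.startswith("ssl"):
            findings.append((no, "TLS directive belongs to a web server, not sshd", line))
        elif key in ALGO_DIRECTIVES:
            for algo in value.split(","):
                if not ALGO_NAME.match(algo):
                    findings.append((no, f"{key}: '{algo}' is not an algorithm name", line))
                elif WEAK.search(algo):
                    findings.append((no, f"{key}: weak algorithm {algo}", line))
        elif key == "protocol" and "1" in value.split(","):
            findings.append((no, "SSH protocol 1 is obsolete", line))
    return findings


# Constructed sample modelled on the broken snippet posted in the question.
BROKEN = """\
?MACs AnyStd:
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group1-sha1
?SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA
"""
# Constructed sample of a modern list that passes the lint.
HARDENED = """\
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Protocol 2
"""
```

On the host itself, `sshd -t -f <file>` is the authoritative pre-restart check against the installed OpenSSH version, and `ssh -Q mac` (likewise `cipher` and `kex`) lists the algorithm names that version still accepts, which an offline linter cannot know.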
Responses (3)
  • stassen
    Monday, March 21 2022, 09:10 AM
    I think I understand my own mistake, but I am still wondering why this did not pop up upfront while restarting sshd. Nevertheless, for the moment I use the following:

    # Ciphers and keying
    #RekeyLimit default none

    KexAlgorithms curve25519-sha256@libssh.org
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

    Protocol 2
  • Nick Howitt
    Monday, March 21 2022, 10:17 AM
    I know Ubuntu do something with a more or less secure option. The more secure option does not allow 2048 bit RSA keys, but I have not managed to work out how they do that unless it is by setting their own internal RSA key to something longer (4096 bit).

    If you don't know what you are doing, be careful playing around as you could inadvertently create something less secure.
  • stassen
    Thursday, March 31 2022, 06:08 AM
    Nick Howitt wrote:

    I know Ubuntu do something with a more or less secure option. The more secure option does not allow 2048 bit RSA keys, but I have not managed to work out how they do that unless it is by setting their own internal RSA key to something longer (4096 bit).

    If you don't know what you are doing, be careful playing around as you could inadvertently create something less secure.


    Nick,

    I agree that everybody needs to be careful. Make a backup, and document your changes in the config files while you are working on them (I add the URL I used in a comment line in the config file, so I can retrieve the info later). After a restart of the service I use the Greenbone scanner (via Docker) to probe/scan the new security of that machine, even though these machines are behind the firewall without ports open to the internet.