Hardened SSH server

I strongly suggest that you heed the advice from stribika’s page on securing the Secure Shell (SSH), the aim of which is to make your SSH server safe from the NSA; or so they say…

Cet article est aussi disponible en français.

Of course, you will have to adapt the given advice to your version of OpenSSH (or even another SSH server), since the supported algorithms are different for each version. Thus, I had to change the configuration, so that it would work with the version of OpenSSH in Debian Wheezy, this way:

KexAlgorithms diffie-hellman-group-exchange-sha256
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

instead of:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

Indeed, the parts in bold above point to algorithms that are unknown to this old version of OpenSSH. I will change the configuration again when I have upgraded Debian to a newer version; the necessary information is provided by the manual page for the sshd_config file.

In case the improved security is not enough to convince you, there is an added bonus: after I had my configuration set as shown above, I discovered that the many daily fraudulent connection attempts to my SSH server had completely disappeared! Now Fail2ban is getting bored :-D

The reason seems to be, that the robots that broadly attack servers have not been updated for some time, and lack current algorithms. I have thus found a lot of the following three lines in my log files:

sshd: fatal: Unable to negotiate a key exchange method [preauth]
sshd: fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes256-ctr,aes192-ctr,aes128-ctr [preauth]
sshd: fatal: no matching mac found: client hmac-md5,hmac-sha1 server hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 [preauth]

Final tip: for even more security, you should monitor the GitHub page about the updates to the article, because this article is built collaboratively and gets better and better, using the added knowledge shared by its readers.


1. Le lundi 22 mai 2017, 13:42 par Yves

Hi phulkari, look for the Atom/RSS symbol; it looks like a tilted WiFi symbol.

To follow the comments for one particular blog post, use the link at the bottom of this post’s page; for example: http://yalis.fr/cms/index.php/feed/...
To follow all comments, or to be notified of new blog posts, use the links on the site’s front page, under the title “S’abonner”:
— “Fil des billets” = all blog posts: http://yalis.fr/cms/index.php/feed/...
— “Fil des commentaires” = all comments: http://yalis.fr/cms/index.php/feed/...

Ajouter un commentaire

Le code HTML est affiché comme du texte et les adresses web sont automatiquement transformées.

La discussion continue ailleurs

URL de rétrolien : http://yalis.fr/cms/index.php/trackback/66

Fil des commentaires de ce billet