From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH v4 1/2] add hardened SSH server configuration
Date: Wed, 12 Sep 2018 19:52:41 +0200
Message-ID: <1dd45b64-d0d1-8509-927b-a2f313861c81@link38.eu>
In-Reply-To: <20180910155223.2828-1-peter.mueller@link38.eu>

Hello,

I take by the silence that there are still some unsolved questions
about this. If this assumption is true, please ask them. :-)

Thank you, and best regards,
Peter Müller

> In order to harden OpenSSH server in IPFire, using the upstream default configuration
> and editing it via sed commands in the LFS file is error-prone and does not scale.
>
> Therefore we ship a custom and more secure OpenSSH server configuration which
> is copied into the image during build time.
>
> The fourth version of this patch disables password authentication by
> default, since this is required by some cloud hosters in order to apply
> the image. Further, this method is less secure than pubkey
> authentication.
>
> Non-AEAD ciphers have been re-added to provide compatibility with older
> RHEL systems.
>
> Fixes #11750
> Fixes #11751
> Partially fixes #11538
>
> Signed-off-by: Peter Müller
> Cc: Marcel Lorenz
> Cc: Michael Tremer
> ---
> config/ssh/sshd_config | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 81 insertions(+)
> create mode 100644 config/ssh/sshd_config
>
> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
> new file mode 100644
> index 000000000..06329fbde
> --- /dev/null
> +++ b/config/ssh/sshd_config
> @@ -0,0 +1,81 @@
> +# ultra-secure OpenSSH server configuration
> +
> +# only allow version 2 of SSH protocol
> +Protocol 2
> +
> +# listen on port 22 by default
> +Port 22
> +
> +# listen on these interfaces and protocols
> +AddressFamily any
> +ListenAddress 0.0.0.0
> +
> +# limit authentication thresholds
> +LoginGraceTime 30s
> +MaxAuthTries 3
> +
> +# limit maximum instanctes to prevent DoS
> +MaxStartups 5
> +
> +# ensure proper logging
> +SyslogFacility AUTH
> +LogLevel INFO
> +
> +# enforce permission checks before a login is accepted
> +# (prevents damage because of hacked systems with world-writeable
> +# home directories or similar)
> +StrictModes yes
> +
> +# only allow safe crypto algorithms (may break some _very_ outdated clients)
> +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
> +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
> +
> +# enable data compression after successful login only
> +Compression delayed
> +
> +# only allow cryptographically safe SSH host keys (adjust paths if needed)
> +HostKey /etc/ssh/ssh_host_ed25519_key
> +HostKey /etc/ssh/ssh_host_ecdsa_key
> +HostKey /etc/ssh/ssh_host_rsa_key
> +
> +# only allow login via public key by default
> +PubkeyAuthentication yes
> +PasswordAuthentication no
> +ChallengeResponseAuthentication no
> +PermitEmptyPasswords no
> +
> +# permit root login as there is no other user in IPFire 2.x
> +PermitRootLogin yes
> +
> +# specify preferred authentication methods (public keys come first)
> +AuthenticationMethods publickey,password
> +
> +# ignore user ~/.rhost* files
> +IgnoreRhosts yes
> +
> +# ignore user known hosts file
> +IgnoreUserKnownHosts yes
> +
> +# ignore user environments
> +PermitUserEnvironment no
> +
> +# do not allow any kind of forwarding (provides only low security)
> +# some of them might need to be re-enabled if SSH server is a jump platform
> +X11Forwarding no
> +AllowTcpForwarding no
> +AllowAgentForwarding no
> +PermitTunnel no
> +GatewayPorts no
> +PermitOpen none
> +
> +# detect broken sessions by sending keep-alive messages to
> +# clients (both via TCP and SSH)
> +TCPKeepAlive yes
> +ClientAliveInterval 10
> +
> +# close unresponsive SSH sessions which fail to answer keep-alive
> +ClientAliveCountMax 6
> +
> +# EOF
>

--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made.
Fix Information: Run your DNS service on a different platform.
-- bugtraq
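Review bot: `AuthenticationMethods publickey,password` contradicts the `PasswordAuthentication no` set a few lines above it. In sshd_config a comma-separated list means every listed method must succeed in sequence, not a preference order as the comment "public keys come first" suggests, so with password authentication disabled the second step can never be satisfied and no login can succeed (sshd discards an AuthenticationMethods list whose methods are disabled, and fails the connection when none remain). If the intent is "public key only by default, with passwords as an optional fallback an admin may switch on", use `AuthenticationMethods publickey` here and note in the comment that re-enabling passwords also requires changing this line (alternatives are written space-separated, e.g. `AuthenticationMethods publickey password`). A second, smaller point in the same hunk: `ListenAddress 0.0.0.0` binds IPv4 only, which makes `AddressFamily any` moot; either drop the ListenAddress line (sshd then listens on all families) or add `ListenAddress ::` if IPv6 management access is intended.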