OpenSSH
You can file an issue about it and ask that it be added.
The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, through the use of public key cryptography.
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
PermitEmptyPasswords no
This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.
ClientAliveCountMax 0
Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
ClientAliveInterval 300
The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.
Banner /etc/issue
DoD Information Systems are required to use FIPS-approved cryptographic hash functions. The only SSHv2 hash algorithm family meeting this requirement is SHA2.
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
SSH environment options potentially allow users to bypass access restrictions in some configurations.
PermitUserEnvironment no
SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerabilities with public exploits. Exploits of the SSH daemon could provide immediate root access to the system.
Protocol 2
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
IgnoreRhosts yes
SSH provides several logging levels with varying amounts of verbosity. In many situations, such as incident response, it is important to determine when a particular user was active on a system. The INFO level specifies that login and logout activity will be logged.
LogLevel INFO
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
By default, remote X11 connections are not encrypted when initiated by users. Open X displays allow an attacker to capture keystrokes and to execute commands remotely.
X11Forwarding yes
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
HostbasedAuthentication no
Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server.
MaxAuthTries tries
The root user should never be allowed to log in to a system directly over a network.
PermitRootLogin no
The C2S/CIS standard also explains the X11Forwarding parameter. In my opinion, we should definitely disable X sessions.
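To verify that a host actually applies the directives listed above, here is an added example (not part of the guide) of a POSIX shell audit run over a constructed sshd_config. It reproduces sshd's rule that the first value found for a keyword wins, which is why a hardened line appended at the bottom of a file can be silently ignored; it assumes whitespace-separated directives and checks only global settings before the first Match block.

```shell
# Added example, not from the guide: audit sshd_config against the values above.
# Assumptions: directives are "Keyword value" (no "=" form); only global
# settings before the first "Match" line are considered, as sshd does.

# effective_value FILE KEYWORD -> prints the first global value, or nothing
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }         # global section ends here
        /^[[:space:]]*#/ || NF == 0 { next }    # comments and blank lines
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }  # first wins
    ' "$1"
}

# check_setting FILE KEYWORD EXPECTED -> 0 if the effective value matches
check_setting() {
    got=$(effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$got" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# audit_file FILE -> prints PASS/FAIL per directive, returns number of failures
audit_file() {
    fails=0
    while read -r key want; do
        if check_setting "$1" "$key" "$want"; then
            echo "PASS $key $want"
        else
            echo "FAIL $key expected '$want' got '$(effective_value "$1" "$key")'"
            fails=$((fails + 1))
        fi
    done <<EOF
PermitEmptyPasswords no
ClientAliveCountMax 0
ClientAliveInterval 300
PermitUserEnvironment no
IgnoreRhosts yes
LogLevel INFO
HostbasedAuthentication no
PermitRootLogin no
EOF
    return $fails
}

# Constructed sample (not a real host): PermitRootLogin appears twice, so the
# hardened "no" near the end loses to the earlier "yes" and the audit flags it.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$SAMPLE_CFG" <<EOF
# constructed sshd_config for the example
PermitRootLogin yes
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 0
PermitUserEnvironment no
IgnoreRhosts yes
LogLevel INFO
HostbasedAuthentication no
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF
audit_file "$SAMPLE_CFG" || echo "non-compliant directives found"
```

On a live host, run the same functions against /etc/ssh/sshd_config, or compare with `sshd -T`, which prints the values the daemon actually resolved.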
- Configuring OpenSSH [Official]
The Practical Linux Hardening Guide provides a high-level overview of hardening GNU/Linux systems. It is not an official standard or handbook, but it touches on and uses industry standards.