Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SSH Hardening question

    Scheduled Pinned Locked Moved 2.5 Development Snapshots (Retired)
    3 Posts 3 Posters 609 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JeGrJ
      JeGr LAYER 8 Moderator
      last edited by

      Hi,

      as we checked various hosts and the lab installations of firewalls against current recommendations, we had the 2.5 with following results:

      # algorithm recommendations (for OpenSSH 7.9)
      
      | ssh2-enum-algos:
      |   kex_algorithms: (2)
      |       curve25519-sha256@libssh.org
      |       diffie-hellman-group-exchange-sha256     -- [warn] using custom size modulus (possibly weak) -> remove
      |   server_host_key_algorithms: (4)
      |       rsa-sha2-512
      |       rsa-sha2-256
      |       ssh-rsa
      |       ssh-ed25519
      |   encryption_algorithms: (6)
      |       chacha20-poly1305@openssh.com
      |       aes256-gcm@openssh.com
      |       aes128-gcm@openssh.com
      |       aes256-ctr
      |       aes192-ctr
      |       aes128-ctr
      |   mac_algorithms: (6)
      |       hmac-sha2-512-etm@openssh.com
      |       hmac-sha2-256-etm@openssh.com
      |       umac-128-etm@openssh.com                 -- [warn] using encrypt-and-MAC mode
      |       hmac-sha2-512                            -- [warn] using encrypt-and-MAC mode
      |       hmac-sha2-256                            -- [warn] using encrypt-and-MAC mode
      |       umac-128@openssh.com                     -- [warn] using encrypt-and-MAC mode
      |   compression_algorithms: (2)
      |       none
      |       zlib@openssh.com
      

      So pretty good(!) per default but just wanting to question, if those MACs would hurt older clients much if they would be removed as per recommendation or if that would break things(TM) in a bad way. Also the KEX (DH GE with SHA256) is only possibly week, I'm assuming it has a strong modulus attached and I know that older clients often used it and behaved bad with only curve25519 left. Of course when dealing with a firewall, one could always say that things have to SOTA when dealing with your firewall and just up the ante ;)

      Just wanting to get developer's take on that.

      Greets
      Jens

      Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        We have refined that list before for security reasons, at the expense of some older clients. If you have some specific suggestions there, feel free to make a feature request or a PR.

        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          You know what would be great feature - the ability to do check boxes on what ciphers and algo's you want to use.. Kind of like how the DSM on synology does it..

          customsettings.png

          Something like this for the web interface https settings would be useful as well.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.