For such use, we recommend the following settings for homes, development servers, and universities. For important systems, even such organizations should follow the guidelines for configuring enterprise servers. Larger enterprises, or others wanting to run a tight security policy for certain servers, may want to set the following options. Symmetric algorithms for encrypting the bulk of transferred data are configured using the Ciphers option.
A good value is aesctr,aesctr,aesctr. This should also provide good interoperability. Host key algorithms are selected by the HostKeyAlgorithms option. Key exchange algorithms are selected by the KexAlgorithms option. We recommend ecdh-sha2-nistp,ecdh-sha2-nistp,ecdh-sha2-nistp,diffie-hellman-groupsha1,diffie-hellman-group-exchange-sha. In particular, we do not recommend allowing diffie-hellman-group1-sha1, unless needed for compatibility.
It uses a bit prime number, which is too small by today's standards and may be breakable by intelligence agencies in real time. Using it could expose connections to man-in-the-middle attacks when faced with such adversaries.
Message authentication code algorithms are configured using the MACs option. A good value is hmac-sha,hmac-sha,hmac-sha1. We have included the sha-1 algorithm in the above sets only for compatibility. Its use is questionable from a security perspective.
If it is not needed for compatibility, we recommend disabling it. NIST has also issued guidance on it. Some organizations may also want to set a policy for PubkeyAcceptedKeyTypes. The same value as for HostKeyAlgorithms would make sense. However, restricting this value could abruptly break business-critical connections, and we recommend setting it only after analyzing all existing authorized keys for the algorithms they use.
This way, the key fingerprint for any SSH key used for login is logged. This information is important for SSH key management, especially in legacy environments.
Historically, most organizations have not touched the location of the authorized keys files. This means they are in each user's home directory, and each user can configure additional permanent credentials for themselves and their friends. They can also add additional permanent credentials for any service account or root account they are able to log into. This has led to massive problems in large organizations around managing SSH keys.
We strongly recommend that organizations establish proper life cycle management for key-based credentials, and set the related options as part of this process. See SSH key management and contact us for additional help.
Their use can make auditing SSH keys cumbersome and they can be used to hide backdoor keys from casual observation.
For example, you could connect over the Internet to your PC, tunnel a remote desktop connection, and access your desktop. This is known as "port forwarding". By default, you can also tunnel specific graphical applications through an SSH session. This is known as "X11 forwarding".
While both of these are very useful, they also give more options to an attacker who has already guessed your password. Disabling these options gives you a little security, but not as much as you'd think. With access to a normal shell and a specially modified SSH client, a resourceful attacker can replicate both of these techniques. It's only recommended to disable forwarding if you also use SSH keys with specified commands.
You can disable each of these independently if you prefer. For example, if you have a family PC where most people have weak passwords, you might want to allow SSH access just for yourself. Allowing or denying SSH access for specific users can significantly improve your security if users with poor security practices don't need SSH access.
If an IP address tries to connect more than 10 times in 30 seconds, all following attempts will fail, since the connections are DROPped. The rule is added to the firewall by running a single command:
sudo ufw limit ssh
On a single-user or low-powered system, such as a laptop, the total number of simultaneous pending (not yet authorized) login connections to the system can also be limited.
This example will allow two pending connections:
MaxStartups
In a multi-user or server environment, these numbers should be set significantly higher, depending on resources and demand, to alleviate denial-of-access attacks. Setting a lower login grace time (the time pending connections are kept alive while waiting for authorization) can be a good idea, as it frees up pending connections more quickly, at the expense of convenience. It's recommended to log more information if you're curious about malicious SSH traffic.
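As an added example, not code from either of the documents quoted above: a small Python checker that parses an sshd_config excerpt and reports the policy points discussed in the algorithm section (the small-group Diffie-Hellman exchange and SHA-1 MACs kept only for compatibility) and in the hardening section (LogLevel, MaxStartups, X11Forwarding). The sample configuration is constructed; the parser keeps the first occurrence of each keyword, as sshd does, and ignores Match blocks.

```python
import re

# Constructed sshd_config excerpt used as sample input (not from any real host).
SAMPLE_CONFIG = """\
Port 22
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
MACs hmac-sha2-256,hmac-sha1
LogLevel INFO
MaxStartups 10:30:100
X11Forwarding yes
"""

# Algorithms the text above singles out: the small-prime DH group, and the
# SHA-1 based MAC kept for compatibility (hmac-sha1-96 is its truncated form).
WEAK_KEX = {"diffie-hellman-group1-sha1"}
WEAK_MACS = {"hmac-sha1", "hmac-sha1-96"}
VERBOSE_LEVELS = {"VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"}


def parse_sshd_config(text):
    """Return {keyword (lowercased): value}, keeping the first occurrence of each
    keyword, which is the one sshd honours. Match blocks are not handled."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit(conf):
    """Return findings for the policy points discussed above; [] means clean."""
    findings = []
    for alg in sorted(set(conf.get("kexalgorithms", "").split(",")) & WEAK_KEX):
        findings.append(f"KexAlgorithms allows {alg}: small prime, disable unless needed")
    for alg in sorted(set(conf.get("macs", "").split(",")) & WEAK_MACS):
        findings.append(f"MACs allows {alg}: SHA-1 based, compatibility only")
    if conf.get("loglevel", "INFO").upper() not in VERBOSE_LEVELS:
        findings.append("LogLevel is not VERBOSE: raise it to log key fingerprints")
    if conf.get("x11forwarding", "no").lower() == "yes":
        findings.append("X11Forwarding is enabled")
    if "maxstartups" not in conf:
        findings.append("MaxStartups not set: pending connection limit left at default")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sshd_config(SAMPLE_CONFIG)):
        print(finding)
```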
If you have started using a different port, or if you think your server is well-enough hidden not to need much security, you should increase your logging level and examine your auth. If you find a significant number of spurious login attempts, then your computer is under attack and you need more security.
Whatever security precautions you've taken, you might want to set the logging level to VERBOSE for a week, and see how much spurious traffic you get. It can be a sobering experience to see just how much your computer gets attacked.
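As an added example, not part of the help text above: a Python script that reads constructed auth.log lines, flags source addresses whose failed password attempts exceed a threshold inside a 30-second window (the rate the ufw limit rule above reacts to), and inventories the public-key fingerprints of accepted logins, the information the key management section calls important. The log lines, addresses and fingerprints are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (syslog format, no year) used as sample input.
SAMPLE_LOG = """\
Jun 30 08:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jun 30 08:00:04 host sshd[1203]: Failed password for root from 203.0.113.5 port 40113 ssh2
Jun 30 08:00:07 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 40114 ssh2
Jun 30 08:00:09 host sshd[1207]: Failed password for root from 203.0.113.5 port 40115 ssh2
Jun 30 08:00:12 host sshd[1209]: Failed password for invalid user oracle from 203.0.113.5 port 40116 ssh2
Jun 30 08:00:15 host sshd[1211]: Failed password for root from 203.0.113.5 port 40117 ssh2
Jun 30 08:01:00 host sshd[1220]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2: ED25519 SHA256:constructedFingerprintAAAA
Jun 30 09:15:00 host sshd[1300]: Accepted publickey for deploy from 198.51.100.9 port 50010 ssh2: RSA SHA256:constructedFingerprintBBBB
"""

FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")


def parse_time(stamp, year=1970):
    """Syslog stamps carry no year; a fixed one keeps the arithmetic valid."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def failed_bursts(log, limit=10, window=30):
    """Map source IP -> peak count of failed attempts in any `window`-second span, for IPs exceeding `limit`."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            times[m.group(3)].append(parse_time(m.group(1)))
    bursty = {}
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):          # sliding window over sorted timestamps
            while (ts[end] - ts[start]).total_seconds() > window:
                start += 1
            if end - start + 1 > limit:
                bursty[ip] = max(bursty.get(ip, 0), end - start + 1)
    return bursty


def key_fingerprints(log):
    """Map each accepted key fingerprint -> set of (user, ip) pairs that used it."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = ACCEPTED.search(line)
        if m:
            seen[m.group(3)].add((m.group(1), m.group(2)))
    return dict(seen)
```

With the page's own threshold (more than 10 in 30 seconds) the sample shows no burst; lowering `limit` to 5 flags 203.0.113.5 with six attempts in 14 seconds.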