💾 Archived View for blog.datapulp.de › secure-sshd captured on 2022-06-11 at 20:59:43. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-11-30)

-=-=-=-=-=-=-

Secure sshd

Martin Döring, 25th of September 2021

There is an online tool to check the security of your ssh daemon. The tool does not require a login, but only evaluates the information that always becomes visible during the handshake of the connection setup anyway:

https://sshcheck.com/

Classic security

Of course I have already disabled password authentication in sshd_config,

PasswordAuthentication no

... which requires that your public ssh key is stored with the root in the file ~/root/.ssh/authorized_keys before.

You can also disable root access if desired:

PermitRootLogin no

In this case you have to make sure that another user can gain root privileges with sudo.

Additionally you can secure the machine with fail2ban to automatically detect attacking hackers and block their IP addresses, but this is not the topic here.

Kick out weak MACs

Now ssh is a somewhat older protocol. Some algorithms are now no longer considered 100% secure or there are recommendations to replace them with better algorithms.

With my sshd all ciphers were ok, but some MACs were marked as weak. The MAC algorithm is used for data integrity protection:

umac-64-etm@openssh.com
hmac-sha1-etm@openssh.com
umac-64@openssh.com
hmac-sha1 

What to do now? I have read the documentation and found out the following: You can use one line in the sshd_config configuration file to remove the MACs you no longer want from the set of all MACs. The list of MACs must be comma separated and start with a Minus, so in my case it looks like this:

MACs -umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1

By the way, you can find out the supported MACs yourself after the change by executing this command on the server:

ssh -Q macs

By the way, this also works for the ciphers:

ssh -Q ciphers

After a

service sshd restart

... the MACs that are too weak should then be removed.

⚠️ Attention! With the online test tool you have to clear the cache first, this can be done on the results page. Otherwise, you will be surprised that the same old result is displayed again without any changes.

As always, the manual provides even more information:

man sshd_config

--

back