💾 Archived View for datapulp.smol.pub › secure-sshd captured on 2023-06-16 at 16:00:52. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-11-30)
-=-=-=-=-=-=-
Martin Döring, 25th of September 2021
There is an online tool to check the security of your ssh daemon. The tool does not require a login, but only evaluates the information that always becomes visible during the handshake of the connection setup anyway:
Of course I have already disabled password authentication in sshd_config,
PasswordAuthentication no
... which requires that your public ssh key is stored with the root in the file ~/root/.ssh/authorized_keys before.
You can also disable root access if desired:
PermitRootLogin no
In this case you have to make sure that another user can gain root privileges with sudo.
Additionally you can secure the machine with fail2ban to automatically detect attacking hackers and block their IP addresses, but this is not the topic here.
Now ssh is a somewhat older protocol. Some algorithms are now no longer considered 100% secure or there are recommendations to replace them with better algorithms.
With my sshd all ciphers were ok, but some MACs were marked as weak. The MAC algorithm is used for data integrity protection:
umac-64-etm@openssh.com hmac-sha1-etm@openssh.com umac-64@openssh.com hmac-sha1
What to do now? I have read the documentation and found out the following: You can use one line in the sshd_config configuration file to remove the MACs you no longer want from the set of all MACs. The list of MACs must be comma separated and start with a Minus, so in my case it looks like this:
MACs -umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,hmac-sha1
By the way, you can find out the supported MACs yourself after the change by executing this command on the server:
ssh -Q macs
By the way, this also works for the ciphers:
ssh -Q ciphers
After a
service sshd restart
... the MACs that are too weak should then be removed.
⚠️ Attention! With the online test tool you have to clear the cache first, this can be done on the results page. Otherwise, you will be surprised that the same old result is displayed again without any changes.
As always, the manual provides even more information:
man sshd_config
--