cloudsidedev / appside

Multitenant environment automation.
http://cloudside.ch
GNU Affero General Public License v3.0

sshd hardening #38

Closed ivomarino closed 6 years ago

ivomarino commented 7 years ago

sshd settings must be tuned for higher security standards; this will be developed in branch 38-sshd-hardening. Features we want to add:

Testing can be done with ssh-audit. Example settings:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
MACs          hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
Ciphers       chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

DebianBanner no

# Uncomment the two entries below after configuring and testing SSH pubkey authentication
# PasswordAuthentication no

# ChallengeResponseAuthentication no
# AllowUsers user1 user2 user3

PermitRootLogin no
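A quick self-check of the fragment above, as an added example for this thread rather than appflow code: it parses an sshd_config text and reports the points an ssh-audit run would complain about in the posted settings (the SHA-1 KEX still in the list, password authentication still enabled because the directive is commented out). The sample configs, the weak-algorithm patterns and the "must be no" rule for PermitRootLogin and PasswordAuthentication are this example's own assumptions.

```python
"""Audit an sshd_config fragment for the hardening points raised in this issue.

Added example, not part of appflow. The weak-algorithm patterns, the
"must be no" rule for PermitRootLogin/PasswordAuthentication and the sample
configs below are this example's own assumptions.
"""
import re

# Constructed sample: the settings posted above, with PasswordAuthentication
# still commented out exactly as the author left it.
SAMPLE_CONFIG = """\
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
DebianBanner no
# PasswordAuthentication no
PermitRootLogin no
"""

# Same fragment with the SHA-1 KEX dropped and password auth actually disabled.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace(",diffie-hellman-group14-sha1", "")
                   .replace("# PasswordAuthentication no", "PasswordAuthentication no"))

# Per-keyword patterns applied to each comma-separated algorithm name (assumption).
WEAK_ALGORITHMS = {
    "kexalgorithms": re.compile(r"sha1(?:$|@)|group1-"),         # SHA-1 hashed KEX, 1024-bit group1
    "macs": re.compile(r"md5|sha1|umac-64|-96"),                 # weak hash or truncated tag
    "ciphers": re.compile(r"cbc|3des|arcfour|blowfish|cast128"),  # CBC modes and legacy ciphers
}


def parse_sshd_config(text):
    """Map lowercase keyword -> list of values in file order.

    Lines starting with '#' and blank lines are comments. Repeated keywords
    are kept in order because sshd honours the first occurrence for most
    keywords but accepts several HostKey lines.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means clean."""
    conf = parse_sshd_config(text)
    findings = []
    for path in conf.get("hostkey", []):
        if re.search(r"_(dsa|ecdsa)_key", path):
            findings.append(f"hostkey: {path} enables a DSA/ECDSA host key")
    for keyword, weak in WEAK_ALGORITHMS.items():
        values = conf.get(keyword)
        if not values:
            findings.append(f"{keyword}: not set, the sshd default list of this version applies")
            continue
        for algo in values[0].split(","):  # first occurrence is the effective one
            if weak.search(algo):
                findings.append(f"{keyword}: weak algorithm {algo}")
    for keyword in ("permitrootlogin", "passwordauthentication"):
        effective = conf.get(keyword, ["(unset, sshd default)"])[0].lower()
        if effective != "no":
            findings.append(f"{keyword}: {effective}, expected no")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted fragment it reports exactly two findings: the diffie-hellman-group14-sha1 entry and the still-commented PasswordAuthentication; the hardened variant reports none. It is a pre-commit sanity check, not a replacement for running ssh-audit against the live daemon, which also sees the host key sizes and the sshd version.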
ivomarino commented 7 years ago

Commit https://github.com/ttssdev/appflow/commit/de8258c2e82f97742a0a945bcc95f9d956c9076a introduces initial support for fail2ban (Debian family). It has been tested on atlantis: after six runs of "assh sockets flush ; ssh -l foo atlantis" the IP was banned correctly:

2017-03-31 14:48:22,679 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2017-03-31 14:48:22,679 fail2ban.jail   : INFO   Creating new jail 'ssh'
2017-03-31 14:48:22,705 fail2ban.jail   : INFO   Jail 'ssh' uses pyinotify
2017-03-31 14:48:22,719 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
2017-03-31 14:48:22,722 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2017-03-31 14:48:22,723 fail2ban.filter : INFO   Set maxRetry = 6
2017-03-31 14:48:22,724 fail2ban.filter : INFO   Set findtime = 600
2017-03-31 14:48:22,724 fail2ban.actions: INFO   Set banTime = 600
2017-03-31 14:48:22,746 fail2ban.jail   : INFO   Jail 'ssh' started
2017-03-31 14:53:12,302 fail2ban.actions: WARNING [ssh] Ban 192.168.80.1
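The jail parameters in that log (maxRetry 6, findtime 600, banTime 600) replayed over sample auth.log lines, as an added example for this thread and not fail2ban's or appflow's code. The log lines are constructed in sshd's syslog format (the year is assumed to be 2017 because syslog timestamps carry none), and the regex covers only "Failed password/publickey" lines; fail2ban's real sshd filter matches considerably more patterns.

```python
"""Replay the fail2ban sshd jail logic from the log above over sample auth.log
lines: maxRetry 6 failures within findtime 600 s bans the source for banTime.

Added example, not fail2ban or appflow code. The log lines are constructed
(sshd format, year assumed 2017 because syslog timestamps carry none) and the
regex covers only "Failed password/publickey" lines; fail2ban's sshd filter
matches more patterns.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"
)

# Constructed sample: six failures from 192.168.80.1 inside five minutes,
# one more after the ban, and six from 10.0.0.5 that never fit in one window.
SAMPLE_AUTH_LOG = """\
Mar 31 14:40:00 atlantis sshd[4101]: Failed password for root from 10.0.0.5 port 40001 ssh2
Mar 31 14:41:00 atlantis sshd[4102]: Failed password for root from 10.0.0.5 port 40002 ssh2
Mar 31 14:42:00 atlantis sshd[4103]: Failed password for invalid user admin from 10.0.0.5 port 40003 ssh2
Mar 31 14:48:30 atlantis sshd[4110]: Accepted publickey for ops from 10.0.0.7 port 50010 ssh2: ED25519 SHA256:constructed
Mar 31 14:49:00 atlantis sshd[4120]: Failed password for invalid user foo from 192.168.80.1 port 51001 ssh2
Mar 31 14:49:40 atlantis sshd[4121]: Failed password for invalid user foo from 192.168.80.1 port 51002 ssh2
Mar 31 14:50:20 atlantis sshd[4122]: Failed password for invalid user foo from 192.168.80.1 port 51003 ssh2
Mar 31 14:51:00 atlantis sshd[4123]: Failed password for invalid user foo from 192.168.80.1 port 51004 ssh2
Mar 31 14:52:00 atlantis sshd[4124]: Failed password for invalid user foo from 192.168.80.1 port 51005 ssh2
Mar 31 14:53:12 atlantis sshd[4125]: Failed password for invalid user foo from 192.168.80.1 port 51006 ssh2
Mar 31 14:53:30 atlantis sshd[4126]: Failed password for invalid user foo from 192.168.80.1 port 51007 ssh2
Mar 31 14:55:00 atlantis sshd[4130]: Failed password for root from 10.0.0.5 port 40004 ssh2
Mar 31 14:56:00 atlantis sshd[4131]: Failed password for root from 10.0.0.5 port 40005 ssh2
Mar 31 14:57:00 atlantis sshd[4132]: Failed password for root from 10.0.0.5 port 40006 ssh2
"""


def parse_failure(line, year=2017):
    """Return (timestamp, ip) for an authentication failure line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day ("Mar  1")
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["ip"]


def find_bans(log_text, maxretry=6, findtime=600, bantime=600):
    """Sliding-window ban decision per source IP, in log order.

    Returns [(ip, ban_time)] in the order bans were issued. Failures that
    arrive while an IP is banned are ignored, as the firewall would drop them.
    """
    attempts = defaultdict(deque)
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = attempts[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S} fail2ban.actions: WARNING [ssh] Ban {ip}")
```

With the defaults only 192.168.80.1 is banned, at the sixth failure; 10.0.0.5 spreads its six failures over more than findtime and is never caught, which is the usual blind spot of a pure retry counter against a slow brute force. Lowering maxretry to 3 bans both sources, and 10.0.0.5 twice once its first ban has expired.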
ivomarino commented 7 years ago

New HAProxy SSL settings:

EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:EECDH+AES128:EDH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!EXPORT:!MEDIUM:!MD5:!PSK:!RSAPSK:!SRP:!DSS:!CAMELLIA:!RC4:!3DES
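To see what that cipher string actually selects rather than trusting the keyword list, the following added example (not appflow or HAProxy code) expands it with the local OpenSSL through Python's ssl module and checks two properties the string is meant to guarantee: none of the excluded families (RC4, 3DES, MD5, NULL, export, Camellia, PSK, SRP, DSS) survive, and every ECDHE/DHE suite is preferred over static-RSA key exchange. The WEAK_MARKERS list and the ordering rule are this example's own assumptions.

```python
"""Expand the HAProxy cipher string posted above with the local OpenSSL and
check the result for the suite families the string is meant to exclude.

Added example, not appflow or HAProxy code. The WEAK_MARKERS list and the
forward-secrecy ordering rule are this example's own assumptions.
"""
import ssl

HARDENED = (
    "EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:EECDH+AES128:EDH+AES:"
    "RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!LOW:!EXPORT:!MEDIUM:!MD5:!PSK:!RSAPSK:"
    "!SRP:!DSS:!CAMELLIA:!RC4:!3DES"
)

# Substrings of OpenSSL suite names that the string above is meant to exclude (assumption).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "CAMELLIA", "PSK", "SRP", "DSS")


def expand_cipher_string(cipher_string):
    """Ask OpenSSL which TLS 1.2-and-below suites the string selects, in order.

    TLS 1.3 suites are fixed by OpenSSL and not governed by this string, so
    they are left out of the result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_ciphers(names):
    """Suite names that carry any of the excluded markers."""
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


def forward_secret_first(names):
    """True if every ECDHE/DHE suite precedes every static-RSA suite, which is
    what listing the EECDH/EDH groups before RSA+... is supposed to achieve."""
    first_static = next((i for i, n in enumerate(names)
                         if not n.startswith(("ECDHE-", "DHE-"))), len(names))
    return all(not n.startswith(("ECDHE-", "DHE-")) for n in names[first_static:])


if __name__ == "__main__":
    suites = expand_cipher_string(HARDENED)
    print(f"{len(suites)} suites selected; first: {suites[0]}")
    print("weak suites:", weak_ciphers(suites) or "none")
    print("forward secrecy preferred:", forward_secret_first(suites))
```

The exact list depends on the OpenSSL build HAProxy is linked against, so the check is worth repeating on the target host; a string that looks right on a workstation can expand differently on an older distribution release.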