Most scanners raise a number of issues regarding SSH security. They mostly concern:
- Use of weak arcfour ciphers
- SSH Weak ciphers
- SSH weak MAC algorithms
- SSH insecure key exchange, etc.
As an example, we will look at the defaults and how to harden them. I will be demonstrating on a Debian box (Kali, to be specific). The SSH version is as below:
The defaults can also be inspected with the -Q switch of ssh, which lists what is currently supported.
We need to assess the status of the defaults; for this we will use a tool called ssh-audit, which can be downloaded from GitHub. To get a perspective first, we will check only for failed configuration issues rather than warnings and informational findings.
As can be seen, the default configuration is not very robust. All is not lost: the principle here is that everything is enabled unless secure configurations are chosen. This is intentional, because the right choice really varies with the environment (versions of SSH in use, SSH client algorithm support, etc.). While researching (Google, tsk tsk tsk) I found a nice resource that gives a starter pack of values to feed /etc/ssh/sshd_config. The resource can be found here. From this resource, I added the configuration below based on my SSH version.
As good as this configuration seems, it did not quite cut it: the fails were reduced but not eliminated. On further research I realised I hadn't set the host key algorithm, hence the fail. During this time I also read a bit about why some of these algorithms are discouraged; the writeup can be found here.
Enter the new line for the host key algorithm.
On doing a more detailed scan at all log levels, we now have warnings and informational findings, as seen below:
To kill the last of the warnings, we simply modify our configuration to use only the strong ciphers. In this case I ended up with the master sheet below:
On scanning now:
We can additionally run an nmap scan just to get a feel for what we are working with.
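The scans above look at the server from the outside; a local check of the effective configuration, as printed by sshd -T, complements them. The following is an added example, not part of the original post or of ssh-audit; the function names, the deny patterns and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag weak algorithms in `sshd -T` style output read on stdin.
# The deny patterns are an illustrative assumption, not ssh-audit's rule set.

is_weak() {  # $1 = directive, $2 = algorithm; status 0 means "treat as weak"
    case "$1:$2" in
        ciphers:arcfour*|ciphers:*-cbc*) return 0 ;;             # RC4, CBC modes
        macs:hmac-md5*|macs:*-96*|macs:umac-64*) return 0 ;;     # MD5, short tags
        kexalgorithms:*-sha1) return 0 ;;                        # SHA-1 based kex
        hostkeyalgorithms:ssh-dss*) return 0 ;;                  # DSA host keys
    esac
    return 1
}

audit_sshd_algos() {
    # Prints "directive algorithm" per weak entry; returns 1 if any was found.
    found=0
    while read -r key value; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # tolerate mixed case
        case "$key" in
            ciphers|macs|kexalgorithms|hostkeyalgorithms) ;;
            *) continue ;;
        esac
        old_ifs=$IFS; IFS=,          # algorithm lists are comma-separated
        for alg in $value; do
            if is_weak "$key" "$alg"; then
                printf '%s %s\n' "$key" "$alg"
                found=1
            fi
        done
        IFS=$old_ifs
    done
    return "$found"
}

sample_effective_config() {
    # Constructed sample shaped like `sshd -T` output (not from the post).
    cat <<'EOF'
port 22
ciphers chacha20-poly1305@openssh.com,arcfour128,aes128-cbc,aes256-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-md5,hmac-sha1-96
kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1
hostkeyalgorithms ssh-ed25519,ssh-dss
EOF
}

# Demo on the constructed sample; on a real host: sudo sshd -T | audit_sshd_algos
sample_effective_config | audit_sshd_algos || echo "weak algorithms present"
```

The non-zero exit status on a finding makes the function usable as a gate after editing /etc/ssh/sshd_config and before restarting the service.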
Hope this has been helpful. Above all, note that the perfect situation may not be workable in some instances, especially if backward compatibility is a factor. This can, however, be used to attempt to harden to the highest level possible.