SSH audit and secure settings

So, there’s a tool called ssh-audit which is like the SSL Labs of SSH. The first run against some servers showed a whole bunch of “fails” due to issues with use of weak Key Exchange algorithms, Host Key Algorithms and MACs (Message Authentication Code algorithms).

After a bit of fiddling around, you can get a much more secure setup using the config below:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-ed25519

MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

There are still a couple of warnings around the use of SHA-1 (diffie-hellman-group14-sha1 and the ssh-rsa signature) and a potentially weak modulus size with the SHA-256 group exchange, but it’s a lot better than the default configuration.

After adding those lines to the config (/etc/ssh/sshd_config), you can test the config with:

sshd -t

then restart sshd and voilà, you should have a much more secure SSH server.
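As an added example (not part of the original post), here is a small POSIX shell script that does a rough offline version of what ssh-audit checks: it reads an effective-config dump in the format `sshd -T` prints (lowercase option, then the comma-separated value) and flags the algorithm families ssh-audit usually reports. The pattern list `WEAK_RE` is my own assumption about what gets flagged (SHA-1 based KEX and signatures, NIST P-curves, CBC ciphers, MD5 and non-ETM MACs), not ssh-audit’s rule set, and the two sample dumps are constructed inline so the script runs without an SSH server.

```shell
#!/bin/sh
# Added example, not from the original post: scan an "sshd -T" style dump for
# algorithms that ssh-audit typically flags. On a real host run:
#     sshd -T | check_weak_algos
# (sshd -T prints the effective config, a useful companion to sshd -t).

# Assumed weak-algorithm patterns (one ERE, applied to each algorithm name).
# Not ssh-audit's own rules: SHA-1 KEX/MACs, group1 and 2048-bit group14,
# NIST P-curves, CBC ciphers, MD5, non-ETM hmac-sha2, short UMAC, ssh-rsa/ssh-dss.
WEAK_RE='sha1|group1-|group14-|ecdh-sha2-nistp|ecdsa-sha2-nistp|-cbc|hmac-md5|^hmac-sha2-(256|512)$|^umac-64|^umac-128@|^ssh-rsa$|^ssh-dss$'

# Read config lines on stdin; print "WEAK <option> <algorithm>" per flagged entry.
check_weak_algos() {
    while read -r key value; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "$key" in
            kexalgorithms|hostkeyalgorithms|macs|ciphers) ;;
            *) continue ;;
        esac
        # sshd_config values may start with a +/-/^ list modifier; drop it.
        value=${value#[+^-]}
        printf '%s\n' "$value" | tr ',' '\n' | while read -r algo; do
            [ -n "$algo" ] || continue
            if printf '%s\n' "$algo" | grep -Eq "$WEAK_RE"; then
                printf 'WEAK %s %s\n' "$key" "$algo"
            fi
        done
    done
    return 0
}

# Number of flagged entries, printed on stdout (config on stdin).
count_weak_algos() {
    check_weak_algos | wc -l | tr -d ' '
}

# Constructed sample: a lax, default-style dump before hardening.
SAMPLE_DEFAULT='kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
hostkeyalgorithms ssh-rsa,rsa-sha2-512,ssh-ed25519
macs hmac-sha1,hmac-sha2-256,umac-128-etm@openssh.com
ciphers aes128-cbc,aes256-gcm@openssh.com'

# Constructed sample: the settings from the post above.
SAMPLE_HARDENED='KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-ed25519
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com'

# Demo: the default-style dump yields 7 findings, the hardened one 2
# (diffie-hellman-group14-sha1 and ssh-rsa, the SHA-1 leftovers the post mentions).
printf '%s\n' "$SAMPLE_DEFAULT" | check_weak_algos
printf '%s\n' "$SAMPLE_HARDENED" | check_weak_algos
```

The hardened sample still produces two findings, which matches the leftover SHA-1 warnings described above; dropping diffie-hellman-group14-sha1 from KexAlgorithms and ssh-rsa from HostKeyAlgorithms would clear them, at the cost of old clients that support nothing else.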

I put the above into a few tasks in an Ansible playbook:

# Append the hardened algorithm lines to sshd_config. blockinfile adds the block
# at the end of the file by default; sshd takes the first value it sees for an
# option, so remove any earlier KexAlgorithms/HostKeyAlgorithms/MACs lines, and
# make sure the block does not land inside a trailing Match section
# (the sshd -t task below would catch that).
- name: Ensure SSH settings are in config file
  tags: ['ssh-audit','ssh']
  become: true
  blockinfile:
    path: /etc/ssh/sshd_config
    block: |
      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
      HostKeyAlgorithms ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-ed25519
      MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

# A non-zero exit from sshd -t fails the play here, before sshd is restarted.
- name: Verify settings are not going to break SSHd
  tags: ['ssh-audit','ssh']
  become: true
  command: sshd -t

- name: Restart SSHd
  tags: ['ssh-audit','ssh']
  become: true
  systemd: name=sshd state=restarted

# Runs on the control machine against the target host.
# -n: no colours, -b: batch output, -l warn: show only warnings and failures.
# ansible_ssh_host is the pre-2.0 variable name; newer inventories use ansible_host.
- name: Run the ssh-audit against the server
  tags: ['ssh-audit','ssh']
  connection: local
  shell: "./ssh-audit.py -n -b -l warn {{ ansible_ssh_host }}"
  register: sshauditoutput

- name: Output the ssh-audit results
  tags: ['ssh-audit','ssh']
  debug: msg="{{ sshauditoutput.stdout_lines }}"
