Bug 11538 (HARDENSSH)

Summary: harden OpenSSH server
Product: IPFire Reporter: Peter Müller <peter.mueller>
Component: ---Assignee: Peter Müller <peter.mueller>
Status: CLOSED FIXED QA Contact:
Severity: Security    
Priority: Will affect most users CC: michael.tremer
Version: 2Keywords: Security, Umbrella
Hardware: all   
OS: All   
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=11641
Bug Depends on: 11750, 11751    
Bug Blocks: 11887    

Description Peter Müller 2017-11-03 15:14:25 UTC
This is an umbrella bug for hardening the OpenSSH server in IPFire.
Comment 1 Peter Müller 2017-11-30 21:39:08 UTC
TODO list:

- enable "StrictMode" in config? (does this break anything?)
- specify cipher suite list
- never permit empty passwords
- set "MaxAuthTries" to suitable value (proposal: 3)
- disabling password authentication is not fully applied
- disable forwarding (people should use VPN or firewall rules instead)
 -> disable port forwarding via SSH, too (highly dangerous)
- set "MaxSessions" limit (proposal: 5)
- always ignore ~/.rhosts
- close inactive SSH sessions? (proposal: after 10 minutes idle)
- display active sessions in the WebUI
- unset password authentication as default in WebUI?
- smaller formatting issue of keys in WebUI
- remote login as root is ugly
- change "ListenAddress"? (never listen on RED or ORANGE)
- openssh is outdated, Marcel sent in a patch for this some time ago
- make sure Guardian catches all necessary openssh log entries
- [and some more things I forgot here]

Some of these points are already done by the openssh default config, but not listed in /etc/ssh/sshd_config explicitely. The general question here is wether to ship a custom config file or just take that one of ssh and replace values with sed.

Further information: https://man.openbsd.org/sshd_config

Will think about this and do some research within next week.
Comment 2 Peter Müller 2018-01-14 13:47:38 UTC
Further reading: https://stribika.github.io/2015/01/04/secure-secure-shell.html
Comment 3 Peter Müller 2018-04-29 10:22:05 UTC
https://patchwork.ipfire.org/patch/1732/
Comment 4 Peter Müller 2018-04-29 10:22:31 UTC
Sorry - was replying to the wrong bug. :-|
Comment 5 Peter Müller 2018-04-29 11:19:00 UTC
Sent in https://patchwork.ipfire.org/patch/1733/

Still to do:
- specify cipher suite list
- disabling password authentication is not fully applied
- disable forwarding (people should use VPN or firewall rules instead)
 -> disable port forwarding via SSH, too (highly dangerous)
- close inactive SSH sessions? (proposal: after 10 minutes idle)
- display active sessions in the WebUI
- unset password authentication as default in WebUI?
- smaller formatting issue of keys in WebUI
- remote login as root is ugly
- change "ListenAddress"? (never listen on RED or ORANGE)
- make sure Guardian catches all necessary openssh log entries

Patch for better cryptography settings is currently in development.
Comment 6 Michael Tremer 2018-04-30 13:11:29 UTC
(In reply to Peter Müller from comment #5)
> - disable forwarding (people should use VPN or firewall rules instead)
>  -> disable port forwarding via SSH, too (highly dangerous)

This is not dangerous?!

> - close inactive SSH sessions? (proposal: after 10 minutes idle)

Very strongly against this. We have this on the actual console and it is a horrible feature.

> - unset password authentication as default in WebUI?

This is the default way people log in to the system. Also the only way until a key is installed. Therefore this should be default.

> - remote login as root is ugly

This is for debugging the system and development. A production system should not have SSH enabled.

> - change "ListenAddress"? (never listen on RED or ORANGE)

How would it be possible to allow SSH-in from those networks then?
Comment 7 Michael Tremer 2018-05-30 13:29:56 UTC
This is not an umbrella bug since there are no tickets depending on this.
Comment 8 Peter Müller 2018-06-07 05:54:32 UTC
(In reply to Michael Tremer from comment #7)
> This is not an umbrella bug since there are no tickets depending on this.
You were right, I now introduced some bugs to split this topic up a bit. Added the "umbrella" tag again, if you don't mind...
Comment 9 Michael Tremer 2018-06-07 21:37:12 UTC
Yes, that's alright :)
Comment 10 Peter Müller 2018-08-19 20:54:02 UTC
https://patchwork.ipfire.org/patch/1895/
Comment 11 Peter Müller 2018-09-27 16:09:08 UTC
Setting to ON_QA since changes are merged upstream and will be rolled out with next Core Update.