Summary: | harden OpenSSH server | ||
---|---|---|---|
Product: | IPFire | Reporter: | Peter Müller <peter.mueller> |
Component: | --- | Assignee: | Peter Müller <peter.mueller> |
Status: | CLOSED FIXED | QA Contact: | |
Severity: | Security | ||
Priority: | Will affect most users | CC: | michael.tremer |
Version: | 2 | Keywords: | Security, Umbrella |
Hardware: | all | ||
OS: | All | ||
See Also: | https://bugzilla.ipfire.org/show_bug.cgi?id=11641 | ||
Bug Depends on: | 11750, 11751 | ||
Bug Blocks: | 11887 |
Description
Peter Müller
2017-11-03 15:14:25 UTC
TODO list:
- enable "StrictMode" in config? (does this break anything?)
- specify cipher suite list
- never permit empty passwords
- set "MaxAuthTries" to suitable value (proposal: 3)
- disabling password authentication is not fully applied
- disable forwarding (people should use VPN or firewall rules instead)
  -> disable port forwarding via SSH, too (highly dangerous)
- set "MaxSessions" limit (proposal: 5)
- always ignore ~/.rhosts
- close inactive SSH sessions? (proposal: after 10 minutes idle)
- display active sessions in the WebUI
- unset password authentication as default in WebUI?
- smaller formatting issue of keys in WebUI
- remote login as root is ugly
- change "ListenAddress"? (never listen on RED or ORANGE)
- openssh is outdated, Marcel sent in a patch for this some time ago
- make sure Guardian catches all necessary openssh log entries
- [and some more things I forgot here]

Some of these points are already done by the openssh default config, but not listed in /etc/ssh/sshd_config explicitly. The general question here is whether to ship a custom config file or just take that one of ssh and replace values with sed.

Further information: https://man.openbsd.org/sshd_config

Will think about this and do some research within next week.

Further reading: https://stribika.github.io/2015/01/04/secure-secure-shell.html

Sorry - was replying to the wrong bug. :-|

Sent in https://patchwork.ipfire.org/patch/1733/

Still to do:
- specify cipher suite list
- disabling password authentication is not fully applied
- disable forwarding (people should use VPN or firewall rules instead)
  -> disable port forwarding via SSH, too (highly dangerous)
- close inactive SSH sessions? (proposal: after 10 minutes idle)
- display active sessions in the WebUI
- unset password authentication as default in WebUI?
- smaller formatting issue of keys in WebUI
- remote login as root is ugly
- change "ListenAddress"? (never listen on RED or ORANGE)
- make sure Guardian catches all necessary openssh log entries

Patch for better cryptography settings is currently in development.

(In reply to Peter Müller from comment #5)
> - disable forwarding (people should use VPN or firewall rules instead)
>   -> disable port forwarding via SSH, too (highly dangerous)

This is not dangerous?!

> - close inactive SSH sessions? (proposal: after 10 minutes idle)

Very strongly against this. We have this on the actual console and it is a horrible feature.

> - unset password authentication as default in WebUI?

This is the default way people log in to the system. Also the only way until a key is installed. Therefore this should be default.

> - remote login as root is ugly

This is for debugging the system and development. A production system should not have SSH enabled.

> - change "ListenAddress"? (never listen on RED or ORANGE)

How would it be possible to allow SSH-in from those networks then?

This is not an umbrella bug since there are no tickets depending on this.

(In reply to Michael Tremer from comment #7)
> This is not an umbrella bug since there are no tickets depending on this.

You were right, I now introduced some bugs to split this topic up a bit. Added the "umbrella" tag again, if you don't mind...

Yes, that's alright :)

Setting to ON_QA since changes are merged upstream and will be rolled out with next Core Update.
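
The TODO items in this ticket that map directly onto an sshd_config keyword with a proposed value (strict modes, empty passwords, "MaxAuthTries" 3, "MaxSessions" 5, ignoring ~/.rhosts) can be checked mechanically. The following Python script is an added example, not code from the ticket or from IPFire. It assumes the keyword spelling `StrictModes` and the absent-keyword defaults from sshd_config(5), and the sample configuration is constructed.

```python
# Values sshd uses when a keyword is absent, per sshd_config(5).
DEFAULTS = {"strictmodes": "yes", "permitemptypasswords": "no",
            "maxauthtries": "6", "maxsessions": "10", "ignorerhosts": "yes"}
# Targets from the ticket's TODO list; integers are upper bounds.
TARGETS = {"strictmodes": "yes", "permitemptypasswords": "no",
           "maxauthtries": 3, "maxsessions": 5, "ignorerhosts": "yes"}

# Constructed sample, not IPFire's shipped configuration.
SAMPLE = """\
Port 222
PermitEmptyPasswords no
MaxAuthTries 3
maxauthtries 10
IgnoreRhosts no
Match User admin
    MaxSessions 2
"""

def effective_settings(config_text):
    """Global settings as sshd resolves them: the first value for a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; "keyword=value" is accepted as well.
        parts = line.replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            break  # lines after Match are conditional, not global
        seen.setdefault(key, parts[1].strip().strip('"') if len(parts) > 1 else "")
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit(config_text):
    """Return (keyword, effective, wanted) for each setting that misses its target."""
    findings = []
    for key, have in effective_settings(config_text).items():
        want = TARGETS[key]
        if isinstance(want, int):
            ok = have.isdigit() and int(have) <= want
        else:
            ok = have.lower() == want
        if not ok:
            findings.append((key, have, want))
    return findings

if __name__ == "__main__":
    for key, have, want in audit(SAMPLE):
        print(f"{key}: effective value {have!r}, ticket proposes {want!r}")
```

Because the defaults are filled in for absent keywords, the script also reports settings that the configuration file never mentions, which is the case the description raises about values not listed in /etc/ssh/sshd_config.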