SSH – prevent weak ciphers and MAC algorithms

Supported in RHEL 6:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,hmac-ripemd160

Supported in RHEL 7:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

These examples are meant for sysadmins who have done this before, as an easily copy-pastable reference, not for newbies who have no idea what all this means. Research what you are doing and think before you act. Be careful when reloading or restarting your sshd daemon, and make sure you can access the console in case something goes terribly wrong! So don't mess it up, basically.
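As an added check (example code, not from the original page or the cited sources): a small POSIX shell audit that parses the Ciphers and MACs directives, from a config file or from `sshd -T` output, and flags any algorithm on a deny-list. The deny-lists are this example's own assumption about what counts as weak, and the two embedded samples are constructed from the RHEL 6 and RHEL 7 lists above.

```shell
#!/bin/sh
# Added example (not from the original page): audit the Ciphers and MACs
# directives of an sshd_config, or of `sshd -T` output, against a deny-list.
# The deny-lists are this example's assumption about what counts as weak:
# the RC4 family, CBC modes, and MD5/SHA-1 based or 64-bit MACs.
WEAK_CIPHERS="arcfour arcfour128 arcfour256 3des-cbc blowfish-cbc cast128-cbc aes128-cbc aes192-cbc aes256-cbc"
WEAK_MACS="hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 umac-64@openssh.com"

# weak_in_directive CONFIG_TEXT DIRECTIVE WEAK_LIST
# Prints, space separated, each algorithm in DIRECTIVE's value that is on WEAK_LIST.
# Directive names match case-insensitively and the first occurrence wins, as in sshd.
weak_in_directive() {
    printf '%s\n' "$1" | awk -v d="$2" -v weak="$3" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        tolower($1) == tolower(d) {
            m = split($2, algs, ",")
            out = ""
            for (i = 1; i <= m; i++)
                if (algs[i] in bad) out = out (out == "" ? "" : " ") algs[i]
            print out
            exit
        }'
}

# audit_config CONFIG_TEXT: report every weak algorithm found; returns 1 if any.
audit_config() {
    rc=0
    c=$(weak_in_directive "$1" Ciphers "$WEAK_CIPHERS")
    m=$(weak_in_directive "$1" MACs "$WEAK_MACS")
    [ -n "$c" ] && { echo "weak ciphers enabled: $c"; rc=1; }
    [ -n "$m" ] && { echo "weak MACs enabled: $m"; rc=1; }
    return $rc
}

# Constructed samples: the RHEL 6 lines above (RC4 and SHA-1 still present)
# and the RHEL 7 lines, which should pass the audit.
RHEL6_SAMPLE='Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
MACs hmac-sha1,hmac-ripemd160'
RHEL7_SAMPLE='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'

audit_config "$RHEL6_SAMPLE" || echo "RHEL 6 list: weak algorithms present"  # reports the arcfour ciphers and hmac-sha1
audit_config "$RHEL7_SAMPLE" && echo "RHEL 7 list: no weak algorithms"
```

Run it against the live daemon with `audit_config "$(sshd -T)"` (as root) to audit the effective values rather than the file, and still run `sshd -t` before any reload.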

Sources: https://cipherli.st/, https://access.redhat.com/solutions/420283 and http://www.cyberciti.biz/faq/howto-openssh-client-security-update-cve-0216-0777-cve-0216-0778/

Prevent bruteforce SSH attacks using firewalld

This one-liner will reject new incoming IPv4 connections when more than 2 attempts per minute are made. It will also log a message about this:
firewall-cmd --add-rich-rule='rule family="ipv4" service name="ssh" log prefix="SSH Bruteforce:" level="warning" limit value="2/m" accept limit value="2/m"'
If you have both IPv4 and IPv6 configured you'll probably want the more generic version:
firewall-cmd --add-rich-rule='rule service name="ssh" log prefix="SSH Bruteforce:" level="warning" limit value="2/m" accept limit value="2/m"'
Add the --permanent option to make your rules permanent.