Message ID | 042ecb9c-4183-5ea5-ee26-56ed9bcc7a61@link38.eu |
---|---|
State | Superseded |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.ipfire.org [IPv6:2001:470:7183:25::1]) by web02.i.ipfire.org (Postfix) with ESMTP id 791E360726 for <patchwork@web02.i.ipfire.org>; Sun, 19 Aug 2018 20:41:52 +0200 (CEST) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 0195F112692A; Sun, 19 Aug 2018 19:41:51 +0100 (BST) Received: from mx-nbg.link38.eu (mx-nbg.link38.eu [IPv6:2a03:4000:6:432c:1f9e:48:ac3:199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx-nbg.link38.eu", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id EEB9D10F83E0 for <development@lists.ipfire.org>; Sun, 19 Aug 2018 19:41:47 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=link38.eu; s=201803; t=1534704110; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references; bh=AZsDmlcRerkEZv6mNJw07YpITigvPRzCur5qXFusmHs=; b=EU7MOtPJOHWcEZ/0FNZaKR3twXuqpkfcRtJEiuMLR6/Mmkqkg3o0Gb1Z1Zc/jSyZpJSmMg 0c+5g5WlGofdNbWZCPyd/Mcw9qzySs51OodA4D6rKQOLcMX1Z+7zq2V+rj6S2L3vi+0Gko muvBB18h2o7PPpkb4nYz84BpMjk+5IIF7lBcN6/AjJSWA+fbw6c+D18TqVCGyu0e6lRBCf b+C4DgSxxz5eFkKMDUZErIo/h6C12F+2ajfBL7PI0b3wtOjyCUui6UTOz5aYYHrbpjYyU2 K0Q8K+fZq8X5SbJh3aBQr4jDA+EO5GcQ2+KaH0WmOrR0dW9D4s5vV1WdIrwBcg== To: "ipfire: Development-List" <development@lists.ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu> Openpgp: preference=signencrypt Autocrypt: addr=peter.mueller@link38.eu; prefer-encrypt=mutual; keydata= xsFNBFrlh/UBEADDNM0LnM9+1NhjgfIz7Ww9Hlx6egK75TJoVa/S9gjI+3DeXn7hsj7vZnQz qSXMhSauU7k4g+F+MmOJP2HRIl0lEo/JNrpAqrAseSnbJp4eq8OTyAL6+Z3SVNJNbcRDOHmw jb/GR8ncURcgYDYV+oCs4csrghtBnm4cWaD/RW10zlB4nQsqQ5G3jzY9aIM+NKRHSAZEbXBZ W6pyDcGRMkwSFTHXpjtFDZ6mVEMxi1nv2W8PMU+uGbs3ud4gzPZ0tT5ICR8bp71qpua4r4RQ o6rB/suiPOptOE5/rk8FiW3ho0y1xDu7bRx8UzdLS9cYCVeSvf9n9YZ6RGOH9O7dS23zfTkS 8iqYol1PmVZrNtpsWBCq4HzFtRJPs6gykFNfj2sVQXU3RHHf2ui0OKm3R0olhLVbKSw2qSPM ajP1vBuVLEMSJmucxlJQ72Im/afnOz3LlNt+/FOB0zneoKGvPpPGSP/Fr5FJYED6/l1DZl2W 8Wb76xq3HGfETHW9kwwqbbQefMu6LNQIw9CnTpSk/R9mt7AnIrKCjxfclLDfz6VBJ0grRDDF PBEVBrj7uZM0UCl/dUX0adjDxBfma/UJZcBlDVX61+41vsX6w094sveKaNdqybAIxqGnhRUq kCHm5P/IYOZrtkao/TsRIW508MJBGmxoUl2qqCj7tXtNy2tiUQARAQABzSdQZXRlciBNw7xs bGVyIDxwZXRlci5tdWVsbGVyQGxpbmszOC5ldT7CwX8EEwECACkFAlrlh/UCGyMFCQlmAYAH CwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZSPIPfXufaDlVD/0elAwSohcC4T5jFtPt hZ1+jU9t46pwBhQ8ohKpo4/wAuVBg5B0FYb0gegcSicYWsNkhTtCjUhExMilLKTaJir5l+3V B/rU/WG7NgLYqmYsGlgHPXdLZAbOMU/0atONFYos1UZnRGmPfhLwRw3g5TBaKrfqaFBzRABE W0R+XuRoXy9ho+lNP5g0Sa+SxtOeBpLQxppObk5WLUqDKxrvHhStgM3PrJASKujsJiw19IUg ws0q+WezH8LPQd3Vc8DP56sl1/h8w2Xklsdxj1NEcO7OIrrKSNIRGyqgqvtmDi6dxh1suGUW Par/VhB+P+u0yVy8H1lZ4SFUsZJFPwHNFSN41USmT/uHf9Z7K1+qXm4zpyexrDQ+ojuXxnB1 y97cHYcYaCZ2Bo+deljXng1NF0I3CdIdhPfLv7FHRBoBw1xs0qJjUfTfSAZsYD0H/jl76bRx 4s8rrECqM7pMnE4aLiP4m6gKJKooH8QAQsmGRYAI8gG/BIHPHZUpZ8J2jRnj6GQ1MpEdcnLE Q0N7QMayDoPq177es7tey5vzofq3bDGW/O9yqUWiz3e7uaGSQnYoRGm2oCCTojvGt37yS0H8 v+ms2fokPNt8UDmpZoLFFPXDwVcnL/KBkPY665xchatKpBOtJ3lRnXdlyRJW1gGda9G5mGFn xLcWumkZ12YKmtixuM7BTQRa5Yf1ARAA4UCkVBvQhks9lApBxvfZ8ekWrticMooBkegL+KQT TPWQHTgdwkFzSneaRq0vFFcgKxmXA54OmT58y0tf09hUvTGK4COs5GTZKP/SYSWZM6xOQqaT 37fros/ma4iSS+IJw/eDh7bWKM5gllz0EuoewaTveGDWeucf7V36mRUPG47GsNk/PgCRsO5Y SLlpfT/3xH02aRnUmWjzHCkJ9EV388cIWaYo9kP4q9rbcl3IyHP0t78XpIIWH6+o/I0FgzwL GJBdJ0eAE3PNIRGYu8nqYlJ+TIpcIrEPitma6nZtiWAITRO2XDb/2o05tUlEbmlN6dUOqM7X Jvj/Z9KkYNgvYNbHXqXJ+j5gzcq0DR7DtDSDnd1WDrYivQMGBDnZR2YfFjBEsmeArdmDTZqY aqYhBN3iMCI9cErZgik6Niz6jrqBMK98geB04vrqZUYprh7zXgPu0A/EwTIJuZ+GGeEKwMVL pBc2NGxUb/kt8nr1JHAnSludD78EW6QVdpcgO4DhHxzhdDk/L8yE53b5UdvXwad5N4T1QS/Y kk80nByinD4vaIIHti9nOvLQJAro1p997YnVeY0wQ2x14Qw1rqeCOeKqB8PxmHvSK6b+nXLg Dv7HuFLovIeQd/IimGLXBDW4Bkn60HApJ5KcX+GwHp5XqPRKPmtjfMsETZn1ESjyc3sAEQEA AcLBZQQYAQIADwUCWuWH9QIbDAUJCWYBgAAKCRDZSPIPfXufaBRaEACMS5Q1BY/O5o+Vn8lD uMUczEVk/8j07gi1EV2ffutwZ5eYrKvXkuoMPEBb7SWqPUKqpTbw1pNjUf5002c2xm2r/OSZ oQMRWDztht+EMhjy0qkixMV+TvS6DcFPb8sd+KOoIBD08EBVUxpeNhAFxaRjGEDboJUwtDAd EDUJts5HnXvBqEcnkOfkwDSUWf9epa1mbyO1sO5NnMtxQY6paB2UGQPNE5/J3eo4f5s4wrxR AaM6OCCOtJxs4u0svmOCwd0D8LQ6higBq+EFesc57ZpG3pkNokrROFWRpx6OpQJUnYi5lWm8 +4xF99QfI9mHIz+jrnPcsfAiKdXb8QkeaDkR7bIU269wwKupfN6bHsKFtOnx7AhMLUddzTHA hTe8cov/tnn5xPvSZhpfknOBx+mffNQBsCETuCxPMqtDN5xFuwBxw4ZKZpKYFk/FUl6As1z4 LY2tNXb/JI58fGiLreunuvxsEkb97hmly1e19IPOTJzawB/aKRQNpIkoE11UBhKyc+kwIfVo ZCTlp+3hpBFqxEjRReSQUKKb9hA4yP3j90Fb353JbNKf9+Y3UtFPJb67koDOGtbJsk19bzPE zO0j/ek+eXxTIf5NxURVuzY6yvg57ZzW7T/tApT/LLfMEmuYz/LiijgON0uTOSp8KflwAt8m eNtEia+FigGVqn+PSQ== Subject: [PATCH 1/2] add hardened SSH server configuration Message-ID: <042ecb9c-4183-5ea5-ee26-56ed9bcc7a61@link38.eu> Date: Sun, 19 Aug 2018 20:41:45 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Authentication-Results: mail01.ipfire.org; dkim=pass header.d=link38.eu; dmarc=pass (policy=none) header.from=link38.eu; spf=pass smtp.mailfrom=peter.mueller@link38.eu X-Spamd-Result: default: False [-9.54 / 11.00]; ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[link38.eu]; BAYES_HAM(-3.00)[100.00%]; FROM_HAS_DN(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2a03:4000:6:432c:1f9e:48:ac3:199]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_ONE(0.00)[1]; TO_DN_ALL(0.00)[]; DKIM_TRACE(0.00)[link38.eu:+]; RCVD_IN_DNSWL_MED(-2.00)[9.9.1.0.3.c.a.0.8.4.0.0.e.9.f.1.c.2.3.4.6.0.0.0.0.0.0.4.3.0.a.2.list.dnswl.org : 127.0.6.2]; DMARC_POLICY_ALLOW(-0.25)[link38.eu,none]; MX_GOOD(-0.01)[cached: mx-nbg.link38.eu]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; IP_SCORE(-3.78)[ip: (-9.90), ipnet: 2a03:4000::/32(-4.95), asn: 197540(-3.96), country: DE(-0.09)]; ASN(0.00)[asn:197540, ipnet:2a03:4000::/32, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[] X-Spam-Status: No, score=-9.54 X-Rspamd-Server: mail01.i.ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <https://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
[1/2] add hardened SSH server configuration
|
|
Commit Message
Peter Müller
Aug. 20, 2018, 4:41 a.m. UTC
In order to harden OpenSSH server in IPFire, using the upstream default configuration
and edit it via sed commands in LFS file is error-prone and does not scale.
Thereof we ship a custom and more secure OpenSSH server configuration which
is copied into the image during build time.
Fixes #11750
Fixes #11751
Partially fixes #11538
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
config/ssh/sshd_config | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 config/ssh/sshd_config
Comments
Hey, On Sun, 2018-08-19 at 20:41 +0200, Peter Müller wrote: > In order to harden OpenSSH server in IPFire, using the upstream default > configuration > and edit it via sed commands in LFS file is error-prone and does not scale. > > Thereof we ship a custom and more secure OpenSSH server configuration which > is copied into the image during build time. > > Fixes #11750 > Fixes #11751 > Partially fixes #11538 > > Signed-off-by: Peter Müller <peter.mueller@link38.eu> > --- > config/ssh/sshd_config | 68 > ++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 68 insertions(+) > create mode 100644 config/ssh/sshd_config > > diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config > new file mode 100644 > index 000000000..7acf48109 > --- /dev/null > +++ b/config/ssh/sshd_config > @@ -0,0 +1,68 @@ > +# ultra-secure OpenSSH server configuration > + > +# only allow version 2 of SSH protocol > +Protocol 2 > + > +# listen on these interfaces and protocols > +AddressFamily any > +ListenAddress 0.0.0.0 > +ListenAddress :: > + > +# limit authentication thresholds > +LoginGraceTime 20s > +MaxAuthTries 3 Three is definitely too little. I have three versions of my key (RSA, ECDSA and Ed25519). After my client tried all of these, a password prompt won't be shown any more. > +MaxSessions 5 Per user? Why? > +# limit maximum instanctes > +MaxStartups 5 > + > +# ensure proper logging > +SyslogFacility AUTH > +LogLevel INFO > + > +# always turn on strict mode > +StrictModes yes The comment explains the option, but it should explain what it does. We have discussed that before in another thread to a patch that only enabled this. > +# only allow safe crypto algorithms (may break some _very_ outdated clients) *How* outdated? From the 90s or last year? > +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html > +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange- > sha256 > +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr > +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com, > umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com > + > +# enable data compression after successful login > +Compression yes Is there any research on whether this still is safe? See: https://bugzilla.ipfire.org/show_bug.cgi?id=11819 > + > +# only allow cryptographically safe SSH host keys (adjust paths if needed) > +HostKey /etc/ssh/ssh_host_ed25519_key > +HostKey /etc/ssh/ssh_host_ecdsa_key > +HostKey /etc/ssh/ssh_host_rsa_key > + > +# only allow login via public key > +PubkeyAuthentication yes > +PasswordAuthentication no > +ChallengeResponseAuthentication no > +PermitEmptyPasswords no > +AuthenticationMethods publickey > + > +# ignore user ~/.rhost* files > +IgnoreRhosts yes > + > +# ignore user known hosts file > +IgnoreUserKnownHosts yes > + > +# ignore user environments > +PermitUserEnvironment no > + > +# do not allow any kind of forwarding (provides only low security) > +# some of them might need to be re-enabled if SSH server is a jump platform > +X11Forwarding no > +AllowTcpForwarding no > +AllowAgentForwarding no > +PermitTunnel no > +GatewayPorts no > +PermitOpen none In the default configuration for the WebUI, TCP forwarding is enabled by default. So this is changed when SSH is being started for the first time. > +# close broken session (clients went offline, ...) automagically > +TCPKeepAlive yes > + > +# EOF -Michael
Hello Michael, > Hey, > > On Sun, 2018-08-19 at 20:41 +0200, Peter Müller wrote: >> In order to harden OpenSSH server in IPFire, using the upstream default >> configuration >> and edit it via sed commands in LFS file is error-prone and does not scale. >> >> Thereof we ship a custom and more secure OpenSSH server configuration which >> is copied into the image during build time. >> >> Fixes #11750 >> Fixes #11751 >> Partially fixes #11538 >> >> Signed-off-by: Peter Müller <peter.mueller@link38.eu> >> --- >> config/ssh/sshd_config | 68 >> ++++++++++++++++++++++++++++++++++++++++++++++++++ >> 1 file changed, 68 insertions(+) >> create mode 100644 config/ssh/sshd_config >> >> diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config >> new file mode 100644 >> index 000000000..7acf48109 >> --- /dev/null >> +++ b/config/ssh/sshd_config >> @@ -0,0 +1,68 @@ >> +# ultra-secure OpenSSH server configuration >> + >> +# only allow version 2 of SSH protocol >> +Protocol 2 >> + >> +# listen on these interfaces and protocols >> +AddressFamily any >> +ListenAddress 0.0.0.0 >> +ListenAddress :: >> + >> +# limit authentication thresholds >> +LoginGraceTime 20s >> +MaxAuthTries 3 > > Three is definitely too little. I have three versions of my key (RSA, ECDSA and > Ed25519). After my client tried all of these, a password prompt won't be shown > any more. Is 30 seconds enough (default setting in IPFire 2.x)? > >> +MaxSessions 5 > > Per user? Why? Because most users do not connect to a machine multiple times - at least not more than five times. Many active logins for one account are a clear indicator of compromise, especially if the account is only secured by a password. OpenSSH default is 10, but this seems too high for me. > >> +# limit maximum instanctes >> +MaxStartups 5 >> + >> +# ensure proper logging >> +SyslogFacility AUTH >> +LogLevel INFO >> + >> +# always turn on strict mode >> +StrictModes yes > > The comment explains the option, but it should explain what it does. We have > discussed that before in another thread to a patch that only enabled this. All right, comment will be adjusted in second version of this patch. This slipped my mind. > >> +# only allow safe crypto algorithms (may break some _very_ outdated clients) > > *How* outdated? From the 90s or last year? I successfully tested this with OpenSSH 6.6 (released 15-03-2014) and most recent PuTTY 0.70 (released 08-07-2017). This leads me to the assumption more or less up to date clients (<= 1 year for PuTTY and <= 4 years for OpenSSH) can be used. In case a system is older than that, I doubt it can be considered secure anymore. > >> +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html >> +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange- >> sha256 >> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr >> +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com, >> umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com >> + >> +# enable data compression after successful login >> +Compression yes > > Is there any research on whether this still is safe? > > See: https://bugzilla.ipfire.org/show_bug.cgi?id=11819 Not really. https://www.openssh.com/txt/release-4.2 states "delayed" more for compression is more secure as it avoids possible zlib vulnerabilities to unauthenticated users (Simple, but I was unaware of it.): > Added a new compression method that delays the start of zlib > compression until the user has been authenticated successfully. > The new method ("Compression delayed") is on by default in the > server. This eliminates the risk of any zlib vulnerability > leading to a compromise of the server from unauthenticated users. Compression does not seem to have security impact to a SSH connection itself. Because of the security risk described above, I'd prefer "delayed" as a setting to this in a second version of the patch. > >> [...]>> +# EOF By the way: https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=16c31d10040db4f175642376b284a0f98609e19e sets 22 as default listen port for OpenSSH, so I did not include 222 anymore. Agreed? Best regards, Peter Müller > > -Michael > -- Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Mon, 2018-08-20 at 17:06 +0200, Peter Müller wrote: > Hello Michael, > > > Hey, > > > > On Sun, 2018-08-19 at 20:41 +0200, Peter Müller wrote: > > > In order to harden OpenSSH server in IPFire, using the upstream default > > > configuration > > > and edit it via sed commands in LFS file is error-prone and does not scale. > > > > > > Thereof we ship a custom and more secure OpenSSH server configuration which > > > is copied into the image during build time. > > > > > > Fixes #11750 > > > Fixes #11751 > > > Partially fixes #11538 > > > > > > Signed-off-by: Peter Müller <peter.mueller@link38.eu> > > > --- > > > config/ssh/sshd_config | 68 > > > ++++++++++++++++++++++++++++++++++++++++++++++++++ > > > 1 file changed, 68 insertions(+) > > > create mode 100644 config/ssh/sshd_config > > > > > > diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config > > > new file mode 100644 > > > index 000000000..7acf48109 > > > --- /dev/null > > > +++ b/config/ssh/sshd_config > > > @@ -0,0 +1,68 @@ > > > +# ultra-secure OpenSSH server configuration > > > + > > > +# only allow version 2 of SSH protocol > > > +Protocol 2 > > > + > > > +# listen on these interfaces and protocols > > > +AddressFamily any > > > +ListenAddress 0.0.0.0 > > > +ListenAddress :: > > > + > > > +# limit authentication thresholds > > > +LoginGraceTime 20s > > > +MaxAuthTries 3 > > > > Three is definitely too little. I have three versions of my key (RSA, ECDSA and > > Ed25519). After my client tried all of these, a password prompt won't be shown > > any more. > > Is 30 seconds enough (default setting in IPFire 2.x)? Yes I think so. I don't even see that there is a huge desire in a very low limit. This only allows to brute-force a little bit faster. However, the keys should be virtually un-brute-force-able and therefore dividing the time you need to search by 10 isn't making any difference in practise. > > > > > +MaxSessions 5 > > > > Per user? Why? > > Because most users do not connect to a machine multiple times - at least not more > than five times. Many active logins for one account are a clear indicator of compromise, > especially if the account is only secured by a password. Well, true. But I often use an IPFire system as a jump host and for that open multiple connections. > OpenSSH default is 10, but this seems too high for me. This sounds good to me. > > > > > +# limit maximum instanctes > > > +MaxStartups 5 > > > + > > > +# ensure proper logging > > > +SyslogFacility AUTH > > > +LogLevel INFO > > > + > > > +# always turn on strict mode > > > +StrictModes yes > > > > The comment explains the option, but it should explain what it does. We have > > discussed that before in another thread to a patch that only enabled this. > > All right, comment will be adjusted in second version of this patch. This slipped my mind. > > > > > +# only allow safe crypto algorithms (may break some _very_ outdated clients) > > > > *How* outdated? From the 90s or last year? > > I successfully tested this with OpenSSH 6.6 (released 15-03-2014) and most > recent PuTTY 0.70 (released 08-07-2017). This leads me to the assumption more > or less up to date clients (<= 1 year for PuTTY and <= 4 years for OpenSSH) > can be used. Your first comment stated *very* outdated. One year isn't outdated. PuTTY doesn't have an update mechanism and therefore will probably be installed once and never updated on the average admin's machine. > In case a system is older than that, I doubt it can be considered secure anymore. Because of? Using RSA? > > > > > +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html > > > +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange- > > > sha256 > > > +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr > > > +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com, > > > umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com > > > + > > > +# enable data compression after successful login > > > +Compression yes > > > > Is there any research on whether this still is safe? > > > > See: https://bugzilla.ipfire.org/show_bug.cgi?id=11819 > > Not really. https://www.openssh.com/txt/release-4.2 states "delayed" more > for compression is more secure as it avoids possible zlib vulnerabilities > to unauthenticated users (Simple, but I was unaware of it.): That is a different attack then. The OpenVPN issue is about a known-plaintext attack which could also be done (in theory - I think) on SSH unless they add any random padding which would increase overhead and reduce the bandwidth savings of the compression. > > Added a new compression method that delays the start of zlib > > compression until the user has been authenticated successfully. > > The new method ("Compression delayed") is on by default in the > > server. This eliminates the risk of any zlib vulnerability > > leading to a compromise of the server from unauthenticated users. > > Compression does not seem to have security impact to a SSH connection itself. > > Because of the security risk described above, I'd prefer "delayed" as a > setting to this in a second version of the patch. That doesn't have anything to do with the stated attack, so I guess it doesn't make much of a difference to me. > > > > > [...]>> +# EOF > > By the way: https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=16c31d10040db4f175642376b284a0f98609e19e > sets 22 as default listen port for OpenSSH, so I did not include 222 anymore. Agreed? 22 is now default, but of course the switch on the webUI should still work. - -Michael > > Best regards, > Peter Müller > > > > -Michael > > -- > > Microsoft DNS service terminates abnormally when it recieves a response > to a DNS query that was never made. Fix Information: Run your DNS > service on a different platform. > -- bugtraq > -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAlt+u/oACgkQgHnw/2+Q CQcDGBAAgBF/b0WDpQ1Lds+KDTKlvEKo2+WInK1+0ZGKeB88+CFL40RAkwLjG1VT 0k7DJ4+cnHn+114qhnrqxJ9LXzxchIE+BIJFcfD+dDhWueNjPZUWSCXznPPxJatO iXZm8ILlKwUkSKgL5apUvBxMe4Sk68zdwV0vSMCUh3PziRgAHA/d7txp0391oZU1 BhWD4mKYGo9ZVYywIk0oXyttLB0CNK+YT0WYP3rwy7/K5yj+iC9d8lqHLj00YwYB iNfswwPG+E/MbKxsJdqMfu4Glco8KL+MAs/7Nke4Ms1vWGktmAzHR1dIk9Z6A+59 MtkcvojVfoOJ6pI5AVDKIQ66tn08X1dEo8vnHuG6OlZcrtyC6wWAXGn6BqiX/IJS rCYoBteiCV8EJI0SZgk2hUSyLAfPpkt4KBko42FIgO4oHsASofe51ALYceKOSHp1 6TJBQ1JdWpPc1cl0lQxhRGcGXQ9n7gfE6mXY2NdNEFh9V5M8kTO/CafGgcwwHdF/ RF7cjYGw3BAei5B9e11qiIzqIe5SV7EB0xMjDfzQeloIOl+6SQQdzv0U3Kl/PNg5 WXraj6HuRM5KYLmSW5BXtV3ujBqnaVRH8YZ9/Hij7MFKN7eK6Kt8yzFqtLUiPywP 9lClzdt6No5g/YBB97eKMYBgFuHnTM9d/uTmtR/RBk6ItmRCgXc= =+HiS -----END PGP SIGNATURE-----
Hello Michael, > [snip] >>>> + >>>> +# limit authentication thresholds >>>> +LoginGraceTime 20s >>>> +MaxAuthTries 3 >>> >>> Three is definitely too little. I have three versions of my key (RSA, ECDSA and >>> Ed25519). After my client tried all of these, a password prompt won't be shown >>> any more. > >> Is 30 seconds enough (default setting in IPFire 2.x)? > > Yes I think so. I don't even see that there is a huge desire in a very > low limit. This only allows to brute-force a little bit faster. > However, the keys should be virtually un-brute-force-able and therefore > dividing the time you need to search by 10 isn't making any difference > in practise. Provided people are using SSH keys, yes. We have had that discussion. > >>> >>>> +MaxSessions 5 >>> >>> Per user? Why? > >> Because most users do not connect to a machine multiple times - at least not more >> than five times. Many active logins for one account are a clear indicator of compromise, >> especially if the account is only secured by a password. > > Well, true. But I often use an IPFire system as a jump host and for > that open multiple connections. Hm, have you tried something like this for jumping (snip from ~/.ssh/config): Host *.ipfire.org ProxyCommand ssh -q [proxy IP] nc %h %p It avoids open SSH sessions on systems, which need some scheduled downtime entries in my network (paranoia...), so I am very happy with this. :-) > >> OpenSSH default is 10, but this seems too high for me. > > This sounds good to me. All right, I will use this value. > >>> >>>> +# limit maximum instanctes >>>> +MaxStartups 5 >>>> + >>>> +# ensure proper logging >>>> +SyslogFacility AUTH >>>> +LogLevel INFO >>>> + >>>> +# always turn on strict mode >>>> +StrictModes yes >>> >>> The comment explains the option, but it should explain what it does. We have >>> discussed that before in another thread to a patch that only enabled this. > >> All right, comment will be adjusted in second version of this patch. This slipped my mind. >>> >>>> +# only allow safe crypto algorithms (may break some _very_ outdated clients) >>> >>> *How* outdated? From the 90s or last year? > >> I successfully tested this with OpenSSH 6.6 (released 15-03-2014) and most >> recent PuTTY 0.70 (released 08-07-2017). This leads me to the assumption more >> or less up to date clients (<= 1 year for PuTTY and <= 4 years for OpenSSH) >> can be used. > > Your first comment stated *very* outdated. One year isn't outdated. Talking about software updates, one year is _very_ outdated. Especially if you are running Windows. Assumption here is if a client cannot use a service because it is too old to support the cryptography required, it did not receive other important updates, too. > > PuTTY doesn't have an update mechanism and therefore will probably be > installed once and never updated on the average admin's machine. You are right and I gnashingly agree in case of normal distributions. Talking about a firewall system, I do not. Similar to TLS 1.2, which we enforced a few Core Updates ago, we should enforce strong cryptography for SSH. If an admin's machine does not support that because it is outdated, I couldn't care less. > >> In case a system is older than that, I doubt it can be considered secure anymore. > > Because of? Using RSA? Lack of updates (see above). RSA is a smaller (performance) problem in my eyes. > >>> >>>> +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html >>>> +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange- >>>> sha256 >>>> +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr >>>> +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com, >>>> umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com >>>> + >>>> +# enable data compression after successful login >>>> +Compression yes >>> >>> Is there any research on whether this still is safe? >>> >>> See: https://bugzilla.ipfire.org/show_bug.cgi?id=11819 > >> Not really. https://www.openssh.com/txt/release-4.2 states "delayed" more >> for compression is more secure as it avoids possible zlib vulnerabilities >> to unauthenticated users (Simple, but I was unaware of it.): > > That is a different attack then. ACK. Sorry for mixing things up here. > > The OpenVPN issue is about a known-plaintext attack which could also be > done (in theory - I think) on SSH unless they add any random padding > which would increase overhead and reduce the bandwidth savings of the > compression. > >>> Added a new compression method that delays the start of zlib >>> compression until the user has been authenticated successfully. >>> The new method ("Compression delayed") is on by default in the >>> server. This eliminates the risk of any zlib vulnerability >>> leading to a compromise of the server from unauthenticated users. > >> Compression does not seem to have security impact to a SSH connection itself. > >> Because of the security risk described above, I'd prefer "delayed" as a >> setting to this in a second version of the patch. > > That doesn't have anything to do with the stated attack, so I guess it > doesn't make much of a difference to me. > >>> >>>> [...]>> +# EOF > >> By the way: https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=16c31d10040db4f175642376b284a0f98609e19e >> sets 22 as default listen port for OpenSSH, so I did not include 222 anymore. Agreed? > > 22 is now default, but of course the switch on the webUI should still > work. Okay, thanks. Will send in a second version of this patch. Best regards, Peter Müller > [snip]-- Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thu, 2018-08-23 at 21:37 +0200, Peter Müller wrote: > Hello Michael, > > > [snip] > > > > > + > > > > > +# limit authentication thresholds > > > > > +LoginGraceTime 20s > > > > > +MaxAuthTries 3 > > > > > > > > Three is definitely too little. I have three versions of my key (RSA, ECDSA and > > > > Ed25519). After my client tried all of these, a password prompt won't be shown > > > > any more. > > > Is 30 seconds enough (default setting in IPFire 2.x)? > > > > Yes I think so. I don't even see that there is a huge desire in a very > > low limit. This only allows to brute-force a little bit faster. > > However, the keys should be virtually un-brute-force-able and therefore > > dividing the time you need to search by 10 isn't making any difference > > in practise. > > Provided people are using SSH keys, yes. We have had that discussion. Or very long passwords. > > > > > > > > > > > +MaxSessions 5 > > > > > > > > Per user? Why? > > > Because most users do not connect to a machine multiple times - at least not more > > > than five times. Many active logins for one account are a clear indicator of compromise, > > > especially if the account is only secured by a password. > > > > Well, true. But I often use an IPFire system as a jump host and for > > that open multiple connections. > > Hm, have you tried something like this for jumping (snip from ~/.ssh/config): > > Host *.ipfire.org > ProxyCommand ssh -q [proxy IP] nc %h %p > > It avoids open SSH sessions on systems, which need some scheduled downtime > entries in my network (paranoia...), so I am very happy with this. :-) No. > > > OpenSSH default is 10, but this seems too high for me. > > > > This sounds good to me. > > All right, I will use this value. > > > > > > > > > > > +# limit maximum instanctes > > > > > +MaxStartups 5 > > > > > + > > > > > +# ensure proper logging > > > > > +SyslogFacility AUTH > > > > > +LogLevel INFO > > > > > + > > > > > +# always turn on strict mode > > > > > +StrictModes yes > > > > > > > > The comment explains the option, but it should explain what it does. We have > > > > discussed that before in another thread to a patch that only enabled this. > > > All right, comment will be adjusted in second version of this patch. This slipped my mind. > > > > > > > > > +# only allow safe crypto algorithms (may break some _very_ outdated clients) > > > > > > > > *How* outdated? From the 90s or last year? > > > I successfully tested this with OpenSSH 6.6 (released 15-03-2014) and most > > > recent PuTTY 0.70 (released 08-07-2017). This leads me to the assumption more > > > or less up to date clients (<= 1 year for PuTTY and <= 4 years for OpenSSH) > > > can be used. > > > > Your first comment stated *very* outdated. One year isn't outdated. > > Talking about software updates, one year is _very_ outdated. Especially > if you are running Windows. Assumption here is if a client cannot use a > service because it is too old to support the cryptography required, it did > not receive other important updates, too. > > > > PuTTY doesn't have an update mechanism and therefore will probably be > > installed once and never updated on the average admin's machine. > > You are right and I gnashingly agree in case of normal distributions. Talking > about a firewall system, I do not. Similar to TLS 1.2, which we enforced a few > Core Updates ago, we should enforce strong cryptography for SSH. > > If an admin's machine does not support that because it is outdated, I couldn't care less. I do care here. In this order: Security, Interoperability, Usability. > > > In case a system is older than that, I doubt it can be considered secure anymore. > > > > Because of? Using RSA? > > Lack of updates (see above). RSA is a smaller (performance) problem in my eyes. So if there is a reason why RSA should not be used here anymore I would agree to drop it. Now, we are just diminishing interoperability without any gain in security. There is no point in that. Performance? How many logins do you perform a second? Thousands? This matters for HTTPS maybe with hundreds or thousands of handshakes per second but not for SSH. If you disable RSA in your client, you will still use the new fancy crypto stuff and save a couple of nanoseconds :) > > > > > > > > > > > +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html > > > > > +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange- > > > > > sha256 > > > > > +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr > > > > > +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com, > > > > > umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com > > > > > + > > > > > +# enable data compression after successful login > > > > > +Compression yes > > > > > > > > Is there any research on whether this still is safe? > > > > > > > > See: https://bugzilla.ipfire.org/show_bug.cgi?id=11819 > > > Not really. https://www.openssh.com/txt/release-4.2 states "delayed" more > > > for compression is more secure as it avoids possible zlib vulnerabilities > > > to unauthenticated users (Simple, but I was unaware of it.): > > > > That is a different attack then. > > ACK. Sorry for mixing things up here. > > > > The OpenVPN issue is about a known-plaintext attack which could also be > > done (in theory - I think) on SSH unless they add any random padding > > which would increase overhead and reduce the bandwidth savings of the > > compression. > > > > > > Added a new compression method that delays the start of zlib > > > > compression until the user has been authenticated successfully. > > > > The new method ("Compression delayed") is on by default in the > > > > server. This eliminates the risk of any zlib vulnerability > > > > leading to a compromise of the server from unauthenticated users. > > > Compression does not seem to have security impact to a SSH connection itself. > > > Because of the security risk described above, I'd prefer "delayed" as a > > > setting to this in a second version of the patch. > > > > That doesn't have anything to do with the stated attack, so I guess it > > doesn't make much of a difference to me. > > > > > > > > > > > [...]>> +# EOF > > > By the way: https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=16c31d10040db4f175642376b284a0f98609e19e > > > sets 22 as default listen port for OpenSSH, so I did not include 222 anymore. Agreed? > > > > 22 is now default, but of course the switch on the webUI should still > > work. > > Okay, thanks. Will send in a second version of this patch. > > Best regards, > Peter Müller > > [snip]-- > > Microsoft DNS service terminates abnormally when it recieves a response > to a DNS query that was never made. Fix Information: Run your DNS > service on a different platform. > -- bugtraq > -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAlt/7/YACgkQgHnw/2+Q CQdPNg/+IAdUX/6GUSrnWvu0JpQDCSs/VSlEm9alxiCiyEnbdRkQ5FsL5COfUAIC 30yME6yXKX07N7GK8pSNeu3jp9tAihfCF9W/trm20blgrfuoKPd6lamBywEWCZ4x RRNYtiDXMM9eT7dSFHKolSJNgzMMKme6wG7NXzgLJH/Cy9PJAxrJaplyu2cmpkTT aYHHW8SVNiUmnuOY/XD/2wCsvgk80X6AIczjt3i8q1ZS14NHqoKp8v4fBjwzELcZ tGjnKBHFedhy9/7sLggx11ieusAehGxlk+R7l9fAKxHL8IcGKtTpvtcB+cYBUzze RlAeo90xAaFk9mIv0W3i2MrBVWit1LMURiuUgkaQi3jJKr+TVlB7hqHiUjP+xVet X5wPnAmIE0rKqKI9umc9rA7/1lykclYZ8qVpcLBMu4Zzy0XYz0/YCyGUahNqKywJ YpyBzTOP6Ef2FoOqnpXQsDDJqNPqmSrtGgagA4ZyDylKPLi15rVHLGQMCI1AY+YR lvqLgLkpcf9K3QCi7D2d54ttVc7PN68Gd05KlcdI+u8/a2T7rtr99yM2rFkHnsDE i8S2TU72APO/qj9do4buW2c4IxqksOXuO8nlMkJaMK2C2RdavhYb41iXwBcnCFX0 R5yUMZsjhl64e4uZNEm6fxUygVcPdCgEUNVuycQvcQEGHgSxjzk= =p1Lz -----END PGP SIGNATURE-----
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config new file mode 100644 index 000000000..7acf48109 --- /dev/null +++ b/config/ssh/sshd_config @@ -0,0 +1,68 @@ +# ultra-secure OpenSSH server configuration + +# only allow version 2 of SSH protocol +Protocol 2 + +# listen on these interfaces and protocols +AddressFamily any +ListenAddress 0.0.0.0 +ListenAddress :: + +# limit authentication thresholds +LoginGraceTime 20s +MaxAuthTries 3 +MaxSessions 5 + +# limit maximum instanctes +MaxStartups 5 + +# ensure proper logging +SyslogFacility AUTH +LogLevel INFO + +# always turn on strict mode +StrictModes yes + +# only allow safe crypto algorithms (may break some _very_ outdated clients) +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html +KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + +# enable data compression after successful login +Compression yes + +# only allow cryptographically safe SSH host keys (adjust paths if needed) +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_rsa_key + +# only allow login via public key +PubkeyAuthentication yes +PasswordAuthentication no +ChallengeResponseAuthentication no +PermitEmptyPasswords no +AuthenticationMethods publickey + +# ignore user ~/.rhost* files +IgnoreRhosts yes + +# ignore user known hosts file +IgnoreUserKnownHosts yes + +# ignore user environments +PermitUserEnvironment no + +# do not allow any kind of forwarding (provides only low security) +# some of them might need to be re-enabled if SSH server is a jump platform +X11Forwarding no +AllowTcpForwarding no +AllowAgentForwarding no +PermitTunnel no +GatewayPorts no +PermitOpen none + +# close broken session (clients went offline, ...) automagically +TCPKeepAlive yes + +# EOF