Validate SSH hardening to address the vulnerabilities


Kaushal Shriyan

May 25, 2021, 8:38:14 AM
to openssh-...@mindrot.org
Hi,

I am running openssh-server-7.4p1-21.el7.x86_64 on CentOS Linux release
7.9.2009 (Core).

#cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
#rpm -qa | grep -i ssh
openssh-clients-7.4p1-21.el7.x86_64
libssh2-1.8.0-4.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
#

I have configured the below SSH configuration as part of hardening to
address vulnerabilities.

KexAlgorithms curve25519-sha256,curve255...@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20...@openssh.com,aes25...@openssh.com,aes12...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha...@openssh.com,hmac-sha...@openssh.com


Is there a way to validate if the above Key exchange, Cipher and MAC
algorithms address the vulnerabilities? Please guide. Thanks in advance.

Best Regards,

Kaushal
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Joseph S. Testa II

May 25, 2021, 2:56:12 PM
to Kaushal Shriyan, openssh-...@mindrot.org
On Tue, 2021-05-25 at 18:04 +0530, Kaushal Shriyan wrote:
> Is there a way to validate if the above Key exchange, Cipher and MAC
> algorithms address the vulnerabilities?

For a command-line tool, see ssh-audit:
https://github.com/jtesta/ssh-audit

For a web front-end that gives prettier results (and references):
https://www.ssh-audit.com/

- Joe


--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security
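As an added example (not part of this thread, and not code from OpenSSH or ssh-audit), here is a small offline checker for the three directives the question is about. It parses the `KexAlgorithms`, `Ciphers` and `MACs` lines the way sshd reads them (first occurrence of a keyword wins, comments skipped, `+`/`-`/`^` prefixes edit the built-in default set instead of replacing it) and classifies each algorithm against a weak/warn list. That list is this example's own assumption, drawn from common hardening guidance (SHA-1 or 1024-bit DH groups in KEX, CBC mode and RC4/3DES/Blowfish/CAST ciphers, MD5/SHA-1 or truncated MACs, non-`-etm` MACs as a warning); it is not an authoritative catalogue. Both sample configs are constructed; the hardened one is written in the style of the poster's using OpenSSH's standard algorithm names, and is not a claim about the exact names the poster elided.

```python
"""Offline check of KexAlgorithms/Ciphers/MACs in an sshd_config.
Example code added to the thread; the weak/warn lists are assumptions."""
import re

# Keywords are case-insensitive in sshd_config, so compare lower-cased.
DIRECTIVES = ("kexalgorithms", "ciphers", "macs")

# Assumed "fail" criteria: SHA-1 / 1024-bit DH in KEX, CBC or legacy
# ciphers, MD5/SHA-1 based or truncated MACs.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
WEAK_CIPHER_RE = re.compile(r"-cbc$|^arcfour|^3des|^blowfish|^cast128")
WEAK_MAC_RE = re.compile(r"md5|sha1|umac-64|-96")


def parse_sshd_config(text):
    """Return {directive: raw value}; sshd uses the FIRST occurrence of a
    keyword, so later duplicates are ignored. Comments/blanks are skipped."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        if len(parts) != 2 or not parts[1]:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in DIRECTIVES and key not in found:
            found[key] = value
    return found


def classify(directive, alg):
    """Map one algorithm name to ('ok'|'warn'|'fail', reason)."""
    if directive == "kexalgorithms":
        if alg in WEAK_KEX:
            return "fail", "SHA-1 hash or 1024-bit DH group"
        if alg.startswith("ecdh-sha2-nistp"):
            return "warn", "NIST P-curve; commonly flagged by hardening guides"
    elif directive == "ciphers":
        if WEAK_CIPHER_RE.search(alg):
            return "fail", "CBC mode or legacy cipher (RC4/3DES/Blowfish/CAST)"
    elif directive == "macs":
        if WEAK_MAC_RE.search(alg):
            return "fail", "MD5/SHA-1 based MAC or truncated tag"
        if not alg.endswith("-etm@openssh.com"):
            return "warn", "encrypt-and-MAC construction; prefer the -etm variant"
    return "ok", ""


def audit(text):
    """Return [(directive, algorithm, severity, reason)]; empty means clean."""
    cfg = parse_sshd_config(text)
    findings = []
    for directive in DIRECTIVES:
        if directive not in cfg:
            findings.append((directive, "<absent>", "warn",
                             "not set; built-in defaults apply, confirm with 'sshd -T'"))
            continue
        value = cfg[directive]
        if value[0] in "+-^":
            # These prefixes append/remove/prepend relative to the default set,
            # so the effective list is only visible in 'sshd -T' output.
            findings.append((directive, value, "warn",
                             "edits the default set; check the effective list with 'sshd -T'"))
            value = value[1:]
        for alg in value.split(","):
            alg = alg.strip().lower()
            if alg:
                severity, reason = classify(directive, alg)
                if severity != "ok":
                    findings.append((directive, alg, severity, reason))
    return findings


def passes(text):
    """True when the config has no 'fail' finding."""
    return not any(sev == "fail" for _, _, sev, _ in audit(text))


# Constructed sample: KexAlgorithms left at default, CBC cipher, SHA-1 MAC.
LEGACY_CONFIG = """
# KexAlgorithms deliberately not set
Ciphers aes256-cbc,aes256-ctr
MACs hmac-sha1,hmac-sha2-256
"""

# Constructed sample in the style of the thread, standard OpenSSH names.
HARDENED_CONFIG = """
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
"""

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {'PASS' if passes(text) else 'FAIL'}")
        for directive, alg, severity, reason in audit(text):
            print(f"  [{severity}] {directive}: {alg} - {reason}")
```

On a real host, feed it the effective configuration rather than the file, since defaults and `+`/`-` prefixes only resolve there: `sshd -T | grep -iE '^(kexalgorithms|ciphers|macs) '` prints the lists sshd will actually use, and `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac` show what the installed binary supports at all. ssh-audit, as Joe suggests, does the same classification against the live server banner and key exchange, which also catches a mismatch between the file and the running daemon.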