I would like to combine (some of) the hardening guide of sshaudit.com with a working file manager. As soon as I apply the given rules my file manager gets the ‘Unknown error’ as described here.
I’m on a fresh install of Ubuntu 20.04 LTS and the latest HestiaCP v1.5.4 (nginx only).
As @eris suggested I removed /etc/ssh/sshd.conf.d/ssh-audit_hardening.conf which works very well but if possible I would also like to further improve my ssh security.
Thanks in advance!
These are the default keys that are enabled:
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Check what the differences are and test slowly.
Hi @eris, thank you so much! I was able to successfully execute steps 1, 2 and 3 of the guideline and then compared your input with the guidelines in step 4 (“Restrict supported key exchange, cipher, and MAC algorithms”). I had to take out all of Ciphers, MACs and KexAlgorithms, only leaving HostKeyAlgorithms untouched:
echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nHostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
After executing this adjusted command my file manager still works as expected, but unfortunately it doesn’t result in an A grade at sshaudit.com. I’m not sure which of the ones you mentioned would affect the file manager.
Thanks again for your help!
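To make @eris’s “check what the differences are” concrete, here is an added example (not code from this thread, HestiaCP, Flysystem or sshaudit.com) that simulates the SSH algorithm negotiation of RFC 4253 section 7.1: for KEX, ciphers and MACs the chosen algorithm is the first entry in the client’s list that the server also offers, and disjoint lists fail before authentication, which a library client may only surface as a generic error. The default KexAlgorithms list is the one quoted above; the restricted list is an assumption in the style of the sshaudit.com guide, and both client profiles are constructed, not measured from any real client.

```python
"""Simulate SSH algorithm negotiation between a client and sshd.

Added example for this thread (not code from HestiaCP, Flysystem or
sshaudit.com). Per RFC 4253 section 7.1, for KEX, ciphers and MACs the
negotiated algorithm is the first entry in the CLIENT's list that the SERVER
also offers; if the lists are disjoint the connection fails before
authentication, which a library client may report only as a generic error.
"""

from typing import Dict, List, Optional

# Default KexAlgorithms of OpenSSH 8.2 on Ubuntu 20.04, as quoted in the thread.
DEFAULT_KEX = (
    "curve25519-sha256,curve25519-sha256@libssh.org,"
    "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,"
    "diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"
)

# A restricted KexAlgorithms list in the style of the sshaudit.com guide.
# ASSUMPTION: the exact guide text is not in the thread; this one drops the
# NIST P-curve ECDH entries and group14.
HARDENED_KEX = (
    "curve25519-sha256,curve25519-sha256@libssh.org,"
    "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
    "diffie-hellman-group-exchange-sha256"
)

# CONSTRUCTED client profiles, not measured from any real client.
# "modern": an OpenSSH-like preference list.
# "legacy": a hypothetical library client that only does NIST ECDH and group14.
CLIENTS: Dict[str, str] = {
    "modern": "curve25519-sha256,curve25519-sha256@libssh.org,"
              "ecdh-sha2-nistp256,diffie-hellman-group14-sha256",
    "legacy": "ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group14-sha256",
}


def parse(algs: str) -> List[str]:
    """Split an sshd-style comma list, dropping blanks and whitespace."""
    return [a.strip() for a in algs.split(",") if a.strip()]


def negotiate(client: str, server: str) -> Optional[str]:
    """Return the algorithm both sides would agree on, or None if disjoint."""
    offered = set(parse(server))
    for alg in parse(client):  # client preference order decides
        if alg in offered:
            return alg
    return None


def unused_by_client(client: str, server: str) -> List[str]:
    """Server entries this client never asks for: safe to drop for this client."""
    wanted = set(parse(client))
    return [a for a in parse(server) if a not in wanted]


def minimal_relaxation(hardened: str, fallback: str, client: str) -> str:
    """Return `hardened` plus the single `fallback` entry `client` needs.

    If the client already negotiates against `hardened`, it is returned as is.
    Otherwise the client's most preferred algorithm that `fallback` (the
    server's default list) still offers is appended, so the server stays as
    restricted as possible while this client keeps working.
    """
    if negotiate(client, hardened) is not None:
        return hardened
    extra = negotiate(client, fallback)
    if extra is None:
        raise ValueError("client cannot talk to the server defaults either")
    return ",".join(parse(hardened) + [extra])


if __name__ == "__main__":
    for name, prefs in CLIENTS.items():
        print(f"{name:7} default : {negotiate(prefs, DEFAULT_KEX)}")
        print(f"{name:7} hardened: {negotiate(prefs, HARDENED_KEX)}")
    print("relaxed :", minimal_relaxation(HARDENED_KEX, DEFAULT_KEX, CLIENTS["legacy"]))
```

The same three functions apply unchanged to the Ciphers and MACs lists, which is where the file manager broke in this thread; the real client preference list has to come from the client itself (for OpenSSH, `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac`; for a library client, its documentation or a packet capture of its KEXINIT), and whatever `minimal_relaxation` appends is exactly the entry sshaudit.com will keep flagging.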
We use a “3rd” party app for the file manager, and that app is based on Flysystem + SFTP Adapter… SFTP Adapter - Flysystem
Thanks, I see, that makes sense. So I’ll probably have to leave it as it is then, correct? I was going for that “A”.
You could submit a PR so we can all benefit from extra security
Hi @jlguerrero, thanks I will!