Sshaudit hardening guideline + file manager

chris · January 14, 2022, 10:13am

Hello,
I would like to combine (some of) the hardening guide of sshaudit.com in combination with a working file manager. As soon as I apply the given rules my file manager get’s the ‘Unknown error’ as described here.
I’m on a fresh install of Ubuntu 20.04 LTS and the latest HestiaCP v1.5.4 (nginx only).
As @eris suggested I removed /etc/ssh/sshd.conf.d/ssh-audit_hardening.conf which works very well but if possible I would also like to further improve my ssh security.
Thanks in advance!

eris · January 14, 2022, 12:13pm

This are the default keys that are enabled
gssapikexalgorithms gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1-

ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1

kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Check what the differences are and slowly test

chris · January 14, 2022, 9:37pm

Hi @eris, thank you so much! I was able to successfully execute step 1, 2 and 3 of the guideline and then compared your input with the guidelines in step 4 (“Restrict supported key exchange, cipher, and MAC algorithms”). I had to take out all nCiphers, nMACs and nKexAlgorithms only leaving the nHostKeyAlgorithms untouched:

echo -e "\n# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com\n# hardening guide.\nHostKeyAlgorithms ssh-ed25519,[email protected],[email protected],[email protected],rsa-sha2-256,rsa-sha2-512,[email protected],[email protected]" > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf

After executing this adjusted command my file manager still works as expected but unfortunately it doesn’t result in an A grade at sshaudit.com. I’m not sure which ones, of the ones you mentioned would effect the file manager.

Thanks again for your help!

eris · January 14, 2022, 10:10pm

We use for the file manger a “3rd” party app and that app is based on Flysystem + SFTP Adapter… SFTP Adapter - Flysystem

chris · January 14, 2022, 10:50pm

Thanks, I see that makes sense. So i’ll probably have to leave it as it is then, correct? Was going for that “A”

jlguerrero · January 15, 2022, 1:41am

You could submit a PR so we can all benefit from extra security

chris · January 15, 2022, 11:35am

Hi @jlguerrero, thanks I will!

jlguerrero · January 15, 2022, 12:28pm

Thank you!

system · February 14, 2022, 12:29pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.