Add the hardening guide

Immánuel! 2020-06-01 10:00:53 +02:00
parent 3ddc4a835f
commit 2ef7650447

@ -1 +1,47 @@
SSH hardening guide: OPNsense 20.1.2 and newer
![OPNsense logo](https://upload.wikimedia.org/wikipedia/commons/thumb/2/2a/OpnSense_Logo.png/300px-OpnSense_Logo.png)
https://opnsense.org | https://github.com/opnsense
> OPNsense is an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
# SSH hardening guide for OPNsense 20.1.2 and newer
Some of the SSH hardening recommendations from https://www.ssh-audit.com/hardening_guides.html can be set directly on the OPNsense web interface in the `System -> Settings -> Administration -> Secure Shell` menu.
As of 2020-06-01, you can tune the following SSH settings:
- Enable/Disable the SSH server
- Limit the user group who can login over SSH
- Allow/Disallow root user login
- Allow/Disallow password login (set up user keys in `System -> Access -> Users -> Add/Edit user -> Authorized keys`
- Configure an alternative SSH port
- Limit the interfaces the SSH server listens on
- Select the allowed key exchange algorithms _(see how to enable the feature below)_
- Select the allowed ciphers _(see how to enable the feature below)_
- Select the allowed MACs _(see how to enable the feature below)_
- Select the allowed host key algorithms _(see how to enable the feature below)_
![OPNsense SSH settings](https://i.imgur.com/nz3AUKb.png)
OPNsense has included the basic SSH options on its web interface from the beginning, but you could not tune the SSH algorithms recommended by the `ssh-audit` tool easily. Various hacky solutions existed that involved modifying automatically generated core files or the original template files that might get lost over an upgrade.
Since OPNsense 20.1.2, you can tune the algorithms used by SSH directly in the web admin:
- Starting from OPNsense 20.1.2 but not including 20.7 and newer, you need to apply a couple of official OPNsense patches _(see below)_
- For OPNsense 20.7 and newer, these settings will be included in the core by default. The settings were implemented in https://github.com/opnsense/core/issues/3975 and are added to the 20.7 milestone to be released soon.
The provided SSH algorithm selectors are still not the final solution as the selected algorithms' applied order in the generated configuration is defined by their display order on the form (a limitation of the current UI kit). However, for an advanced user, these provide the possibility to select only the most hardened options as to their liking. OPNsense is probably not used as a jump-host by many users - if an administrator can connect with latest `openssh` release over the hardest supported algorithms, it should be fine.
## OPNsense 20.1.2+ (until 20.7)
Until the new SSH algorithm settings are released in OPNsense 20.7, users can enable them by running these commands on their OPNsense box/vm:
```bash
opnsense-patch 5df590c
opnsense-patch 1165119
service configd restart
```
As there are no ordering in the chosen algorithms, advanced users that tune these settings should pick their choices to be the most hard that their SSH clients support.
## OPNsense 20.7+
The new algorithm settings will be released with OPNsense 20.7 by default according to the above Github issue. If you have OPNsense 20.7 or newer, these settings should be available for you on the web interface out of the box.
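Review bot: the 20.1.2 patch section gives the reader no way to confirm the result and no lock-out precaution. After the `opnsense-patch 5df590c` / `opnsense-patch 1165119` / `service configd restart` block, suggest adding one sentence telling the reader to keep the current SSH session open while selecting the new algorithms in the web interface, then to run the `ssh-audit` tool the guide already references against the box from a second session before closing the first, so that a selection the administrator's client cannot negotiate does not cut off management access. Two smaller points in the same hunk: the password-login bullet "(set up user keys in `System -> Access -> Users -> Add/Edit user -> Authorized keys`" is missing its closing parenthesis, and "As there are no ordering in the chosen algorithms" should read "As there is no ordering among the chosen algorithms".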