mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-23 01:21:07 +01:00
Add references, try simplifying
parent
7780fe0314
commit
5d061fc2ca
@ -4,10 +4,17 @@ SSH into an appliance running FortiOS, or use a local serial connection in order
|
|||||||
|
|
||||||
## FortiOS >= 7.4.1
|
## FortiOS >= 7.4.1
|
||||||
|
|
||||||
Starting with FortiOS 7.4.1 SSH host key algorithms become configurable and more key exchange algorithms (KEX) are available.
|
Starting with FortiOS 7.4.1 SSH host key algorithms become configurable and more key exchange algorithms (KEX) are configurable.
|
||||||
|
|
||||||
```
|
```
|
||||||
config system global
|
config system global
|
||||||
|
|
||||||
|
# These commands shoulnd't change default settings
|
||||||
|
set admin-ssh-v1 disable
|
||||||
|
set strong-crypto enable
|
||||||
|
|
||||||
|
# These commands represent the default settings
|
||||||
|
set dh-params 8192
|
||||||
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
|
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
|
||||||
set ssh-hostkey-algo ssh-ed25519
|
set ssh-hostkey-algo ssh-ed25519
|
||||||
set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
|
set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
|
||||||
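Review bot: the comment added above `set admin-ssh-v1 disable` misspells "shouldn't" as `shoulnd't`, and the same typo is copied into the 7.0.2 and 6.4.5 blocks further down, so fix all three. In this block `set dh-params 8192` is filed under `# These commands represent the default settings`, while the identical line in the 7.0.2 and 6.4.5 blocks sits under `# These commands change default settings`; one of the two labels is wrong, and the `get system global | grep "ssh\|strong-crypto"` check this commit removes would not have shown `dh-params` anyway, so please confirm the 7.4.1 default against the linked CLI reference and make the comments agree. Minor: the rewritten sentence now says "host key algorithms become configurable and more key exchange algorithms (KEX) are configurable", repeating "configurable"; the original "are available" read better.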
@ -15,62 +22,50 @@ set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
|
|||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
**Checking the defaults**
|
**References:**
|
||||||
|
|
||||||
Unless you have modified the defaults, you don't need to these, but you may still want to check them:
|
* [Fortinet document library: FortiGate / FortiOS 7.4.1 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.4.1/cli-reference/1620)
|
||||||
* ``admin-ssh-v1``: Should default to **disabled** since 6.4.5
|
* [Fortinet document library: FortiGate / FortiOS 7.4.0 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/1620)
|
||||||
* ``strong-crypto``: Should default to **enabled** since 6.4.5
|
|
||||||
|
|
||||||
```
|
|
||||||
get system global | grep "ssh\|strong-crypto"
|
|
||||||
admin-ssh-grace-time: 120
|
|
||||||
admin-ssh-password : enable
|
|
||||||
admin-ssh-port : 22
|
|
||||||
admin-ssh-v1 : disable
|
|
||||||
ssh-enc-algo : chacha20-poly1305@openssh.com aes256-gcm@openssh.com
|
|
||||||
ssh-hostkey-algo : ssh-ed25519
|
|
||||||
ssh-kex-algo : diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
|
|
||||||
ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
|
|
||||||
strong-crypto : enable
|
|
||||||
```
|
|
||||||
|
|
||||||
## FortiOS >= 7.0.2 / 7.2.x / 7.4.0
|
## FortiOS >= 7.0.2 / 7.2.x / 7.4.0
|
||||||
|
|
||||||
Starting FortiOS 7.0.2 several options have been renamed compared to previous releases.
|
Starting with FortiOS 7.0.2 ciphers become individually configurable, several options have been renamed compared to previous releases.
|
||||||
|
|
||||||
```
|
```
|
||||||
config system global
|
config system global
|
||||||
|
|
||||||
|
# These commands shoulnd't change default settings
|
||||||
|
set admin-ssh-v1 disable
|
||||||
|
set strong-crypto enable
|
||||||
|
|
||||||
|
# These commands change default settings
|
||||||
|
set dh-params 8192
|
||||||
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
|
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
|
||||||
set ssh-kex-algo curve25519-sha256@libssh.org
|
set ssh-kex-algo curve25519-sha256@libssh.org
|
||||||
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
|
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
|
||||||
|
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
**Checking the defaults**
|
**References**
|
||||||
|
|
||||||
Unless you have modified the defaults, you don't need to these, but you may still want to check them:
|
* [Fortinet document library: FortiGate / FortiOS 7.0.0 > New Features > Enabling individual ciphers in the SSH administrative access protocol](https://docs.fortinet.com/document/fortigate/7.0.0/new-features/765236/enabling-individual-ciphers-in-the-ssh-administrative-access-protocol-7-0-2)
|
||||||
* ``admin-ssh-v1``: Should default to **disabled** since 6.4.5
|
* [Fortinet document library: FortiGate / FortiOS 7.0.2 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.0.2/cli-reference/1620)
|
||||||
* ``strong-crypto``: Should default to **enabled** since 6.4.5
|
* [Fortinet document library: FortiGate / FortiOS 7.0.1 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/1620)
|
||||||
|
|
||||||
```
|
## FortiOS >= 5.6.0 <= 7.0.1
|
||||||
get system global | grep "ssh\|strong-crypto"
|
|
||||||
|
|
||||||
admin-ssh-grace-time: 120
|
Starting with _at least_ FortiOS 5.6.0 ``strong-crypto`` defaults to **enable** and SSHv1 defaults to disabled.
|
||||||
admin-ssh-password : enable
|
|
||||||
admin-ssh-port : 22
|
|
||||||
admin-ssh-v1 : disable
|
|
||||||
ssh-enc-algo : chacha20-poly1305@openssh.com aes256-gcm@openssh.com
|
|
||||||
ssh-kex-algo : curve25519-sha256@libssh.org
|
|
||||||
ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
|
|
||||||
strong-crypto : enable
|
|
||||||
```
|
|
||||||
|
|
||||||
## FortiOS >= 6.4.5 < 7.0.2
|
|
||||||
|
|
||||||
After FortiOS 6.4.5 ``strong-crypto`` defaults to **enable**.
|
|
||||||
|
|
||||||
```
|
```
|
||||||
config system global
|
config system global
|
||||||
|
|
||||||
|
# These commands shoulnd't change default settings
|
||||||
|
set admin-ssh-v1 disable
|
||||||
|
set strong-crypto enable
|
||||||
|
|
||||||
|
# These commands change default settings
|
||||||
|
set dh-params 8192
|
||||||
set ssh-cbc-cipher disable
|
set ssh-cbc-cipher disable
|
||||||
set ssh-hmac-md5 disable
|
set ssh-hmac-md5 disable
|
||||||
set ssh-kex-sha1 disable
|
set ssh-kex-sha1 disable
|
||||||
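Review bot: replacing the **Checking the defaults** paragraphs with reference links drops the only verification step in the guide, the `get system global | grep "ssh\|strong-crypto"` command and its expected output, so a reader can no longer confirm that `admin-ssh-v1 : disable` and `strong-crypto : enable` actually hold on their appliance; consider keeping that one-line check under each section even if the bullet explanations go. The new heading `## FortiOS >= 5.6.0 <= 7.0.1` and the sentence "Starting with _at least_ FortiOS 5.6.0 ``strong-crypto`` defaults to **enable**" contradict the text being removed, which said "Should default to **enabled** since 6.4.5" and "After FortiOS 6.4.5 ``strong-crypto`` defaults to **enable**"; if the 5.6.0 hardening guide cited below confirms the earlier version, say so, otherwise keep 6.4.5. Style: the heading is `**References:**` in the 7.4.1 section but `**References**` here, and "ciphers become individually configurable, several options have been renamed" is a comma splice (use "and" or a semicolon). The `shoulnd't` typo appears twice more in this hunk.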
@ -78,8 +73,16 @@ set ssh-mac-weak disable
|
|||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
|
**References**
|
||||||
|
|
||||||
|
* [Fortinet document library: FortiGate / FortiOS 6.4.0 > Hardening your FortiGate > Building security into FortiOS](http://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/building-security-into-fortios)
|
||||||
|
* [Fortinet document library: FortiGate / FortiOS 6.2.0 > Hardening your FortiGate > Building security into FortiOS](https://docs.fortinet.com/document/fortigate/6.0.0/hardening-your-fortigate/995103)
|
||||||
|
* [Fortinet document library: FortiGate / FortiOS 6.0.0 > Hardening your FortiGate > Building security into FortiOS](https://docs.fortinet.com/document/fortigate/6.0.0/hardening-your-fortigate/995103)
|
||||||
|
* [Fortinet document library: FortiGate / FortiOS 5.6.0 > Hardening your FortiGate](https://docs.fortinet.com/document/fortigate/5.6.0/hardening-your-fortigate/995103)
|
||||||
|
|
||||||
## Limitations
|
## Limitations
|
||||||
|
|
||||||
In most versions of FortiOS the available options don't permit reaching a perfect score, here are some of the reasons:
|
In most versions of FortiOS the configuration options available don't permit reaching a perfect score, here are some of the reasons:
|
||||||
|
|
||||||
* Host-key algorithms: Only pretty recent FortiOS 7.4.1 and later permit changing host keys algorithms, therefore ``rsa-sha2-256`` and ``rsa-sha2-512`` cannot be disabled in older releases.
|
* Ciphers: Only after FortiOS 7.0.2 certain ciphers can be individually enabled and disabled.
|
||||||
|
* Host-key algorithms: Only pretty recent FortiOS version 7.4.1 or later permit configuring host keys algorithms, therefore ``rsa-sha2-256`` and ``rsa-sha2-512`` cannot be disabled in older releases.
|
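Review bot: the reference labelled "FortiOS 6.2.0 > Hardening your FortiGate" links to `https://docs.fortinet.com/document/fortigate/6.0.0/hardening-your-fortigate/995103`, the same URL as the 6.0.0 entry directly below it, so the 6.2.0 path is a copy-paste error; the 6.4.0 entry also uses `http://` where every other link uses `https://`. In the Limitations list, "Only after FortiOS 7.0.2 certain ciphers can be individually enabled and disabled" reads as excluding 7.0.2 itself while the section heading says `>= 7.0.2`; "From FortiOS 7.0.2 onwards" is unambiguous. "host keys algorithms" should be "host key algorithms".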