mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-12-23 01:21:07 +01:00
Updated Fortinet FortiOS (markdown)
parent
0ddc9ae07b
commit
7c8add4ac3
@ -5,7 +5,7 @@ SSH into an appliance running FortiOS, or use a local serial connection in order
|
|||||||
## FortiOS >= 7.4.1
|
## FortiOS >= 7.4.1
|
||||||
|
|
||||||
```
|
```
|
||||||
# config system global
|
config system global
|
||||||
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
|
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
|
||||||
set ssh-hostkey-algo ssh-ed25519
|
set ssh-hostkey-algo ssh-ed25519
|
||||||
set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
|
set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
|
||||||
@ -20,7 +20,7 @@ Unless you have modified the defaults, you don't need to these, but you may stil
|
|||||||
* ``strong-crypto``: Should default to **enabled** since 6.4.5
|
* ``strong-crypto``: Should default to **enabled** since 6.4.5
|
||||||
|
|
||||||
```
|
```
|
||||||
# get system global | grep "ssh\|strong-crypto"
|
get system global | grep "ssh\|strong-crypto"
|
||||||
admin-ssh-grace-time: 120
|
admin-ssh-grace-time: 120
|
||||||
admin-ssh-password : enable
|
admin-ssh-password : enable
|
||||||
admin-ssh-port : 22
|
admin-ssh-port : 22
|
||||||
@ -32,10 +32,12 @@ ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.co
|
|||||||
strong-crypto : enable
|
strong-crypto : enable
|
||||||
```
|
```
|
||||||
|
|
||||||
## FortiOS 7.0.x / 7.2.x / 7.4.0
|
## FortiOS >= 7.0.2 / 7.2.x / 7.4.0
|
||||||
|
|
||||||
|
Starting FortiOS 7.0.2 several options have been renamed compared to previous releases.
|
||||||
|
|
||||||
```
|
```
|
||||||
# config system global
|
config system global
|
||||||
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
|
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
|
||||||
set ssh-kex-algo curve25519-sha256@libssh.org
|
set ssh-kex-algo curve25519-sha256@libssh.org
|
||||||
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
|
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
|
||||||
@ -49,7 +51,8 @@ Unless you have modified the defaults, you don't need to these, but you may stil
|
|||||||
* ``strong-crypto``: Should default to **enabled** since 6.4.5
|
* ``strong-crypto``: Should default to **enabled** since 6.4.5
|
||||||
|
|
||||||
```
|
```
|
||||||
# get system global | grep "ssh\|strong-crypto"
|
get system global | grep "ssh\|strong-crypto"
|
||||||
|
|
||||||
admin-ssh-grace-time: 120
|
admin-ssh-grace-time: 120
|
||||||
admin-ssh-password : enable
|
admin-ssh-password : enable
|
||||||
admin-ssh-port : 22
|
admin-ssh-port : 22
|
||||||
@ -60,6 +63,19 @@ ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.co
|
|||||||
strong-crypto : enable
|
strong-crypto : enable
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## FortiOS >= 6.4.5 < 7.0.2
|
||||||
|
|
||||||
|
After FortiOS 6.4.5 ``strong-crypto`` defaults to **enable**.
|
||||||
|
|
||||||
|
```
|
||||||
|
# config system global
|
||||||
|
set ssh-cbc-cipher disable
|
||||||
|
set ssh-hmac-md5 disable
|
||||||
|
set ssh-kex-sha1 disable
|
||||||
|
set ssh-mac-weak disable
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
## Limitations
|
## Limitations
|
||||||
|
|
||||||
In most versions of FortiOS the available options don't permit reaching a perfect score, here are some of the reasons:
|
In most versions of FortiOS the available options don't permit reaching a perfect score, here are some of the reasons:
|
||||||
|