Control Web Panel

WebPanel => Problems on other RedHat linux servers => Topic started by: KenobiSky on January 22, 2025, 12:34:04 AM

Title: How to Adjust my SSH Server ? Almalinux 8
Post by: KenobiSky on January 22, 2025, 12:34:04 AM
Greetings everyone.
I have used the ssh-audit package to find any flaws in my SSH server settings.
https://github.com/jtesta/ssh-audit

I have got the following recommendations:

Quote
# algorithm recommendations (for OpenSSH 8.0)
(rec) -aes128-cbc                           -- enc algorithm to remove
(rec) -aes256-cbc                           -- enc algorithm to remove
(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove
(rec) -ssh-rsa                              -- key algorithm to remove
(rec) +aes192-ctr                           -- enc algorithm to append
(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove
(rec) -hmac-sha2-256                        -- mac algorithm to remove
(rec) -hmac-sha2-512                        -- mac algorithm to remove
(rec) -umac-128@openssh.com                 -- mac algorithm to remove

Can I use the following tutorial to fix it, or does CWP Pro or AlmaLinux 8 require another procedure?

https://www.ssh-audit.com/hardening_guides.html#debian_12
Title: Re: How to Adjust my SSH Server ? Almalinux 8
Post by: Starburst on January 22, 2025, 01:12:29 AM
There are instructions at the link for Rocky 9 and RHEL8.

So those will work on AlmaLinux 8 and 9.

But remember to always create a backup of the config file BEFORE making any changes.

Snapshots are even better.


firewall-cmd isn't used on CWP server, in fact it disables it for CSF/LFD.
Title: Re: How to Adjust my SSH Server ? Almalinux 8
Post by: KenobiSky on January 22, 2025, 01:27:41 AM
Thanks for the reply. I followed the tutorial but I'm still getting this:

Quote
# algorithm recommendations (for OpenSSH 8.0)
(rec) -ecdh-sha2-nistp256                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384                   -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521                   -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256                  -- key algorithm to remove
(rec) -ssh-rsa                              -- key algorithm to remove
(rec) -diffie-hellman-group14-sha1          -- kex algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com            -- mac algorithm to remove
(rec) -hmac-sha2-256                        -- mac algorithm to remove
(rec) -hmac-sha2-512                        -- mac algorithm to remove
(rec) -umac-128@openssh.com                 -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com              -- mac algorithm to remove
(rec) -umac-64@openssh.com                  -- mac algorithm to remove
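
Added example (not part of any post in this thread, and not ssh-audit's own code): a small Python helper that parses the `(rec)` lines ssh-audit prints and compares two runs, so that after a hardening change you can see which recommendations were resolved, which remain, and which are new. The function names and the shortened sample inputs are assumptions made for illustration; the sample lines are an excerpt of the output quoted above.

```python
import re

# One ssh-audit recommendation line, e.g.
# "(rec) -aes128-cbc      -- enc algorithm to remove"
REC_LINE = re.compile(
    r"^\(rec\)\s+([+-])(\S+)\s+--\s+(enc|kex|key|mac) algorithm to (remove|append)$"
)

def parse_recs(text):
    """Return a set of (action, kind, algorithm) tuples found in ssh-audit output."""
    recs = set()
    for line in text.splitlines():
        m = REC_LINE.match(line.strip())
        if not m:
            continue  # headers, "Quote" markers and blank lines are skipped
        sign, name, kind, action = m.groups()
        # Accept the line only when the sign and the wording agree.
        if (sign == "-") == (action == "remove"):
            recs.add((action, kind, name))
    return recs

def compare_runs(before_text, after_text):
    """Classify recommendations across two audit runs."""
    before, after = parse_recs(before_text), parse_recs(after_text)
    return {
        "resolved": sorted(before - after),   # gone after the change
        "remaining": sorted(before & after),  # still reported
        "new": sorted(after - before),        # reported only after the change
    }

# Constructed sample: a shortened excerpt of the two outputs quoted in the thread.
BEFORE = """# algorithm recommendations (for OpenSSH 8.0)
(rec) -aes128-cbc                           -- enc algorithm to remove
(rec) -diffie-hellman-group-exchange-sha1   -- kex algorithm to remove
(rec) -ssh-rsa                              -- key algorithm to remove
(rec) +aes192-ctr                           -- enc algorithm to append
(rec) -hmac-sha1                            -- mac algorithm to remove
"""
AFTER = """# algorithm recommendations (for OpenSSH 8.0)
(rec) -ssh-rsa                              -- key algorithm to remove
(rec) -hmac-sha1                            -- mac algorithm to remove
(rec) -umac-64@openssh.com                  -- mac algorithm to remove
"""

if __name__ == "__main__":
    for status, items in compare_runs(BEFORE, AFTER).items():
        print(status, items)
```

Saving the full ssh-audit output before and after each configuration change and passing both to `compare_runs` shows whether the change actually took effect on the running sshd.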
Title: Re: How to Adjust my SSH Server ? Almalinux 8
Post by: Starburst on January 22, 2025, 02:03:12 AM
Here is some light reading for you, for when you can't fall asleep.  :o

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/security_guide/sec-hardening_tls_configuration#sec-Choosing_Algorithms_to_Enable
--
https://community.centminmod.com/threads/openssh-chacha20-ciphers-for-terrapin-security-vulnerability-attacks.25043/
--
https://serverfault.com/questions/1148295/tls-cipher-suites-ordering
--
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#setting-up-system-wide-crypto-policies-in-the-web-console_using-the-system-wide-cryptographic-policies

Scroll down to 3.6.1 Open SSH
--
And IF you want to open a can of worms and headaches...
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4823.pdf

--

Then once done with SSH, you have Apache to configure...