
Since 1995, SSH, and in particular the OpenSSH server [1999], has been one of the basic services administrators rely on to manage their IT environment, much like DNS [1985].
How do you properly harden an OpenSSH server in 2024?
- Debian 12 with
OpenSSH_9.2, OpenSSL 3.0.11 19 Sep 2023
- Applied all the recommendations; it passes the standard test but fails the "hardened" test, which says:
  - it does not like the use of
[email protected]
  - the server uses 8192 bits instead of 4096 (the more the better?)
  - it does not like the use of
sshd_config:

# Ports and Addresses:
## it is (probably) advisable to change this to something else but nothing
## beyond 1024 privileged ports?
## https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html
#Port = 22
#AddressFamily = any
#ListenAddress = 0.0.0.0
#ListenAddress = ::
Include = /etc/ssh/sshd_config.d/*.conf

# Logging
## it is disabled per default on Debian maybe because of brute force attacks
## spamming the logs?
SyslogFacility = AUTH
LogLevel = INFO

# Authentication:
Protocol = 2
StrictModes = yes
LoginGraceTime = 3m
MaxAuthTries = 3
ClientAliveInterval = 300
ClientAliveCountMax = 2
PermitRootLogin = no
PermitEmptyPasswords = no
PubkeyAuthentication = yes
KbdInteractiveAuthentication = no
UsePAM = no ## not so sure about this one
ChallengeResponseAuthentication = no ## this has no effect?
PasswordAuthentication = no ## good practice, but is it enough?
AllowUsers = username
X11Forwarding = no
PrintMotd = no
AcceptEnv LANG LC_*

# override default of no subsystems
### Subsystem sftp = /usr/lib/openssh/sftp-server

# Ciphers and keying
KexAlgorithms = [email protected],curve25519-sha256,[email protected],gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers = [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs = [email protected],[email protected],[email protected]
Answer 1
Your problem may be the same as the one in the bug report
Unknown algorithm: [email protected] #228.
If it is the same, support for it was reportedly added in ssh-audit v3.1.0 on 20 December 2023.