Source IP missing in log when no suitable key exchange method found.

Dear SSH Gurus,

While reading the recent "Stribika" article [1] on tweaking the SSH algorithms, I decided to mimic this and some other tweaks in my sshd config. Well, it did one thing for sure: stopping most SSH brute force / scanners. Besides the normal "User xxx from yyy not allowed because not in AllowUsers", or the failures due to public key only, the logs are now filled with:

Jan 12 20:17:28 <<REMOVED>> sshd[8888]: fatal: Unable to negotiate a key exchange method [preauth]
Jan 12 20:19:16 <<REMOVED>> sshd[8890]: fatal: Unable to negotiate a key exchange method [preauth]

So the scanners don't support my selection of algorithms, which is fine as well, but there is no source IP logged. Now I'm far from proficient in C, but if I'm reading it correctly this is triggered from kex.c in the function choose_kex, and the various calls to this don't pass the source IP. This is assumed to be the reason why the IP is not logged, but maybe it would be a good addition nevertheless?

Given my lack of C skills, no patch from my side, apologies.

Stijn

P.S. Whether the algorithms below make things more secure depends on each person's view / the goals to be achieved. But the lack of a source IP is hindering detection and fail2ban-like protection.

[maint@<<REMOVED>> ~]$ sshd -v
unknown option -- v
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port]
            [-u len]
[maint@<<REMOVED>> ~]$ grep -v -e ^# -e ^$ /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 600
ServerKeyBits 2048
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
MaxStartups 10:30:60
Banner /etc/issue.net
DebianBanner no
UseDNS no
AllowTcpForwarding no
GatewayPorts no
AllowUsers <<REMOVED>>
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AuthenticationMethods publickey
KexAlgorithms curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aes128-gcm@xxxxxxxxxxx,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2-256-etm@xxxxxxxxxxx,hmac-ripemd160-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx

[1] https://stribika.github.io/2015/01/04/secure-secure-shell.html

-- 
Yours Sincerely / Met Vriendelijke groet,
Stijn Jonker
SJCJonker@xxxxxx
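A defender-side workaround for the missing source IP, added here as an example and not part of the original post or of OpenSSH: it pairs each "Unable to negotiate a key exchange method" line with the "Connection from <ip> port <n>" line that the same sshd child (same pid) logs when LogLevel is VERBOSE or higher. That VERBOSE dependency is an assumption stated for the example, the sample log lines are constructed, and at LogLevel INFO (as in the posted config) the IP stays unknown.

```python
import re

# Constructed sample lines in the syslog format shown in the post. The
# "Connection from" lines are assumed to require LogLevel VERBOSE; pid 8890
# has none, mirroring what the post's LogLevel INFO setup produces.
SAMPLE_LOG = """\
Jan 12 20:17:27 host sshd[8888]: Connection from 203.0.113.7 port 51234
Jan 12 20:17:28 host sshd[8888]: fatal: Unable to negotiate a key exchange method [preauth]
Jan 12 20:19:16 host sshd[8890]: fatal: Unable to negotiate a key exchange method [preauth]
Jan 12 20:20:01 host sshd[8891]: Connection from 198.51.100.9 port 40000
Jan 12 20:20:02 host sshd[8891]: Accepted publickey for maint from 198.51.100.9 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONN_RE = re.compile(r"^Connection from (?P<ip>\S+) port (?P<port>\d+)")
KEX_FAIL = "Unable to negotiate a key exchange method"


def kex_failures(lines):
    """Return (timestamp, pid, source_ip_or_None) for each kex negotiation failure.

    The source IP is taken from the "Connection from" line logged earlier by the
    same sshd child process (same pid). If no such line was seen, the IP is None,
    which is exactly the gap the post describes at LogLevel INFO.
    """
    conn_by_pid = {}
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # not an sshd line; ignore
        pid, msg = m.group("pid"), m.group("msg")
        c = CONN_RE.match(msg)
        if c:
            conn_by_pid[pid] = c.group("ip")  # pids get reused; keep the latest
            continue
        if KEX_FAIL in msg:
            # pop so a recycled pid cannot inherit a stale source address
            hits.append((m.group("ts"), pid, conn_by_pid.pop(pid, None)))
    return hits


if __name__ == "__main__":
    for ts, pid, ip in kex_failures(SAMPLE_LOG.splitlines()):
        print(f"{ts} pid={pid} src={ip or 'UNKNOWN (no Connection from line)'}")
```

A fail2ban-style filter can consume the returned tuples; entries with a None source are precisely the events that cannot be banned with the posted configuration.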

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
