Where possible, all VMware appliances have a default hardened configuration. Users can verify that their configuration is appropriately hardened by examining the server and client service settings in the global options section of the configuration file.

About this task

If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allow file.

Procedure

  1. Open the /etc/ssh/sshd_config server configuration file on the VMware appliance, and verify that the settings are correct.

    Setting: Status

    Server Daemon Protocol: Protocol 2
    CBC Ciphers: Ciphers aes256-ctr,aes128-ctr (CTR modes only; no CBC ciphers in the list)
    TCP Forwarding: AllowTcpForwarding no
    Server Gateway Ports: GatewayPorts no
    X11 Forwarding: X11Forwarding no
    SSH Service: Use the AllowGroups field and specify a group permitted access. Add appropriate members to this group.
    GSSAPI Authentication: GSSAPIAuthentication no, if unused
    Kerberos Authentication: KerberosAuthentication no, if unused
    Local Variables (AcceptEnv global option): Disabled by commenting out, or enabled only for LC_* and LANG variables
    Tunnel Configuration: PermitTunnel no
    Network Sessions: MaxSessions 1
    User Concurrent Connections: Set to 1 for root and any other user. The /etc/security/limits.conf file must also be configured with the same setting.
    Strict Mode Checking: StrictModes yes
    Privilege Separation: UsePrivilegeSeparation yes
    rhosts RSA Authentication: RhostsRSAAuthentication no
    Compression: Compression delayed or Compression no
    Message Authentication Code: MACs hmac-sha1
    User Access Restriction: PermitUserEnvironment no

  2. Save your changes and close the file.
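As an added example, not VMware's own tooling, the following Python audit reads an sshd_config and reports every checklist item above that deviates; it applies sshd's first-occurrence-wins rule and stops at the first Match block, which is where a hand check most often goes wrong. The EXPECTED table is built from the list above and SAMPLE is a constructed config, not a real appliance file.

```python
import re

# Hardened values from the checklist above, keyed by sshd_config keyword
# (sshd matches keywords case-insensitively); "a|b" lists accepted alternatives.
EXPECTED = {
    "protocol": "2", "ciphers": "aes256-ctr,aes128-ctr",
    "allowtcpforwarding": "no", "gatewayports": "no", "x11forwarding": "no",
    "gssapiauthentication": "no", "kerberosauthentication": "no",
    "permittunnel": "no", "maxsessions": "1", "strictmodes": "yes",
    "useprivilegeseparation": "yes", "rhostsrsaauthentication": "no",
    "compression": "delayed|no", "macs": "hmac-sha1", "permituserenvironment": "no",
}

# Lower-case and sort comma lists so cipher/MAC order alone never causes a finding.
norm = lambda v: ",".join(sorted(v.lower().split(",")))

def parse_sshd_config(text):
    """Read the file as sshd does: '#' lines are comments, 'Key value' or 'Key=value',
    the FIRST occurrence of a keyword wins, and anything after Match is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "match":
            break  # Match blocks apply per user/host/address, not globally
        settings.setdefault(key.lower(), value.strip())  # later duplicates ignored
    return settings

def audit(text):
    """Return (keyword, found, expected) per deviating item; found is None if absent."""
    settings = parse_sshd_config(text)
    findings = [(k, settings.get(k), exp) for k, exp in EXPECTED.items()
                if settings.get(k) is None
                or norm(settings[k]) not in {norm(e) for e in exp.split("|")}]
    if not settings.get("allowgroups"):  # the checklist requires an explicit group
        findings.append(("allowgroups", None, "<admin group>"))
    return findings

# Constructed sample, not a real appliance file: one weak value, one duplicate.
SAMPLE = """\
Protocol 2
Ciphers aes128-ctr,aes256-ctr
AllowTcpForwarding yes
AllowGroups sshadmins
PermitUserEnvironment no
PermitUserEnvironment yes
"""
```

On the appliance itself, the output of `sshd -T` (the effective configuration after compiled-in defaults) is in the same `keyword value` form and can be passed to audit() instead of the raw file.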