Where possible, the Virtual Application Installation (OVF) ships with a hardened default configuration. Verify that the configuration is hardened by examining the SSH server and client settings in the global options section of the respective configuration files.

About this task

If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allow file. Note that /etc/hosts.allow is honoured only when sshd was built with TCP wrappers (libwrap) support, which upstream OpenSSH removed in release 6.7; if the sshd binary on the appliance does not link libwrap, enforce the restriction with a host firewall rule instead.

Procedure

  1. Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct.

    Setting                          Status
    Server Daemon Protocol           Protocol 2
    Ciphers                          Ciphers aes256-ctr,aes128-ctr
    TCP Forwarding                   AllowTcpForwarding no
    Server Gateway Ports             GatewayPorts no
    X11 Forwarding                   X11Forwarding no
    SSH Service                      AllowGroups <group>: set this to a group that is permitted to use the service, and add each permitted user to that group as a secondary group
    GSSAPI Authentication            GSSAPIAuthentication no, if unused
    Kerberos Authentication          KerberosAuthentication no, if unused
    Local Variables (AcceptEnv)      AcceptEnv disabled (commented out), or enabled only for LC_* and LANG variables
    Tunnel Configuration             PermitTunnel no
    Network Sessions                 MaxSessions 1
    Strict Mode Checking             StrictModes yes
    Privilege Separation             UsePrivilegeSeparation yes
    rhosts RSA Authentication        RhostsRSAAuthentication no
    Compression                      Compression delayed or Compression no
    Message Authentication Code      MACs hmac-sha1
    User Access Restriction          PermitUserEnvironment no

    Keywords are case-insensitive but their arguments are case-sensitive, and when a keyword appears more than once the first uncommented occurrence wins; settings placed below a Match block apply only to connections that satisfy that Match. On OpenSSH 7.4 and later RhostsRSAAuthentication is gone together with protocol 1 and Compression delayed is treated as Compression yes (pre-authentication compression no longer exists); from 7.5 UsePrivilegeSeparation is deprecated because separation is always on. sshd logs these as deprecated options, which is expected on a newer build. Where the connecting clients support them, hmac-sha2-256 and hmac-sha2-512 (available since OpenSSH 5.9) should be preferred over hmac-sha1 in the MACs list.

  2. Save your changes, close the file, and validate the configuration with sshd -t before restarting the SSH service.
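The following script is an added example for the procedure above (it is not part of the original page or of the appliance's own tooling): it reads an sshd_config the way sshd does (case-insensitive keywords, first uncommented occurrence wins, anything after the first Match line ignored as non-global) and reports each setting from step 1 as OK or FAIL. The EXPECTED list, the helper names and the two sample configuration files it writes are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config against the
# values in step 1. Keywords are matched case-insensitively and the first
# uncommented occurrence wins, which is how sshd itself resolves duplicates;
# lines after the first "Match" block are conditional and therefore ignored.

# Required values, "Keyword|Value" per line (the '|' form is this script's own).
EXPECTED='Protocol|2
Ciphers|aes256-ctr,aes128-ctr
AllowTcpForwarding|no
GatewayPorts|no
X11Forwarding|no
GSSAPIAuthentication|no
KerberosAuthentication|no
PermitTunnel|no
MaxSessions|1
StrictModes|yes
UsePrivilegeSeparation|yes
RhostsRSAAuthentication|no
Compression|no
MACs|hmac-sha1
PermitUserEnvironment|no'

# sshd_get FILE KEYWORD: print the effective global value, or nothing if unset.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { v = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", v)
            sub(/[[:space:]]+$/, "", v); print v; exit }' "$1"
}

# acceptenv_ok "TOKENS": true when every AcceptEnv pattern is LANG or LC_*.
acceptenv_ok() {
    for tok in $1; do
        case $tok in LANG|LC_*) ;; *) return 1 ;; esac
    done
    return 0
}

# check_sshd_config FILE: print OK/FAIL per setting; return 1 on any FAIL.
check_sshd_config() {
    file=$1; rc=0
    while IFS='|' read -r key want; do
        got=$(sshd_get "$file" "$key"); ok=0
        case $key in
            Compression) [ "$got" = no ] || [ "$got" = delayed ] || ok=1 ;;
            *) [ "$got" = "$want" ] || ok=1 ;;
        esac
        if [ "$ok" -eq 0 ]; then
            printf 'OK   %-24s %s\n' "$key" "$got"
        else
            printf 'FAIL %-24s expected "%s", got "%s"\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    got=$(sshd_get "$file" AllowGroups)
    if [ -n "$got" ]; then printf 'OK   AllowGroups              %s\n' "$got"
    else echo 'FAIL AllowGroups              expected at least one group'; rc=1; fi
    got=$(sshd_get "$file" AcceptEnv)
    if acceptenv_ok "$got"; then printf 'OK   AcceptEnv                %s\n' "${got:-<unset>}"
    else printf 'FAIL AcceptEnv                only LANG/LC_* allowed, got "%s"\n' "$got"; rc=1; fi
    return $rc
}

# Constructed sample files (not taken from any real host) to exercise the check.
write_hardened_config() {   # every value from EXPECTED plus an AllowGroups line
    { printf '%s\n' "$EXPECTED" | tr '|' ' '; echo 'AllowGroups sshusers'; } > "$1"
}
write_weak_config() {       # typical deviations: duplicates, extra env, Match block
    cat > "$1" <<'EOF'
protocol 2
Ciphers aes256-ctr,aes128-ctr
AllowTcpForwarding yes
X11Forwarding yes
X11Forwarding no
AcceptEnv LANG LC_* TERM
MaxSessions 10
Compression yes
Match Address 10.0.0.0/24
    PermitTunnel no
EOF
}

tmp=$(mktemp -d)
write_hardened_config "$tmp/hardened"; write_weak_config "$tmp/weak"
echo "== $tmp/hardened =="; check_sshd_config "$tmp/hardened"
echo "== $tmp/weak =="; check_sshd_config "$tmp/weak" || echo "deviations found"
```

To audit the appliance, run check_sshd_config /etc/ssh/sshd_config (as a user who can read the file) and treat any FAIL line as a setting to correct; the weak sample shows three cases the eye easily misses: the second X11Forwarding line is silently ignored, TERM slips through AcceptEnv, and PermitTunnel is set only inside a Match block rather than globally.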