Where possible, the virtual appliance installation (OVF) ships with a hardened default configuration. You can verify that your configuration is appropriately hardened by examining the server and client service settings in the global options section of the SSH configuration file.

If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allow file.

Procedure

  1. Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct.
    | Setting | Status |
    |---------|--------|
    | Server daemon protocol | Protocol 2 |
    | Ciphers | Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
    | TCP forwarding | AllowTcpForwarding no |
    | Server gateway ports | GatewayPorts no |
    | X11 forwarding | X11Forwarding no |
    | SSH service | Use the AllowGroups directive to name a group permitted to access the service, and add the users permitted to use the service to that secondary group. |
    | GSSAPI authentication | GSSAPIAuthentication no, if unused |
    | Kerberos authentication | KerberosAuthentication no, if unused |
    | Local variables (AcceptEnv global option) | Disabled by commenting the directive out, or enabled for only LC_* or LANG variables |
    | Tunnel configuration | PermitTunnel no |
    | Network sessions | MaxSessions 1 |
    | Strict mode checking | StrictModes yes |
    | Privilege separation | UsePrivilegeSeparation yes |
    | rhosts RSA authentication | RhostsRSAAuthentication no |
    | Compression | Compression delayed or Compression no |
    | Message authentication codes | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1 |
    | User access restriction | PermitUserEnvironment no |
    | Key exchange algorithms | KexAlgorithms diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 |
  2. Save your changes and close the file.
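The procedure above is a manual review. The following script is an added example (it is not part of this guide or of the appliance) that performs the same review automatically: it reads the effective global value of each directive from an sshd_config file and reports any setting that is missing or differs from the table. It honours the rules sshd itself applies (first occurrence wins, keywords are case-insensitive, directives after a Match line are conditional rather than global). The sample configuration files it builds in a temporary directory are constructed for the demonstration; the group name sshusers is likewise an assumed value.

```shell
#!/bin/sh
# Added example, not from the hardening guide: audit an sshd_config against the
# settings table. Runs here on constructed samples; point it at a copy of
# /etc/ssh/sshd_config to audit a real host.

# Effective value of a global keyword. sshd honours the first occurrence,
# keywords are case-insensitive, "Key value" and "Key=value" are both legal,
# and anything after the first Match line is conditional, not global.
# A non-empty third argument returns every occurrence (AcceptEnv is cumulative).
sshd_get() {
    awk -v key="$1" -v all="$3" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, f, /[[:space:]=]+/)
            k = tolower(f[1])
            if (k == "match") exit
            if (k == tolower(key)) {
                sub(/^[^[:space:]=]+[[:space:]=]+/, "", line)
                print line
                if (!all) exit
            }
        }' "$2"
}

# Settings from the table; "|" separates values the guide accepts.
SSHD_EXPECTED='Protocol 2
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
GSSAPIAuthentication no
KerberosAuthentication no
PermitTunnel no
MaxSessions 1
StrictModes yes
UsePrivilegeSeparation yes
RhostsRSAAuthentication no
Compression delayed|no
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
PermitUserEnvironment no
KexAlgorithms diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521'

# Print one line per setting and return the number of failing settings (0 = pass).
sshd_check_config() {
    file=$1; fails=0
    while read -r key want; do
        got=$(sshd_get "$key" "$file")
        if [ -z "$got" ]; then
            printf 'MISSING  %s (expected: %s)\n' "$key" "$want"
            fails=$((fails + 1)); continue
        fi
        ok=0; IFS='|'
        for alt in $want; do [ "$got" = "$alt" ] && ok=1; done
        unset IFS
        if [ "$ok" -eq 1 ]; then printf 'OK       %s %s\n' "$key" "$got"
        else printf 'MISMATCH %s: found "%s", expected "%s"\n' "$key" "$got" "$want"
             fails=$((fails + 1)); fi
    done <<EOF
$SSHD_EXPECTED
EOF
    # AllowGroups must name a group; AcceptEnv may only pass LANG or LC_* (or be absent).
    [ -n "$(sshd_get AllowGroups "$file")" ] || { printf 'MISSING  AllowGroups\n'; fails=$((fails + 1)); }
    set -f   # no pathname expansion: the value may legitimately be the literal "LC_*"
    for v in $(sshd_get AcceptEnv "$file" all); do
        case "$v" in LANG|LC_*) ;; *) printf 'MISMATCH AcceptEnv passes %s\n' "$v"; fails=$((fails + 1));; esac
    done
    set +f
    return "$fails"
}

# Constructed sample files (not from any appliance): one that follows the table
# and one with two drifts an audit should catch.
SAMPLE_DIR=$(mktemp -d)
GOOD_CFG=$SAMPLE_DIR/sshd_config.good
BAD_CFG=$SAMPLE_DIR/sshd_config.bad
cat > "$GOOD_CFG" <<'EOF'
# constructed hardened sshd_config (assumed group name: sshusers)
Protocol 2
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
AllowGroups sshusers
GSSAPIAuthentication no
KerberosAuthentication no
AcceptEnv LANG LC_*
PermitTunnel no
MaxSessions 1
StrictModes yes
UsePrivilegeSeparation yes
RhostsRSAAuthentication no
Compression no
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
PermitUserEnvironment no
KexAlgorithms diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
Match User backup
    AllowTcpForwarding yes
EOF
# Drifted copy: forwarding re-enabled globally and the session limit raised.
sed -e 's/^AllowTcpForwarding no/AllowTcpForwarding yes/' \
    -e 's/^MaxSessions 1$/MaxSessions 10/' "$GOOD_CFG" > "$BAD_CFG"

echo "== $GOOD_CFG"; sshd_check_config "$GOOD_CFG" || echo "$? setting(s) need attention"
echo "== $BAD_CFG";  sshd_check_config "$BAD_CFG"  || echo "$? setting(s) need attention"
```

The sample's Match block shows why the parser stops at the first Match line: the conditional "AllowTcpForwarding yes" applies only to one user and must not be mistaken for the global value. Directives the guide lists as "if unused" are still required to be present in the file here; drop them from SSHD_EXPECTED if a host legitimately relies on GSSAPI or Kerberos.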