Where possible, the Virtual Application Installation (OVF) has a default hardened configuration. Users can verify that their configuration is appropriately hardened by examining the server and client service in the global options section of the configuration file.

If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allow file.

1. Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct.

   Setting	Status
   Server Daemon Protocol	Protocol 2
   Ciphers	aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
   TCP Forwarding	AllowTCPForwarding no
   Server Gateway Ports	Gateway Ports no
   X11 Forwarding	X11Forwarding no
   SSH Service	Use the AllowGroups field and specify a group permitted to access and add members to the secondary group for users permitted to use the service.
   GSSAPI Authentication	GSSAPIAuthentication no, if unused
   Kerberos Authentication	KerberosAuthentication no, if unused
   Local Variables (AcceptEnv global option)	Set to disabled by commenting out or enabled for only LC_* or LANG variables
   Tunnel Configuration	PermitTunnel no
   Network Sessions	MaxSessions 1
   Strict Mode Checking	Strict Modes yes
   Privilege Separation	UsePrivilegeSeparation yes
   rhosts RSA Authentication	RhostsRSAAuthentication no
   Compression	Compression delayed or Compression no
   Message Authentication code	hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
   User Access Restriction	PermitUserEnvironment no
   KexAlgorithms	diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

2. Save your changes and close the file.