Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
G_W_Albrecht
Legend Legend
Legend

BSI recommended SSH hardening

The German BSI (Federal Office for Information Security) is a main source for IT security recommendations in Europe. Based on its Technical Guideline TR-02102-4_ Cryptographic Mechanisms: Recommendations and Key Lengths – Use of S..., i have tried to harden SSH on my R81.20 Gateway using the suggested cryptographic protocols that should be safe until 2029+. This has resulted in the following configuration:

GW8120> show ssh server cipher enabled
--------------------------------
enabled cipher:
--------------------------------
aes128-gcm@openssh.com
aes256-gcm@openssh.com
--------------------------------
GW8120> show ssh server kex enabled
--------------------------------
enabled kex:
--------------------------------
diffie-hellman-group16-sha512
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
--------------------------------
GW8120> show ssh server mac enabled
--------------------------------
enabled mac:
--------------------------------
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
-------------------------------- 

 I would like to receive comments, additions and critical statements concerning SSH cryptographic protocols in CP products!

Additional note: Suggested secure ciphers also include aes128-ctr, aes192-ctr and aes256-ctr, but the recommendation is AEAD_AES_128_GCM and AEAD_AES_256_GCM.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
7 Replies
PhoneBoy
Admin
Admin

R81.20 has a newer version of OpenSSH that supports more recent ciphers than earlier releases.
And has commands built into clish to manage them 🙂

G_W_Albrecht
Legend Legend
Legend

That is true - i am writing about R81.20 and using these CLISH commands as seen above.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Blason_R
Leader
Leader

Hmm - Thanks for the information but I being a linux geek always prefer to modify sshd.conf or in checkpoint case may be edit sshd templates file?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
the_rock
Legend
Legend

From my R81.20 jumbo 14 lab:

quantum-firewall> show ssh server cipher enabled
--------------------------------
enabled cipher:
--------------------------------
aes128-ctr
aes128-gcm@openssh.com
aes192-ctr
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
--------------------------------
quantum-firewall> show ssh server mac enabled
--------------------------------
enabled mac:
--------------------------------
hmac-sha1
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
--------------------------------
quantum-firewall>

0 Kudos
G_W_Albrecht
Legend Legend
Legend

See the linked doc for recommended macs. But why do you post your settings instead of comments or additions as requested?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend

Yes, see sk106031: How to change SSH encryption protocols and Message Authentication Code settings! For small changes the clish commands do come handy...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend

Good to know 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events