This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
G_W_Albrecht
Legend
Legend
‎2023-06-06 02:50 AM

BSI recommended SSH hardening

The German BSI (Federal Office for Information Security) is a main source for IT security recommendations in Europe. Based on its Technical Guideline TR-02102-4_ Cryptographic Mechanisms: Recommendations and Key Lengths – Use of S..., i have tried to harden SSH on my R81.20 Gateway using the suggested cryptographic protocols that should be safe until 2029+. This has resulted in the following configuration:

GW8120> show ssh server cipher enabled
--------------------------------
enabled cipher:
--------------------------------
aes128-gcm@openssh.com
aes256-gcm@openssh.com
--------------------------------
GW8120> show ssh server kex enabled
--------------------------------
enabled kex:
--------------------------------
diffie-hellman-group16-sha512
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
--------------------------------
GW8120> show ssh server mac enabled
--------------------------------
enabled mac:
--------------------------------
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
-------------------------------- 

 I would like to receive comments, additions and critical statements concerning SSH cryptographic protocols in CP products!

Additional note: Suggested secure ciphers also include aes128-ctr, aes192-ctr and aes256-ctr, but the recommendation is AEAD_AES_128_GCM and AEAD_AES_256_GCM.

CCSE CCTE CCSM SMB Specialist
7 Replies
PhoneBoy
Admin
Admin
‎2023-06-06 12:47 PM

R81.20 has a newer version of OpenSSH that supports more recent ciphers than earlier releases.
And has commands built into clish to manage them 🙂

G_W_Albrecht
Legend
Legend
‎2023-06-06 02:09 PM
In response to PhoneBoy

That is true - i am writing about R81.20 and using these CLISH commands as seen above.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Blason_R
Leader
Leader
‎2023-06-06 07:54 PM
In response to G_W_Albrecht

Hmm - Thanks for the information but I being a linux geek always prefer to modify sshd.conf or in checkpoint case may be edit sshd templates file?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
the_rock
Legend
Legend
‎2023-06-06 09:18 PM
In response to Blason_R

From my R81.20 jumbo 14 lab:

quantum-firewall> show ssh server cipher enabled
--------------------------------
enabled cipher:
--------------------------------
aes128-ctr
aes128-gcm@openssh.com
aes192-ctr
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
--------------------------------
quantum-firewall> show ssh server mac enabled
--------------------------------
enabled mac:
--------------------------------
hmac-sha1
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
--------------------------------
quantum-firewall>

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-06-07 12:08 AM
In response to the_rock

See the linked doc for recommended macs. But why do you post your settings instead of comments or additions as requested?

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-06-07 12:23 AM
In response to Blason_R

Yes, see sk106031: How to change SSH encryption protocols and Message Authentication Code settings! For small changes the clish commands do come handy...

CCSE CCTE CCSM SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2023-06-06 06:40 PM
In response to PhoneBoy

Good to know 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events