To properly secure your Aspera server, which uses SSH for authentication, ensure that your SSH server is configured according to best practices. SSH is configured by editing the sshd_config file, which is located at:
C:\Program Files (x86)\Aspera\Enterprise Server\etc\sshd_config
```
#Port 22
Port 33001
Protocol 2
PasswordAuthentication yes
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512
MaxSessions 100
MaxStartups 100
UseDNS No
X11Forwarding No
```
The above values are best practices, for the following reasons (note that not all of these values are necessarily appropriate for your system; if you are unsure, contact Aspera Support):
#Port 22
Port 33001
- Leaving Port 22 commented out and adding Port 33001 disables port 22 for SSH and enables port 33001. This is a best practice because port 22 is the well-known SSH port and therefore a target for attacks. Port 33001 is Aspera's standard port, which all Aspera products know to look for.

Protocol 2
- Protocol 1 is a less secure SSH protocol, so protocol 2 should be used.

PasswordAuthentication yes
- This setting is appropriate if you have users who will not be using public key authentication and need to authenticate with passwords. On some systems, such as El Capitan on Mac, this setting is required for SSH authentication to work with Aspera servers.

KexAlgorithms
- This setting specifies the key exchange algorithms SSH can use. The algorithms set here are among the most secure, particularly diffie-hellman-SHA1.

Ciphers
- This setting specifies the ciphers SSH is allowed to use. These are the recommended secure ciphers.

Macs
- This setting specifies the allowed message authentication code (MAC) algorithms. These are the recommended MACs to allow.

MaxSessions 100
- This setting determines the maximum number of open shell sessions allowed per network connection.

MaxStartups 100
- This setting determines the maximum number of concurrent unauthenticated SSH connection attempts. In high-concurrency environments, setting this value too low causes SSH connection errors.

UseDNS No
- This setting specifies whether SSH should perform a reverse DNS lookup and check that the resolved remote hostname maps back to the same IP address. Because this check adds little security value, it should simply be disabled.

X11Forwarding No
- This setting disables X11 forwarding, which poses a security risk for users.
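As an added example (not code from Aspera or from this article), the following Python checker parses an sshd_config the way sshd reads it (case-insensitive keywords, `#` comment lines, multiple Port lines all listened on, Match blocks outside the global scope) and reports where the global settings deviate from the values listed above. The configuration it audits is a constructed sample, not a real server's file.

```python
# Recommended values from the sshd_config excerpt on this page (keyword -> value).
BASELINE = {
    "port": "33001", "protocol": "2", "passwordauthentication": "yes",
    "kexalgorithms": "ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1",
    "ciphers": "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc",
    "macs": "hmac-sha1,hmac-sha2-256,hmac-sha2-512",
    "maxsessions": "100", "maxstartups": "100", "usedns": "no", "x11forwarding": "no",
}
# Constructed sample (not a real server's file): Port 22 was left active, Protocol and
# MaxStartups are missing, and X11Forwarding is only turned off inside a Match block.
SAMPLE_CONFIG = """\
Port 22
Port 33001
PasswordAuthentication yes
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
MaxSessions 100
UseDNS no
X11Forwarding yes
Match User auditor
    X11Forwarding no
"""

def parse_sshd_config(text):
    """Global-section {keyword: [values]}; '#' lines are comments; Match ends the global scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            break
        settings.setdefault(key, []).append(value)
    return settings

def audit(text):
    """List deviations from BASELINE; sshd uses the first value per keyword, every Port line listens."""
    cfg, findings = parse_sshd_config(text), []
    for key, wanted in BASELINE.items():
        values = cfg.get(key)
        if values is None:
            findings.append(f"{key}: not set, sshd default applies (recommended {wanted})")
            continue
        actual = set(values) if key == "port" else set(values[0].lower().split(","))
        if actual != set(wanted.split(",")):
            findings.append(f"{key}: {','.join(sorted(actual))} differs from recommended {wanted}")
    return findings
```

Run `audit(open(path).read())` against your own file; an empty list means the global section matches the values above, and a "not set" finding means sshd's compiled-in default is in effect for that keyword.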