Best practices for SSH configuration

Description

Aspera servers use SSH to authenticate clients, so properly securing an Aspera server includes configuring the SSH daemon (sshd) according to best practices.

SSH server configuration is done by editing the sshd_config file and then restarting the SSH service. The file is found at the following location:

  • Linux: /etc/ssh/sshd_config
  • Mac: /etc/ssh/sshd_config
  • Windows: C:\Program Files (x86)\Aspera\Enterprise Server\etc\sshd_config

Recommended configuration

#Port 22
Port 33001
Protocol 2
PasswordAuthentication yes
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
MaxSessions 100
MaxStartups 100
UseDNS no
X11Forwarding no

Details

The above values are best practices to use, for the following reasons (note that not all these values are necessarily appropriate for your system--if you are unsure, contact Aspera Support):

#Port 22
Port 33001
  • Commenting out Port 22 and adding Port 33001 makes sshd listen on port 33001 instead of port 22. Port 22 is the well-known SSH port and therefore attracts constant scanning and password-guessing traffic; moving off it removes that noise, but it is not a substitute for strong authentication. Port 33001 is Aspera’s standard port, which all Aspera products look for by default. Before restarting sshd, allow TCP 33001 through any firewall in front of the server and keep an existing SSH session open so you can recover if the new configuration fails to load.
Protocol 2
  • Protocol 1 has known weaknesses, so only protocol 2 should be allowed. Recent OpenSSH releases have removed protocol 1 support entirely and ignore this directive; leaving it in place is harmless.
PasswordAuthentication yes
  • This setting is appropriate if some users will not use public key authentication and must authenticate with passwords. On some systems, such as OS X El Capitan, this setting is required for SSH authentication to work on Aspera servers. If every user authenticates with a key, set it to no so that password guessing is not possible at all.
KexAlgorithms
  • This setting restricts the key exchange algorithms sshd will negotiate; anything not listed cannot be used. The ECDH entries and diffie-hellman-group-exchange-sha256 are the strong ones. diffie-hellman-group-exchange-sha1 is the weakest entry in the list and is included only so that older clients can still connect; remove it once every client supports the others. An algorithm name the installed OpenSSH does not recognize prevents sshd from starting, so check the names against the output of ssh -Q kex before restarting.
Ciphers
  • This setting restricts the ciphers sshd will negotiate. The CTR modes are the preferred ones; the CBC modes are weaker and are kept for legacy clients, so drop them when no client needs them. Check names against ssh -Q cipher.
MACs
  • This setting restricts the allowed message authentication code (MAC) algorithms. hmac-sha2-256 and hmac-sha2-512 are the preferred ones; hmac-sha1 is the legacy entry, kept for older clients. Check names against ssh -Q mac.
MaxSessions 100
  • This setting determines the maximum number of open shell, login or subsystem (for example sftp) sessions permitted per network connection.
MaxStartups 100
  • This setting determines the maximum number of concurrent unauthenticated connections sshd will accept; further connection attempts are dropped until authentication completes or LoginGraceTime expires. The OpenSSH default is only 10, so in high-concurrency environments too low a value causes Aspera transfers to fail with SSH connection errors.
UseDNS no
  • This setting specifies whether sshd resolves the client’s IP address to a hostname and checks that the name maps back to the same address. The check adds little security value and slows down logins when DNS is slow or unreachable, so it should be disabled.
X11Forwarding No
  • This setting disables X11 forwarding. Aspera transfers never need it, and a compromised or malicious server can use a forwarded X11 channel to attack the connecting user’s X display.
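As an added example (not part of the Aspera article and not an Aspera tool), the following Python script audits an sshd_config file against the values recommended above. It reads the file the way sshd reads top-level directives (case-insensitive keywords, lines starting with # ignored, first occurrence of a single-valued keyword wins, all Port lines collected, Match blocks skipped) and reports every directive that differs from the recommendation. It also flags the SHA-1 and CBC entries in the algorithm lists as legacy, so you can decide whether your clients still need them. The two embedded configurations are constructed samples, and the script name sshd_audit.py is an assumption.

```python
"""sshd_audit.py: compare an sshd_config against the values recommended above.

Added example, not an Aspera tool. Assumes the recommended values are set
globally (directives inside a 'Match' block are skipped).
"""
import re
import sys

# The page's recommended values, keyed by lower-cased sshd keyword.
RECOMMENDED = {
    "port": "33001",
    "protocol": "2",
    "passwordauthentication": "yes",
    "kexalgorithms": "ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,"
                     "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1",
    "ciphers": "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc",
    "macs": "hmac-sha1,hmac-sha2-256,hmac-sha2-512",
    "maxsessions": "100",
    "maxstartups": "100",
    "usedns": "no",
    "x11forwarding": "no",
}

# SHA-1 based key exchange / MACs and CBC ciphers are the weakest entries in
# the recommended lists; they are kept for old clients, so they are reported
# as legacy rather than treated as errors.
LEGACY_ALGORITHM = re.compile(r"-(sha1|cbc)(-96)?(@[\w.-]+)?$")


def parse_sshd_config(text):
    """Return {keyword: [values in file order]} for top-level directives.

    Mirrors sshd: keywords are case-insensitive, a line whose first
    non-blank character is '#' is a comment, 'Keyword value' and
    'Keyword=value' are both accepted, and everything after a 'Match'
    line is conditional and therefore ignored here.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(keyword, []).append(value)
    return settings


def audit(text):
    """Compare a config against RECOMMENDED; return a list of finding strings."""
    cfg = parse_sshd_config(text)
    findings = []

    # sshd listens on every Port given, so a leftover 'Port 22' is a finding.
    ports = set(cfg.get("port", []))
    if ports != {RECOMMENDED["port"]}:
        shown = sorted(ports) if ports else ["22 (sshd default)"]
        findings.append("port: listening on %s, expected only %s"
                        % (", ".join(shown), RECOMMENDED["port"]))

    for keyword, want in RECOMMENDED.items():
        if keyword == "port":
            continue
        values = cfg.get(keyword)
        if not values:
            findings.append("%s: not set, sshd default applies (want %s)" % (keyword, want))
        elif values[0].lower() != want.lower():   # yes/no and names are case-insensitive
            findings.append("%s: is %r, want %r" % (keyword, values[0], want))

    for keyword in ("kexalgorithms", "ciphers", "macs"):
        for alg in cfg.get(keyword, [""])[0].split(","):
            if LEGACY_ALGORITHM.search(alg.strip()):
                findings.append("%s: %s is a legacy algorithm; drop it once no client needs it"
                                % (keyword, alg.strip()))
    return findings


# Constructed sample: a stock-looking sshd_config before hardening.
STOCK_CONFIG = """\
# constructed sample, not a real server's file
Port 22
Protocol 2
PasswordAuthentication yes
X11Forwarding yes
UseDNS yes
"""

# The configuration recommended on this page.
RECOMMENDED_CONFIG = """\
#Port 22
Port 33001
Protocol 2
PasswordAuthentication yes
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
MaxSessions 100
MaxStartups 100
UseDNS no
X11Forwarding no
"""

if __name__ == "__main__":
    # Usage: python3 sshd_audit.py /etc/ssh/sshd_config (no argument: audit the samples)
    if len(sys.argv) > 1:
        sources = {sys.argv[1]: open(sys.argv[1]).read()}
    else:
        sources = {"stock sample": STOCK_CONFIG, "recommended": RECOMMENDED_CONFIG}
    for name, text in sources.items():
        print("== %s" % name)
        for finding in audit(text) or ["no findings"]:
            print("  " + finding)
```

Run it with no argument to audit the two embedded samples, or pass the path of a real sshd_config. Because sshd -T prints the effective configuration in the same keyword/value form, sshd -T | python3 sshd_audit.py /dev/stdin audits what the running daemon actually uses, including the defaults for anything the file does not set (a few values are printed in normalised form, for example MaxStartups as start:rate:full, so expect those to show up as differences). Before restarting sshd with new algorithm lists, confirm that the installed OpenSSH recognizes every name with ssh -Q kex, ssh -Q cipher and ssh -Q mac, and syntax-check the file with sshd -t: an unknown algorithm name stops sshd from starting.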