IBM Support

Best practices for SSH configuration

Question & Answer


Question

Best practices for SSH configuration

Answer

Description

An Aspera server relies on SSH for user authentication, so securing it properly includes configuring the SSH server (sshd) according to best practices.

SSH configuration involves modifying the sshd_config file, which can be found at the following location. sshd reads this file only when it starts, so restart or reload the SSH service after editing it:

  • Linux: /etc/ssh/sshd_config
  • Mac: /etc/ssh/sshd_config
  • Windows: C:\Program Files (x86)\Aspera\Enterprise Server\etc\sshd_config

Recommended configuration

#Port 22
Port 33001
Protocol 2
PasswordAuthentication yes
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
MaxSessions 100
MaxStartups 100
UseDNS no
X11Forwarding no

Details

The above values are best practices for the following reasons (note that not all of these values are necessarily appropriate for your system; if you are unsure, contact Aspera Support):

#Port 22
Port 33001
  • With the Port 22 line commented out and Port 33001 added, sshd listens only on port 33001. This is a best practice because port 22 is the well-known SSH port and therefore the first target of automated attacks, and port 33001 is Aspera's standard port, which all Aspera products know to look for. sshd falls back to port 22 only when the file contains no Port line at all, so deleting the commented line is harmless as long as Port 33001 remains. Moving the port reduces scanner noise but is not a substitute for the authentication and algorithm settings below; also remember to allow TCP 33001 through any host or network firewall.
Protocol 2
  • Protocol 1 is a less secure SSH protocol, so only protocol 2 should be used. Current OpenSSH releases no longer support protocol 1 at all and ignore this directive (logging a deprecation warning), so it only matters on older servers.
PasswordAuthentication yes
  • This setting is appropriate if you have users that will not be using public key authentication and need to authenticate with passwords. On some systems, such as El Capitan on Mac, this setting is required for SSH authentication to work on Aspera servers. If every user of a server authenticates with keys, set it to no instead so that password guessing is not possible.
KexAlgorithms
  • This setting specifies the key exchange algorithms sshd may use, as a comma-separated list in order of server preference. Algorithms not listed are refused, so a client that supports none of them cannot connect.
Ciphers
  • This setting specifies the allowed ciphers for SSH, again as a comma-separated list. The CTR-mode ciphers are the recommended ones; the CBC-mode entries are kept for compatibility with older clients and should be removed once no such clients remain, because CBC mode in SSH is weaker than CTR.
MACs
  • This setting specifies the allowed message authentication code (MAC) algorithms. hmac-sha2-256 and hmac-sha2-512 are the recommended MACs; hmac-sha1 is listed for compatibility with older clients and can be dropped once they are gone.
MaxSessions 100
  • This setting determines the maximum number of open shell, login or subsystem (for example sftp) sessions allowed per network connection.
MaxStartups 100
  • This setting determines the maximum number of concurrent unauthenticated connections to the SSH daemon; additional connections are dropped until authentication succeeds or the LoginGraceTime expires. In high-concurrency environments, too low a value causes SSH connection errors. sshd also accepts the form start:rate:full (for example 10:30:100), which randomly refuses rate% of new unauthenticated connections once start are pending, rising linearly to refusing all of them at full.
UseDNS no
  • This setting specifies whether sshd should look up the remote hostname and check that it resolves back to the same IP address. The check adds little security value (an attacker typically controls the reverse DNS of their own address) and slows or breaks logins when DNS is unavailable, so it should simply be disabled.
X11Forwarding no
  • This setting disables X11 forwarding, which poses a security risk for users because a compromised server could access the client's forwarded X display.
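The following script is an added example and is not part of the IBM page or Aspera's own tooling. It audits a Linux or Mac sshd_config against the recommended values above: it reads each directive the way sshd does (a "#" starts a comment, keywords are case-insensitive, and for these keywords the first occurrence wins), prints PASS or FAIL per directive, warns when CBC ciphers or SHA-1/MD5 MACs are still in the allowed lists, and, when sshd is on the PATH, runs sshd -t so that a typo cannot lock you out on restart. The embedded sample configuration is constructed for the demonstration (it deliberately leaves Port at the default and keeps hmac-sha1) and is not taken from any real server; pass a real path as the first argument to audit a live file. The function names and the sample path are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the IBM page): audit an sshd_config against the
# recommended directives. Usage: sh audit_sshd.sh [/etc/ssh/sshd_config]
# With no argument a constructed sample file is audited instead.

# Print the effective value of a directive. Mirrors sshd's parsing rules:
# "#" starts a comment, keywords are case-insensitive, and for these keywords
# the FIRST occurrence wins. (The "keyword=value" spelling sshd also accepts
# is not handled here.) Prints nothing if the directive is not set.
sshd_get() {
  awk -v key="$2" '
    { sub(/#.*/, "") }
    NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Compare one directive with its expected value (case-insensitively).
# Prints PASS or FAIL and returns 0 or 1 accordingly.
sshd_check() {
  got=$(sshd_get "$1" "$2" | tr 'A-Z' 'a-z')
  want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  if [ "$got" = "$want" ]; then
    printf 'PASS %-22s %s\n' "$2" "$got"
    return 0
  fi
  printf 'FAIL %-22s got "%s", want "%s"\n' "$2" "${got:-<unset>}" "$3"
  return 1
}

# From a comma-separated algorithm list, print the entries current guidance
# treats as weak: any CBC-mode cipher and the SHA-1/MD5 MACs. One per line.
weak_algos() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -E -- '-cbc$|^hmac-(sha1|md5)(-96)?$' || true
}

# Run every check; return 1 if any hard check failed. Weak algorithms only
# warn, because the page keeps some of them for older clients.
sshd_audit() {
  cfg=$1; rc=0
  sshd_check "$cfg" Port 33001                 || rc=1
  sshd_check "$cfg" PasswordAuthentication yes || rc=1
  sshd_check "$cfg" MaxSessions 100            || rc=1
  sshd_check "$cfg" MaxStartups 100            || rc=1
  sshd_check "$cfg" UseDNS no                  || rc=1
  sshd_check "$cfg" X11Forwarding no           || rc=1
  for k in KexAlgorithms Ciphers MACs; do
    if [ -z "$(sshd_get "$cfg" "$k")" ]; then
      printf 'FAIL %-22s unset (sshd built-in defaults apply)\n' "$k"; rc=1
    fi
  done
  weak=$(weak_algos "$(sshd_get "$cfg" Ciphers),$(sshd_get "$cfg" MACs)")
  if [ -n "$weak" ]; then
    printf 'WARN weak algorithms enabled: %s\n' "$(printf '%s' "$weak" | tr '\n' ' ')"
  fi
  return $rc
}

# Ask the real daemon to validate the file before it is restarted. Needs sshd
# on PATH and normally root (host keys must be readable); skipped otherwise.
sshd_syntax_check() {
  command -v sshd >/dev/null 2>&1 || { echo "SKIP sshd not on PATH"; return 0; }
  sshd -t -f "$1"
}

# Constructed sample, not a real server's file: the recommended settings with
# Port deliberately left at the default and hmac-sha1 still enabled.
write_sample_config() {
  f=${TMPDIR:-/tmp}/sshd_config.sample.$$
  cat > "$f" <<'EOF'
#Port 22
Protocol 2
PasswordAuthentication yes
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
MaxSessions 100
MaxStartups 100
UseDNS no
X11Forwarding no
EOF
  printf '%s\n' "$f"
}

if [ -n "${1:-}" ]; then
  cfg=$1
else
  cfg=$(write_sample_config); trap 'rm -f "$cfg"' EXIT
fi
sshd_audit "$cfg"        || echo "audit: deviations found, see FAIL lines above"
sshd_syntax_check "$cfg" || echo "sshd -t rejected the file; fix it before restarting sshd"
```

On the sample the script reports FAIL for Port (unset, so sshd would still listen on 22), PASS for the others, and a WARN naming hmac-sha1. The script only reads global directives; it does not understand Match blocks, and it does not apply to the Windows path above, where the bundled sshd is configured the same way but the audit would have to be run from a POSIX shell such as Cygwin or WSL. The sshd -t step is the one to keep in any change procedure: run it on the edited file, and only then restart the service, ideally from a second already-open session so a mistake does not cost you access.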


Document Information

Modified date:
02 February 2023

UID

ibm10746147