自 1995 年以来,SSH 尤其OpenSSH 服务器[1999] 是与 DNS [1985] 类似的基本服务之一,可供管理员管理其 IT 环境。
如何在 2024 年正确保护 OpenSSH 服务器的安全?
- Debian 12 带有
OpenSSH_9.2, OpenSSL 3.0.11 19 Sep 2023- 已应用全部建议,通过了标准测试,但未通过“强化”测试,并表示:
- 它不喜欢使用
[email protected] - 服务器使用的是 8192 位,而不是 4096 位(越多越好?)
- 它不喜欢使用
- 已应用全部建议,通过了标准测试,但未通过“强化”测试,并表示:
sshd_config:# Ports and Addresses: ## it is (probably) advisable to change this to something else but nothing ## beyond 1024 privileged ports? ## https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html #Port = 22 #AddressFamily = any #ListenAddress = 0.0.0.0 #ListenAddress = :: Include = /etc/ssh/sshd_config.d/*.conf # Logging ## it is disabled per default on Debian maybe because of brute force attacks ## spamming the logs? SyslogFacility = AUTH LogLevel = INFO # Authentication: Protocol = 2 StrictModes = yes LoginGraceTime = 3m MaxAuthTries = 3 ClientAliveInterval = 300 ClientAliveCountMax = 2 PermitRootLogin = no PermitEmptyPasswords = no PubkeyAuthentication = yes KbdInteractiveAuthentication = no UsePAM = no ## not so sure about this one ChallengeResponseAuthentication = no ## this has no effect? PasswordAuthentication = no ## good practice, but is it enough? AllowUsers = username X11Forwarding = no PrintMotd = no AcceptEnv LANG = LC_* X11Forwarding = no # override default of no subsystems ### Subsystem sftp = /usr/lib/openssh/sftp-server # Ciphers and keying KexAlgorithms = [email protected],curve25519-sha256,[email protected],gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 Ciphers = [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr MACs = [email protected],[email protected],[email protected]
答案1
您的问题可能与错误报告中的问题相同
未知算法:[电子邮件保护]#228。
如果相同,则据称已于 2023 年 12 月 20 日在 ssh-审计 v3.1.0。