Stranded Camel
Explorer
- Joined
- May 25, 2017
- Messages
- 79
I've just run this ssh-audit tool on my FreeNAS 11-4 box, and the results are abysmal (see end of post for results). In short, all the items marked `warn`, `fail` or `remove` need to be dealt with. I've done this on several Linux boxes, following this hardening guide, and the results were excellent.
So I want to harden my FreeNAS box. There are instructions for a version of OpenBSD there, so this should be eminently doable. My problem is that I simply don't understand how to go about this on FreeNAS, as most things are ephemeral, disappearing on your next boot. Can anybody lend a hand?
Thanks in advance!
SSH AUDIT RESULTS
So I want to harden my FreeNAS box. There are instructions for a version of OpenBSD there, so this should be eminently doable. My problem is that I simply don't understand how to go about this on FreeNAS, as most things are ephemeral, disappearing on your next boot. Can anybody lend a hand?
Thanks in advance!
SSH AUDIT RESULTS
Code:
$ ./ssh-audit.py localhost:22 # general (gen) banner: SSH-2.0-OpenSSH_7.4-hpn14v5 FreeBSD-openssh-portable-7.4.p1,1 (gen) software: OpenSSH 7.4 (hpn14v5) running on FreeBSD (gen) compatibility: OpenSSH 7.3+ (some functionality from 6.6), Dropbear SSH 2016.73+ (gen) compression: disabled # key exchange algorithms (kex) curve25519-sha256 -- [warn] unknown algorithm (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak) `- [info] available since OpenSSH 4.4 (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 (kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53 # host-key algorithms (key) ssh-rsa -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28 (key) rsa-sha2-512 -- [info] available since OpenSSH 7.2 (key) rsa-sha2-256 -- [info] available since OpenSSH 7.2 (key) ecdsa-sha2-nistp256 -- [fail] using weak elliptic curves `- [warn] using weak random number generator could reveal the key `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5 # encryption algorithms (ciphers) (enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5 `- [info] default cipher since OpenSSH 6.9. (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes192-ctr -- [info] available since OpenSSH 3.7 (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2 (enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2 (enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm `- [warn] using weak cipher mode `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28 (enc) none -- [fail] no encryption/integrity `- [info] available since OpenSSH 1.2.2, Dropbear SSH 2013.56 # message authentication code algorithms (mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size `- [info] available since OpenSSH 6.2 (mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha1-etm@openssh.com -- [warn] using weak hashing algorithm `- [info] available since OpenSSH 6.2 (mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode `- [warn] using small 64-bit tag size `- [info] available since OpenSSH 4.7 (mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode `- [info] available since OpenSSH 6.2 (mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 (mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 (mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode `- [warn] using weak hashing algorithm `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28 # algorithm recommendations (for OpenSSH 7.4) (rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove (rec) -diffie-hellman-group-exchange-sha256 -- kex algorithm to remove (rec) -ecdh-sha2-nistp256 -- kex algorithm to remove (rec) -ecdh-sha2-nistp384 -- kex algorithm to remove (rec) -ecdh-sha2-nistp521 -- kex algorithm to remove (rec) -ecdsa-sha2-nistp256 -- key algorithm to remove (rec) -none -- enc algorithm to remove (rec) -aes128-cbc -- enc algorithm to remove (rec) -hmac-sha1 -- mac algorithm to remove (rec) -hmac-sha2-256 -- mac algorithm to remove (rec) -hmac-sha2-512 -- mac algorithm to remove (rec) -umac-64@openssh.com -- mac algorithm to remove (rec) -umac-128@openssh.com -- mac algorithm to remove (rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove (rec) -umac-64-etm@openssh.com -- mac algorithm to remove $
Last edited by a moderator: