General instructions

To ensure the necessary system security settings, it is recommended to perform the following steps:

Disable root access to the server

Unlike many other Linux distributions, Ubuntu ships with the root account locked (it has no password), so direct root logins are disabled and administration is done through sudo. If a root password has been set on the server, lock the account again with:

sudo passwd -l root

Locking the password only blocks password logins as root; key-based root logins over SSH are controlled separately by the PermitRootLogin directive in /etc/ssh/sshd_config, which should be set to no as well.

Enable SSH key access only

In /etc/ssh/sshd_config set:

PasswordAuthentication no
ChallengeResponseAuthentication no

On OpenSSH 8.7 and later ChallengeResponseAuthentication is only an alias of KbdInteractiveAuthentication, so set KbdInteractiveAuthentication no there. sshd uses the first value it reads for each directive, so check that no file pulled in by an Include line above these settings (on recent Ubuntu, /etc/ssh/sshd_config.d/*.conf) sets PasswordAuthentication yes; sudo sshd -T prints the effective values. Before reloading sshd, make sure the administrator's public key is already in ~/.ssh/authorized_keys, and keep the current session open until a new key-based login has been tested.

Use strong host keys (4096-bit RSA and Ed25519)

sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
sudo ssh-keygen -o -a 100 -t ed25519 -f /etc/ssh/ssh_host_ed25519_key

ssh-keygen asks before overwriting existing host keys. Regenerating them changes the server's fingerprint, so clients that already have the old key in known_hosts will report a host key change; distribute the new fingerprints to administrators and restart sshd afterwards.

Automatic password generation for SIP users

...

The ECSS-10 system has the ability to generate passwords that meet the recommended security requirements when creating SIP subscribers.

...

admin@mycelium1@ecss1:/$ domain/biysk.local/sip/user/info loc.gr 240800@biysk.local 
1 make users list ...
[**********************************************************************] 19mks    
1 users information read ...
[**********************************************************************] 14ms     
Executed on the sip1@ecss1
┌─────────────────────┬─────────────────────────────────────────────┐
│        User         │             240800@biysk.local              │
├─────────────────────┼─────────────────────────────────────────────┤
│internal iface name  │062bc20adc06e101                             │
│isActive             │false                                        │
│group                │loc.gr                                       │
│authentication       │sip3854240800:uc7cXcnuyunu (ds) use qop: true│
...
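The page does not list the requirements the ECSS-10 generator applies. The following added example (not ECSS code) shows one way to produce and vet passwords of the same shape as the one in the output above: alphanumeric only, so the value needs no escaping in SIP configuration, at least 12 characters, and at least one lower-case letter, one upper-case letter and one digit. That policy is an assumption made for the example; the generator draws from /dev/urandom and rejects candidates that miss a character class, which keeps the distribution uniform over the accepted set.

```shell
#!/bin/sh
# Added example, not part of the ECSS-10 documentation. The policy below
# (length >= 12, lower + upper + digit, alphanumeric only) is an assumption.
export LC_ALL=C   # keep [a-z] / [A-Z] ranges and byte counts predictable

PW_MIN_LEN=12

# check_password PASSWORD -> 0 if it satisfies the policy, 1 otherwise
check_password() {
    pw=$1
    [ "${#pw}" -ge "$PW_MIN_LEN" ] || return 1
    case $pw in *[a-z]*) ;; *) return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    # alphanumeric only: nothing that needs quoting in SIP or shell contexts
    case $pw in *[!A-Za-z0-9]*) return 1 ;; esac
    return 0
}

# gen_password [LEN] -> prints one password of LEN characters (default 12,
# max 128). Rejection sampling: draw random alphanumerics from /dev/urandom
# and retry until the candidate passes check_password.
gen_password() {
    len=${1:-$PW_MIN_LEN}
    [ "$len" -ge "$PW_MIN_LEN" ] && [ "$len" -le 128 ] || return 1
    while :; do
        # 2048 random bytes yield roughly 500 alphanumerics, enough for any LEN
        pw=$(head -c 2048 /dev/urandom | tr -dc 'A-Za-z0-9' | head -c "$len")
        if check_password "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# usage: sh sippw.sh [LEN]   (or: check_password "$candidate")
if [ -n "${1:-}" ]; then
    gen_password "$1"
fi
```

The password shown in the CLI output above (uc7cXcnuyunu) satisfies this policy; the default admin password discussed in the next section does not.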

Change the default passwords to secure ones

After ECSS is installed, an admin user with the default password "password" is created automatically for access to the CLI and the web configurator. Change it before the server is reachable from any network.

...

sudo dpkg-reconfigure ecss-mysql

Use an SBC, configure the firewall and ACLs

It is recommended to configure the firewall so that Restfs is reachable only from the server itself and not from outside.

If the server or SBC is directly reachable from the Internet or from a corporate network, where unauthorized requests or DDoS attacks are possible, configure a list of allowed IP addresses or subnets from which access to particular ports is permitted, and deny access to everyone else. If the installation includes an SBC, it already implements the necessary protection against external attacks: a dynamic firewall with a mechanism for recognizing attacks and unauthorized access attempts. The SBC can also be configured with black/white lists of subnets both for management and for SIP access.
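The following added example (not ECSS code) turns the two rules above into an nftables ruleset for a server without an SBC: the Restfs port accepts connections only over the loopback interface, and SSH and SIP are accepted only from an allow-list of subnets; everything else is dropped by policy. The Restfs port, the SIP and SSH ports and the subnets are hypothetical placeholders; take the real Restfs port from your ECSS configuration. Note that `flush ruleset` replaces any other nftables rules on the host, and that the `ip saddr` rules cover IPv4 only, so IPv6 traffic falls through to the drop policy.

```shell
#!/bin/sh
# Added example, not part of the ECSS-10 documentation.
# Placeholders (hypothetical): override them in the environment.
RESTFS_PORT="${RESTFS_PORT:-9990}"
SSH_PORT="${SSH_PORT:-22}"
SIP_PORTS="${SIP_PORTS:-5060, 5061}"
ALLOWED_NETS="${ALLOWED_NETS:-192.0.2.0/24, 198.51.100.10/32}"

# build_ruleset -> prints the nft ruleset to stdout
build_ruleset() {
    cat <<EOF
flush ruleset
table inet ecss_filter {
    set trusted_nets {
        type ipv4_addr
        flags interval
        elements = { $ALLOWED_NETS }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Restfs: loopback only. Anything reaching this line arrived on a
        # real interface, so refuse it regardless of the source address.
        tcp dport $RESTFS_PORT reject with tcp reset
        # Management and SIP only from the allow-list
        ip saddr @trusted_nets tcp dport $SSH_PORT accept
        ip saddr @trusted_nets udp dport { $SIP_PORTS } accept
        ip saddr @trusted_nets tcp dport { $SIP_PORTS } accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        # everything else falls through to the drop policy
    }
}
EOF
}

# apply_ruleset FILE: write the ruleset, syntax-check it (nft -c) and load it.
# Needs root. Keep a console session open in case SSH is cut off.
apply_ruleset() {
    build_ruleset > "$1" || return 1
    nft -c -f "$1" && nft -f "$1"
}

# usage: sh ecss_fw.sh /etc/nftables.conf
if [ -n "${1:-}" ]; then
    apply_ruleset "$1"
fi
```

After loading, `nft list ruleset` shows the live rules; test from an address outside the allow-list that the SSH and SIP ports no longer answer, and from the server itself that Restfs still does.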

Update Ubuntu and server utilities when security updates are released

Perform system updates regularly, and promptly whenever new package versions that fix security issues are released.

Configuring OpenSSH Security

The openssh-client and openssh-server packages, or the ssh meta-package that includes both, must be installed on the ECSS servers.

Configuring SSH server and client

The OpenSSH server configuration lives in /etc/ssh/sshd_config. To harden it, change some of the default settings as described below.

...

In OpenSSH 7.0 and later, support for SSH protocol version 1 is disabled by default at compile time. Similarly, the 1024-bit diffie-hellman-group1-sha1 key exchange and ssh-dss / ssh-dss-cert-* host and user keys are no longer enabled by default at compile time, the v00 certificate format is no longer supported, and the default value of PermitRootLogin has changed from yes to prohibit-password.

Key Exchange

To allow only trustworthy key exchange algorithms on the server, specify in /etc/ssh/sshd_config (at the top level, outside any Match block):

...

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

curve25519-sha256 is the standardized name of the same exchange as curve25519-sha256@libssh.org; listing both keeps older clients working. The same directive can be set on the client side under a Host * block in /etc/ssh/ssh_config or ~/.ssh/config, but Host is a client-only keyword and makes sshd refuse to start if it appears in sshd_config. diffie-hellman-group-exchange-sha256 takes its groups from /etc/ssh/moduli, so remove the groups smaller than 3072 bits from that file.

Authentication

SSH supports four public key authentication algorithms: DSA, ECDSA, Ed25519 and RSA.

...

sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
sudo ssh-keygen -o -a 100 -t ed25519 -f /etc/ssh/ssh_host_ed25519_key

Symmetric ciphers

Of the 15 symmetric ciphers SSH supports for protecting the established channel, chacha20-poly1305, aes*-ctr and aes*-gcm can be considered secure. 3des-cbc and arcfour are potentially vulnerable because they are built on DES and RC4, and cast128-cbc (like 3des-cbc and blowfish-cbc) uses a 64-bit block size, which is too short.

...

Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

In sshd_config this line goes at the top level; on the client it goes under Host * in ssh_config.

Message Authentication Code (MAC)

For ciphers in CTR mode the integrity of the transmitted blocks is guaranteed by a MAC, and only the Encrypt-then-MAC construction ("*-etm": the MAC is computed over the already encrypted block) is considered trustworthy; MAC-then-Encrypt and Encrypt-and-MAC are potentially susceptible to attacks. Of the 18 MAC algorithms available in SSH, discard those based on MD5 and SHA-1, whose hashes are no longer collision-resistant, and those with key sizes below 128 bits or tag sizes below 256 bits. What remains are hmac-sha2-512-etm and hmac-sha2-256-etm, which can be considered the most secure MACs. The AEAD ciphers (chacha20-poly1305 and aes*-gcm) carry their own authentication tag and ignore the MACs directive, so this setting only affects the aes*-ctr ciphers.

...

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

In sshd_config this line goes at the top level; on the client it goes under Host * in ssh_config.

Key leak protection

The easiest way to gain control over SSH connection is to capture keys on the client or server side. The recommendations are reduced to following the standard rules for maintaining system security:

...

To protect the keys, set a strong passphrase on the client private key files. When generating a key, the option "ssh-keygen -o -a rounds" raises the number of KDF rounds used to derive the encryption key from the passphrase, which slows down offline passphrase guessing; an existing key can be re-encrypted the same way with "ssh-keygen -p -a rounds -f keyfile". You can also keep the keys only on external media, connecting it only for the duration of an SSH session.
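The following added example (not from the ECSS documentation) wraps the key generation just described and adds the check a practitioner wants afterwards: whether a given private key file is actually passphrase-protected. The check reads the OpenSSH private key header itself (magic string, then length-prefixed cipher and KDF names), so it also catches keys created with an empty passphrase and does not need the passphrase or ssh-keygen to run. It assumes the new OpenSSH key format, which ssh-keygen has used by default since 7.8; the key comment and file names are placeholders.

```shell
#!/bin/sh
# Added example, not ECSS tooling.
export LC_ALL=C

# make_protected_key FILE PASSPHRASE ROUNDS
# Ed25519 key, ROUNDS bcrypt KDF rounds (-a) so passphrase guessing stays
# slow. -o (new format) is the default since OpenSSH 7.8 and is left implicit.
make_protected_key() {
    ssh-keygen -q -t ed25519 -a "$3" -N "$2" -C "ecss-admin" -f "$1"
}

# key_kdf FILE -> prints the KDF recorded in an OpenSSH private key:
# "bcrypt" when the key is passphrase-protected, "none" when stored in clear.
# Header layout: "openssh-key-v1\0", then length-prefixed ciphername and
# kdfname. The length bytes are non-printable, so after turning every byte
# outside [a-z0-9-] into a newline, the third non-empty token is the KDF.
key_kdf() {
    sed -e '1d' -e '$d' "$1" | base64 -d 2>/dev/null | head -c 64 \
        | tr -c 'a-z0-9-' '\n' | grep -v '^$' | sed -n '3p'
}

# key_is_protected FILE -> 0 if the key needs a passphrase, 1 otherwise
key_is_protected() {
    case "$(key_kdf "$1")" in
        bcrypt) return 0 ;;
        *)      return 1 ;;
    esac
}

# usage: sh keycheck.sh ~/.ssh/id_ed25519
if [ -n "${1:-}" ]; then
    if key_is_protected "$1"; then
        echo "$1: passphrase-protected (bcrypt KDF)"
    else
        echo "$1: NOT encrypted; fix with: ssh-keygen -p -a 100 -f $1"
    fi
fi
```

Run the check over every file in ~/.ssh that starts with "-----BEGIN OPENSSH PRIVATE KEY-----"; a result other than bcrypt means the key is readable by anyone who copies the file.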

User Restriction

Add the AllowUsers parameter, which is not present in the default configuration file. It restricts SSH access to the server to the listed users only. Make sure the account you administer the server from is in the list before reloading sshd, otherwise it is locked out as well.

...

AllowUsers dmitry support 

Limiting interfaces

These directives restrict the server by network interface, network address or host name. By default the server listens (accepts connections) on all network interfaces, which is what the commented-out default line below expresses. To accept connections only on certain interfaces, add a ListenAddress line with the address of each interface that should accept SSH; uncommenting the 0.0.0.0 line unchanged would keep listening on all addresses.

...

#ListenAddress 0.0.0.0

Changing the port

If brute-force attempts are likely (for example, a server on a public network), you can move the service to another port with the Port directive. This only reduces the noise from untargeted scanners; a port scan finds the new port quickly, so it does not replace key-only authentication, AllowUsers and the address restrictions above.

...