Оглавление |
---|
General instructions
To ensure the necessary system security settings, it is recommended to perform the following steps:
Disable root access to the server
Unlike other Linux distributions, the root account is disabled in Ubuntu by default. If root is still enabled, disable it with the command:
Без форматирования |
---|
sudo passwd -l root |
Enable SSH key access only
In /etc/ssh/sshd_config:
Без форматирования |
---|
PasswordAuthentication no ChallengeResponseAuthentication no |
Use secure rsa -b 4096 keys
Без форматирования |
---|
sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key sudo ssh-keygen -o -a 100 -t ed25519 -f /etc/ssh/ssh_host_ed25519_key |
Automatic password generation for SIP users
...
The ECSS-10 system has the ability to generate passwords that meet the recommended security requirements when creating SIP subscribers.
...
Без форматирования |
---|
admin@mycelium1@ecss1:/$ domain/biysk.local/sip/user/info loc.gr 240800@biysk.local 1 make users list ... [**********************************************************************] 19mks 1 users information read ... [**********************************************************************] 14ms Executed on the sip1@ecss1 ┌─────────────────────┬─────────────────────────────────────────────┐ │ User │ 240800@biysk.local │ ├─────────────────────┼─────────────────────────────────────────────┤ │internal iface name │062bc20adc06e101 │ │isActive │false │ │group │loc.gr │ │authentication │sip3854240800:uc7cXcnuyunu (ds) use qop: true│ ... |
Change passwords to secure
After installing the ECSS, the admin user with the standard password password is automatically created by default to access CLI and web configurator.
...
Без форматирования |
---|
sudo dpkg-reconfigure ecss-mysql |
Use SBC, configure firewall, ACL
It is recommended to configure your firewall so that Restfs is accessible only from the server itself and is not accessible externally.
If the server or SBC has direct access to the Internet or a corporate network, where various attempts of unauthorized requests or DDoS attacks are possible, configure a list of allowed IP or subnets from which access to certain ports is allowed. For the rest, access should be prohibited. If the complex has SBC, then it has already implemented the necessary functionality to protect against external attacks — a dynamic firewall with a mechanism for recognizing attacks and unauthorized access attempts. In SBC, you can also configure black/white lists of subnets for both management and SIP access.
Update Ubuntu and server utilities when a security pack is released
It is recommended to perform periodic system updates, especially when releasing fresh versions of packages that improve security functionality.
Configuring OpenSSH Security
The openssh-client openssh-server packages or the ssh meta-package including the client and server must be installed on the ECSS servers.
Configuring SSH server and client
OpenSSH server configuration is described in the /etc/ssh/sshd_config file. For more complete security, change some of the default settings.
...
In OpenSSH 7.0 and older, SSH 1.0 protocol support is disabled by default at compile time. Similarly, support for 1024-bit diffie-hellman-group1-sha1
keys, ssh-dss, ssh-dss-cert-*
hosts and user keys is no longer activated during compilation by default. The v00 certificate format is not supported, and the PermitRootLogin
option has changed the default value from yes to prohibit-password
.
Key Exchange
To use only trustworthy key exchange protocols in /etc/ssh/sshd_config for the server, specify:
...
Без форматирования |
---|
Host * KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha25 |
Authentication
SSH supports four public key authentication algorithms: DSA, ECDSA, Ed25519 and RSA.
...
Без форматирования |
---|
sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key sudo ssh-keygen -o -a 100 -t ed25519 -f /etc/ssh/ssh_host_ed25519_key |
Symmetric ciphers
Of the 15 symmetric encryption algorithms supported in SSH to organize the protection of the established communication channel, chacha20-poly1305, aes*-ctr and aes*-gcm can be considered secure. The 3des-cbc and arcfour ciphers are potentially vulnerable due to the use of DES and RC4, and cast128-cbc uses too short block size (64 bits).
...
Без форматирования |
---|
Host * Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
Message Authenticity Code (MAC)
For ciphers in CTR mode, to guarantee the integrity of the transmitted blocks, only the Encrypt-then-MAC method is trusted ("*-etm", MAC is added to the already encrypted block). The MAC-then-encrypt and Encrypt-and-MAC methods are potentially susceptible to attacks. Of the 18 MAC algorithms available in SSH, you should immediately discard those based on MD5 and SHA1 hashes that are not resistant to detecting collisions, as well as algorithms using key sizes less than 128 bits and tag sizes less than 256 bits. As a result, hmac-sha2-512-etm and hmac-sha2-256-etm can be considered the most secure MACs.
...
Без форматирования |
---|
Host * MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com |
Key leak protection
The easiest way to gain control over SSH connection is to capture keys on the client or server side. The recommendations are reduced to following the standard rules for maintaining system security:
...
To protect the keys, choose a strong password to access the client key files. When generating a key to increase the number of hashing iterations, you can use the option "ssh-keygen -o -a number", which will complicate the selection of a password. You can also save the keys only on external media, connecting it only during an SSH connection.
User Restriction
Addi the AllowUsers parameter, which is not in the default configuration file. This parameter allows SSH access to the server only for the listed users.
...
Без форматирования |
---|
AllowUsers dmitry support |
Limiting interfaces
These strings are for configuring distinctions by network interfaces, network address or computer name. By default, the server "listens" (accepts connections) on all network interfaces. If you need to leave the connection only through certain interfaces, then uncomment the line:
...
Блок кода |
---|
#ListenAddress 0.0.0.0 |
Changing the port
If there is a possibility of brute force attack attempts (for example, a server on a public network), you can change the port to another one.
...