DNS/DHCP Server SSH hardening - BlueCat Integrity

DNS/DHCP Server SSH hardening - BlueCat Integrity - 26.1.0

Address Manager Administration Guide

ft:locale

en-US

Product name

BlueCat Integrity

Version

26.1.0

DNS/DHCP Server v26.1.0 contains a script for SSH hardening that can be accessed by root users from the console. The harden_ssh.sh script disables the use of legacy or less preferred MAC, key exchange, and host key algorithms, and restricts accepted ciphers. For information on the SSH hardening script available on Address Manager servers, refer to Address Manager SSH hardening.

Attention: The hardening script must be run manually on all DNS/DHCP Servers that users wish to harden SSH on. SSH is not hardened by default.

SSH hardening

SSH hardening levels

Level 1 hardening disables the use of the following algorithm sets:

MACs: hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,umac-64-etm@openssh.com,umac-64@openssh.com
Key exchange algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Host key algorithms: ecdsa-sha2-nistp256,ssh-rsa

Level 1 hardening also restricts accepted ciphers to the following:

Ciphers: aes128-ctr,aes192-ctr,aes256-ctr

Level 2 hardening disables the use of the following algorithm sets:

MACs: hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,umac-64-etm@openssh.com,umac-64@openssh.com,umac-128-etm@openssh.com
Key exchange algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 (same as level 1)
Host key algorithms: ecdsa-sha2-nistp256,ssh-rsa (same as level 1)

Level 2 hardening also restricts accepted ciphers to the following:

Ciphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr

To harden SSH on a DNS/DHCP Server:

Login to the DNS/DHCP Server Administration Console as root.
Note: For more information on root credentials, refer to Setting the root password.
Locate the harden_ssh.sh script. The script is found in the following location on DNS/DHCP Server appliances:
```
/usr/local/bluecat/harden_ssh.sh
```

From the /usr/local/bluecat folder, run

./harden_ssh.sh
                1

to apply level 1 SSH hardening, or run ./harden_ssh.sh 2 to apply level 2 SSH hardening.

$ ./harden_ssh.sh [1|2]

*** WARNING ***
Running this script results in a restart of the SSH daemon.
Any active SSH connections will be terminated!

Reconnect via SSH after completion of this script to verify
that the contents of the following files are uncommented:
- /etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf
- /etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf

Do you want to proceed? (y/n)

Warning: Running the script will terminate all active SSH sessions.

Enter y to run the script. If you are connected remotely via SSH, your session will terminate.

If you were connected via SSH, re-establish connection to the DNS/DHCP Server. Verify that the configuration entries in the following files are uncommented (active):
```
/etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf
/etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf
```

Weakening SSH (reverting Hardened SSH changes)

The SSH hardening changes can be easily reversed by performing the process detailed above with the weaken_ssh.sh script. The script is found in the following location on DNS/DHCP Server appliances:

/usr/local/bluecat/weaken_ssh.sh

In the same manner as above, you will be prompted with a warning before proceeding. Enter y to run the script, re-establish connection to the console if necessary, then verify that the configuration entries in the following files are commented out (inactive):

/etc/ssh/sshd_config.d/bluecat_hardened_ssh.conf
/etc/ssh/ssh_config.d/bluecat_hardened_ssh.conf