Originally published at: https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
Good article, thanks for putting this together.
One small point though: in section 20 you mention using “ssh -Q” for what should be “…list of ciphers and algorithms supported…”, but that ssh command will only show you the ciphers & algorithms supported by the SSH client, not the server. In order to see what the server is currently configured to use, it is better to run the following:
sshd -T | grep "\(ciphers\|macs\)"
It can be harder to then recommend what should be removed and allowed, as the security of ciphers and macs changes as new vulnerabilities are found. That said, currently (early 2018) some reasonable ciphers and macs to use are:
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
(key thing above is to make sure nothing contains: cbc, md5, 96, arcfour, des)
And if you want to make the above list even stronger, you can remove anything using sha1.
As with any changes you make, always ensure you do thorough testing from all clients first, as you don’t want to disable a cipher or mac that is relied on by an older client that doesn’t support new ciphers (and then go back and upgrade those clients).
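An added check (not from the comment author or the article) that applies the rule above mechanically: it reads `sshd -T` style output, keeps only the `ciphers` and `macs` lines, and reports every algorithm whose name contains one of the substrings cbc, md5, 96, arcfour or des. The sample output is constructed, not captured from a real host; on a live system you would pipe `sshd -T` into the function instead.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` output (not from a real host); it
# deliberately mixes acceptable and weak entries so the check has something to flag.
SAMPLE_SSHD_T='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,arcfour
macs hmac-sha2-256-etm@openssh.com,hmac-md5,hmac-sha1-96
kexalgorithms curve25519-sha256'

# Substrings that, per the comment above, must not appear in any cipher or mac name.
WEAK_PATTERN='cbc|md5|96|arcfour|des'

# check_sshd_algos: reads sshd -T output on stdin, prints "<kind> <name>" for
# every weak cipher/mac found, and returns 1 if any were found, 0 otherwise.
check_sshd_algos() {
    found=0
    while IFS= read -r line; do
        # Only the ciphers and macs lines are of interest here.
        case "$line" in
            ciphers\ *|macs\ *) ;;
            *) continue ;;
        esac
        kind=${line%% *}      # "ciphers" or "macs"
        list=${line#* }       # the comma-separated algorithm list
        old_ifs=$IFS; IFS=,
        for algo in $list; do
            if printf '%s\n' "$algo" | grep -qE "$WEAK_PATTERN"; then
                printf '%s %s\n' "$kind" "$algo"
                found=1
            fi
        done
        IFS=$old_ifs
    done
    return $found
}

# Stand-alone run against the constructed sample; on a real host use:
#   sshd -T | check_sshd_algos
printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_algos || echo "weak algorithms present"
```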
Thanks for the suggestion. I will look into it and update the page.