Where possible, the Virtual Application Installation (OVF) ships with a hardened default configuration. Verify that your configuration is appropriately hardened by examining the server and client service settings in the global options section of the configuration file.

If possible, restrict use of the SSH server to a management subnet in the /etc/hosts.allow file.

1. Open the /etc/ssh/sshd_config server configuration file and verify that the settings are correct.

   Setting                                    Status
   -----------------------------------------  ---------------------------------------------------
   Server Daemon Protocol                     Protocol 2
   Ciphers                                    Ciphers aes256-ctr,aes128-ctr
   TCP Forwarding                             AllowTCPForwarding no
   Server Gateway Ports                       GatewayPorts no
   X11 Forwarding                             X11Forwarding no
   SSH Service                                Use the AllowGroups field to specify a group permitted
                                              to access the service, and add the users permitted to
                                              use the service to that secondary group.
   GSSAPI Authentication                      GSSAPIAuthentication no, if unused
   Kerberos Authentication                    KerberosAuthentication no, if unused
   Local Variables (AcceptEnv global option)  Disabled (commented out), or enabled for only LC_*
                                              or LANG variables
   Tunnel Configuration                       PermitTunnel no
   Network Sessions                           MaxSessions 1
   Strict Mode Checking                       StrictModes yes
   Privilege Separation                       UsePrivilegeSeparation yes
   rhosts RSA Authentication                  RhostsRSAAuthentication no
   Compression                                Compression delayed or Compression no
   Message Authentication Code                MACs hmac-sha1
   User Access Restriction                    PermitUserEnvironment no

2. Save your changes and close the file.
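The check in step 1 can be scripted so it is repeatable after patching or appliance redeployment. The following POSIX shell script is an added example, not part of this guide or the appliance; the helper names sshd_get, finding and sshd_audit, and the sample sshd_config it builds, are ours. It reads the expected values from the table above, treats a commented-out directive as unset (as sshd does), matches directive names case-insensitively, requires AllowGroups to be present, and accepts AcceptEnv only when it is commented out or lists nothing but LC_* and LANG.

```shell
#!/bin/sh
# Audit an sshd_config against the settings in the table above.
# Usage: sshd_audit /etc/ssh/sshd_config   (exit status 0 = all checks pass)

# Print the effective value of one directive. sshd honours the first
# uncommented occurrence of a keyword and matches keywords case-insensitively,
# so do the same; a commented line ("#Protocol 2") never matches.
sshd_get() {
    awk -v key="$2" '
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Record one finding (helper name is ours, not from the guide).
finding() { echo "FAIL: $*"; fails=$((fails + 1)); }

sshd_audit() {
    cfg="$1"; fails=0
    # keyword|acceptable values, space-separated where the table allows more than one
    while IFS='|' read -r key want; do
        got=$(sshd_get "$cfg" "$key"); ok=0
        for alt in $want; do
            if [ "$got" = "$alt" ]; then ok=1; fi
        done
        if [ "$ok" -ne 1 ]; then
            finding "$key is '${got:-unset}', expected: $want"
        fi
    done <<EOF
Protocol|2
Ciphers|aes256-ctr,aes128-ctr
AllowTcpForwarding|no
GatewayPorts|no
X11Forwarding|no
GSSAPIAuthentication|no
KerberosAuthentication|no
PermitTunnel|no
MaxSessions|1
StrictModes|yes
UsePrivilegeSeparation|yes
RhostsRSAAuthentication|no
Compression|delayed no
MACs|hmac-sha1
PermitUserEnvironment|no
EOF

    # The service must be restricted to a named group.
    if [ -z "$(sshd_get "$cfg" AllowGroups)" ]; then
        finding "AllowGroups is not set"
    fi

    # AcceptEnv may be commented out, or list only LC_* and LANG. Disable
    # filename globbing while splitting the value so LC_* stays literal.
    set -f
    for v in $(sshd_get "$cfg" AcceptEnv); do
        case "$v" in
            LANG|LC_*) ;;
            *) finding "AcceptEnv passes '$v'; only LC_* or LANG are allowed" ;;
        esac
    done
    set +f

    [ "$fails" -eq 0 ]
}

# Demo on a constructed sample config (not a real appliance file): it passes
# every check except AcceptEnv (passes TERM) and a commented-out PermitTunnel.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
# constructed sample sshd_config
Protocol 2
Ciphers aes256-ctr,aes128-ctr
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
AllowGroups sshusers
GSSAPIAuthentication no
KerberosAuthentication no
AcceptEnv LANG LC_* TERM
#PermitTunnel no
MaxSessions 1
StrictModes yes
UsePrivilegeSeparation yes
RhostsRSAAuthentication no
Compression delayed
MACs hmac-sha1
PermitUserEnvironment no
EOF
if sshd_audit "$demo_config"; then echo "sshd_config is hardened"; else echo "review the findings above"; fi
rm -f "$demo_config"
```

Run it as root against the live file (`sshd_audit /etc/ssh/sshd_config`) after step 2; a non-zero exit with the printed FAIL lines tells you which rows of the table still need attention. Because sshd uses the first occurrence of a directive, a hardened line appended at the bottom of the file behind an earlier permissive one would still be reported, which is the case a simple grep would miss.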