mirror of
https://github.com/jtesta/ssh-audit.git
synced 2024-11-16 13:35:39 +01:00
Page:
ArubaOS Switch (AOS S) 16.11
Pages
ArubaOS Switch (AOS S) 16.11
Dropbear 2022.83
Fortinet FortiOS
FreeBSD OpenSSH Hardening Guide ‐ FreeBSD Blog
FreeBSD
Home
Mikrotik RouterOS
OPNsense 20.7 and newer
Proxmox VE 7.3 6
SSH Hardening Guides Index
Synology DSM
Ubuntu 22.04 LTS Client Linux Mint 21 Client
Void Linux
Windows 11
macOS 13 (Ventura) & 14 (Sonoma)
0
ArubaOS Switch (AOS S) 16.11
Mathieu Simon edited this page 2024-02-02 10:19:18 +01:00
ArubaOS Switch or short AOS-S is a network operating system (NOS) used on various switches from Aruba Networks, a subsidiary of HPE. It was formerly known as HP ProVision. Depending on the version of AOS-S not all command may be available, this guide covers AOS-S 16.11.
SSH into a switch running AOS-S, or use a local serial connection in order to apply these options.
1. Re-generate the RSA keys
configure
crypto key generate ssh rsa bits 3072
exit
If the size is omitted, a 2048 Bit RSA key will be generated, 3072 is the largest size supported so far.
2. Restrict supported key exchange, cipher and MAC algorithms
configure
no ip ssh cipher 3des-cbc
no ip ssh cipher aes128-cbc
no ip ssh cipher aes192-cbc
no ip ssh cipher aes256-cbc
no ip ssh cipher rijndael-cbc@lysator.liu.se
no ip ssh mac hmac-md5
no ip ssh mac hmac-md5-96
no ip ssh mac hmac-sha1
no ip ssh mac hmac-sha1-96
no ip ssh kex ecdh-sha2-nistp256
no ip ssh kex ecdh-sha2-nistp384
no ip ssh kex ecdh-sha2-nistp521
no ip ssh kex diffie-hellman-group14-sha1
# Starting with 16.11.0015:
no ip ssh host-key-algorithm x509v3-ssh-rsa
no ip ssh host-key-algorithm ssh-dss
no ip ssh host-key-algorithm ssh-rsa
exit
3. Save the running configuration of the switch to flash
write memory
Limitations
AOS-S 16.11 doesn't allow you reaching a perfect score, here are some reasons:
- Host-key algorithms: AOS-S supports either RSA (up to 3072 Bit) or DSA (up to 1024 Bit) host keys, that's it so far.
- MACs:
hmac-sha2-256
cannot be disabled, as it is the only remaining after disabling all other insecure MACs.
Validated versions
16.11.x | ssh-audit |
---|---|
YA.16.11.0016 | master @ f326d58068c7914ee1af6dbad4a7f67be9d67155 |
YA.16.11.0013 | |
YA.16.11.0008 | |
YA.16.11.0005 |
footer2