elie/ssh-audit
1
0
Fork 0
mirror of https://github.com/jtesta/ssh-audit.git synced 2024-11-16 21:45:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add references, try simplifying

Mathieu Simon 2023-09-12 12:04:05 +02:00
parent 7780fe0314
commit 5d061fc2ca
1 changed files with 43 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
Fortinet-FortiOS.md

@ -4,10 +4,17 @@ SSH into an appliance running FortiOS, or use a local serial connection in order
## FortiOS >= 7.4.1
Starting with FortiOS 7.4.1 SSH host key algorithms become configurable and more key exchange algorithms (KEX) are available.
Starting with FortiOS 7.4.1 SSH host key algorithms become configurable and more key exchange algorithms (KEX) are configurable.
```
config system global
# These commands shoulnd't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands represent the default settings
set dh-params 8192
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
set ssh-hostkey-algo ssh-ed25519
set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
@ -15,62 +22,50 @@ set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
end
```
**Checking the defaults**
**References:**
Unless you have modified the defaults, you don't need to these, but you may still want to check them:
* ``admin-ssh-v1``: Should default to **disabled** since 6.4.5
* ``strong-crypto``: Should default to **enabled** since 6.4.5
```
get system global | grep "ssh\|strong-crypto"
admin-ssh-grace-time: 120
admin-ssh-password : enable
admin-ssh-port : 22
admin-ssh-v1 : disable
ssh-enc-algo : chacha20-poly1305@openssh.com aes256-gcm@openssh.com
ssh-hostkey-algo : ssh-ed25519
ssh-kex-algo : diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
strong-crypto : enable
```
* [Fortinet document library: FortiGate / FortiOS 7.4.1 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.4.1/cli-reference/1620)
* [Fortinet document library: FortiGate / FortiOS 7.4.0 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/1620)
## FortiOS >= 7.0.2 / 7.2.x / 7.4.0
Starting FortiOS 7.0.2 several options have been renamed compared to previous releases.
Starting with FortiOS 7.0.2 ciphers become individually configurable, several options have been renamed compared to previous releases.
```
config system global
# These commands shoulnd't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands change default settings
set dh-params 8192
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
set ssh-kex-algo curve25519-sha256@libssh.org
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
end
```
**Checking the defaults**
**References**
Unless you have modified the defaults, you don't need to these, but you may still want to check them:
* ``admin-ssh-v1``: Should default to **disabled** since 6.4.5
* ``strong-crypto``: Should default to **enabled** since 6.4.5
* [Fortinet document library: FortiGate / FortiOS 7.0.0 > New Features > Enabling individual ciphers in the SSH administrative access protocol](https://docs.fortinet.com/document/fortigate/7.0.0/new-features/765236/enabling-individual-ciphers-in-the-ssh-administrative-access-protocol-7-0-2)
* [Fortinet document library: FortiGate / FortiOS 7.0.2 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.0.2/cli-reference/1620)
* [Fortinet document library: FortiGate / FortiOS 7.0.1 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/1620)
```
get system global | grep "ssh\|strong-crypto"
## FortiOS >= 5.6.0 <= 7.0.1
admin-ssh-grace-time: 120
admin-ssh-password : enable
admin-ssh-port : 22
admin-ssh-v1 : disable
ssh-enc-algo : chacha20-poly1305@openssh.com aes256-gcm@openssh.com
ssh-kex-algo : curve25519-sha256@libssh.org
ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
strong-crypto : enable
```
## FortiOS >= 6.4.5 < 7.0.2
After FortiOS 6.4.5 ``strong-crypto`` defaults to **enable**.
Starting with _at least_ FortiOS 5.6.0 ``strong-crypto`` defaults to **enable** and SSHv1 defaults to disabled.
```
config system global
# These commands shoulnd't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands change default settings
set dh-params 8192
set ssh-cbc-cipher disable
set ssh-hmac-md5 disable
set ssh-kex-sha1 disable
@ -78,8 +73,16 @@ set ssh-mac-weak disable
end
```
**References**
* [Fortinet document library: FortiGate / FortiOS 6.4.0 > Hardening your FortiGate > Building security into FortiOS](http://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/building-security-into-fortios)
* [Fortinet document library: FortiGate / FortiOS 6.2.0 > Hardening your FortiGate > Building security into FortiOS](https://docs.fortinet.com/document/fortigate/6.0.0/hardening-your-fortigate/995103)
* [Fortinet document library: FortiGate / FortiOS 6.0.0 > Hardening your FortiGate > Building security into FortiOS](https://docs.fortinet.com/document/fortigate/6.0.0/hardening-your-fortigate/995103)
* [Fortinet document library: FortiGate / FortiOS 5.6.0 > Hardening your FortiGate](https://docs.fortinet.com/document/fortigate/5.6.0/hardening-your-fortigate/995103)
## Limitations
In most versions of FortiOS the available options don't permit reaching a perfect score, here are some of the reasons:
In most versions of FortiOS the configuration options available don't permit reaching a perfect score, here are some of the reasons:
* Host-key algorithms: Only pretty recent FortiOS 7.4.1 and later permit changing host keys algorithms, therefore ``rsa-sha2-256`` and ``rsa-sha2-512`` cannot be disabled in older releases.
* Ciphers: Only after FortiOS 7.0.2 certain ciphers can be individually enabled and disabled.
* Host-key algorithms: Only pretty recent FortiOS version 7.4.1 or later permit configuring host keys algorithms, therefore ``rsa-sha2-256`` and ``rsa-sha2-512`` cannot be disabled in older releases.