From f9321059192ec4ed43d50f3b869ed94d1abf634d Mon Sep 17 00:00:00 2001 From: Mathieu Simon Date: Wed, 7 Jun 2023 09:26:55 +0200 Subject: [PATCH] Drop 20.1.2+ as it has been out of support for quite some time and it required applying patches --- ...and-newer.md => OPNsense-20.7-and-newer.md | 22 ++++--------------- 1 file changed, 4 insertions(+), 18 deletions(-) rename OPNsense-20.1.2-and-newer.md => OPNsense-20.7-and-newer.md (73%) diff --git a/OPNsense-20.1.2-and-newer.md b/OPNsense-20.7-and-newer.md similarity index 73% rename from OPNsense-20.1.2-and-newer.md rename to OPNsense-20.7-and-newer.md index 5ada422..eab0e6e 100644 --- a/OPNsense-20.1.2-and-newer.md +++ b/OPNsense-20.7-and-newer.md @@ -4,7 +4,7 @@ https://opnsense.org | https://github.com/opnsense > OPNsense is an open source, easy-to-use and easy-to-build HardenedBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. -# SSH hardening guide for OPNsense 20.1.2 and newer +# SSH hardening guide for OPNsense 20.7 and newer Some of the SSH hardening recommendations from https://www.ssh-audit.com/hardening_guides.html can be set directly on the OPNsense web interface via the `System -> Settings -> Administration -> Secure Shell` form. 
@@ -22,29 +22,15 @@ As of 2020-06-01, you can tune the following SSH settings: ![OPNsense SSH settings](https://i.imgur.com/nz3AUKb.png) -OPNsense has included the basic SSH options on its web interface from the beginning, but you could not tune the SSH algorithms recommended by the `ssh-audit` tool easily. Various hacky solutions existed that involved modifying automatically generated core files or the original template files that might get lost over an upgrade. +OPNsense has included the basic SSH options on its web interface from the beginning, but you could not tune the SSH algorithms recommended by the `ssh-audit` tool easily. Previously various hacky solutions existed that involved modifying automatically generated core files or the original template files that might get lost over an upgrade. -Since OPNsense 20.1.2, you can tune the algorithms used by SSH directly in the web admin: -- Starting from OPNsense 20.1.2 but not including 20.7 and newer, you need to apply a couple of official OPNsense patches _(see below)_ -- For OPNsense 20.7 and newer, these settings will be included in the core by default. The settings were implemented in https://github.com/opnsense/core/issues/3975 and are added to the 20.7 milestone to be released soon. +Since OPNsense 20.7, you can tune the algorithms used by SSH directly in the web admin. The settings have been implemented in https://github.com/opnsense/core/issues/3975 The provided SSH algorithm selectors on the form are still not the final solution as the selected algorithms' applied order in the generated configuration is defined by their display order on the form (a limitation of the current UI kit). However, for an advanced user, these provide the possibility to select only the most hardened options as to their liking. OPNsense is probably not used as a jump-host by many users - if an administrator can connect with latest `openssh` release over the hardest supported algorithms, it should be fine. 
-## OPNsense 20.1.2+ (until 20.7) - -Until the new SSH algorithm settings are released in OPNsense 20.7, users can enable them by running these commands on their OPNsense box/vm: - -```bash -opnsense-patch 5df590c -opnsense-patch 1165119 -service configd restart -``` - -As there is no ordering among the chosen algorithms, advanced users that tune these settings should pick their choices to be the most hard that their SSH clients support. - ## OPNsense 20.7+ -The new algorithm settings will be released with OPNsense 20.7 according to the above Github issue. If you have OPNsense 20.7 or newer, these settings should be available for you on the web interface out of the box. +If you have OPNsense 20.7 or newer, these settings should be available for you on the web interface out of the box. ## How to choose algoritms?
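Review bot: the rename from OPNsense-20.1.2-and-newer.md to OPNsense-20.7-and-newer.md in the first hunk will break any existing links to the old path (for example from an index or README in this repository or from the ssh-audit hardening guides site that this file points to); consider either leaving a one-line stub at the old filename that points to the new one, or checking that nothing else in the repository still references `OPNsense-20.1.2-and-newer.md`. The heading change itself is consistent with the new filename.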
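Review bot: the second hunk drops the sentence "As there is no ordering among the chosen algorithms, advanced users that tune these settings should pick their choices to be the most hard that their SSH clients support." together with the 20.1.2 patch instructions, but that advice still applies to 20.7 and newer, since the retained paragraph states that the applied order is still dictated by the form's display order; suggest keeping it under the "## OPNsense 20.7+" section. Two smaller points in the same hunk: the new line "The settings have been implemented in https://github.com/opnsense/core/issues/3975" is missing its closing period, and the unchanged context line "As of 2020-06-01, you can tune the following SSH settings:" is now stale for a page that only covers 20.7+, so it is worth refreshing that date while the page is being cut down; the context heading "## How to choose algoritms?" also has a typo ("algorithms") that could be fixed in the same commit.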