I've got a CentOS 7 VM running off in the cloud. It exposes SSH on port 22 to the world. I've thought about moving it to an alternate port, and may someday do so, but in the meantime I've tried to keep up with best practices for sshd configuration.
I recently changed the KexAlgorithms setting, removing all key-exchange algorithms based on NIST curves. (Google variants of "ed25519 nist ssh ecdh" for my reasoning.) Anyway, the new setting:

    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

All of my machines (macOS 10.12, CentOS 6, CentOS 7) can work with this setting, so I don't have to worry about infinite backward compatibility.

One interesting and unintended result of this change is that many SSH scanners will fail while trying to negotiate a key exchange. The log entries are short and sweet:

    sshd[18200]: fatal: Unable to negotiate a key exchange method [preauth]

The number of scanners that even get through to the stage of 'Invalid user' has dropped from a couple hundred per day to less than a dozen.

Everyone's situation is different, of course, and this alteration may not work in your environment -- but you may find it worthwhile raising the bar on the KexAlgorithms, Ciphers, and MACs in your sshd_config, especially if your SSH daemon is exposed to the world at large.

-- 
Paul Heinlein <> http://www.madboa.com/

_______________________________________________
PLUG mailing list
http://lists.pdxlinux.org/mailman/listinfo/plug
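The check a practitioner would want before and after making the change above, as an added example that is not part of the post: a small offline audit that parses an sshd_config, reports which NIST-curve key-exchange methods a scanner could still negotiate, rewrites the global KexAlgorithms line to the value the post settled on, and tallies the two log signatures the post uses as its before/after measure. Assumptions: the NIST-curve names are OpenSSH's ecdh-sha2-nistp256/384/521 (the post does not list what it removed), and the config excerpt and log lines are constructed here, not captured from the poster's host.

```python
"""Offline sshd_config audit for the key-exchange tightening in the post, plus a
tally of the log signatures it mentions. Added example, not code from the post.
Assumed: the NIST-curve kex names below; the config and log samples are constructed."""
import re
from collections import Counter

NIST_CURVE_KEX = {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"}
RECOMMENDED_KEX = ["curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"]
CRYPTO_KEYWORDS = ("kexalgorithms", "ciphers", "macs")


def _keyword_and_value(line):
    """(lowercased keyword, value) for one config line, or None for blank/comment
    lines. sshd_config accepts both 'Keyword value' and 'Keyword=value'."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = re.split(r"[\s=]+", body, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) == 2 else "")


def parse_sshd_config(text):
    """{keyword: [algorithm, ...]} for the global KexAlgorithms/Ciphers/MACs lines.
    sshd keeps the first value it sees, and lines after a Match block only apply
    to matching connections, so parsing stops there."""
    settings = {}
    for line in text.splitlines():
        kv = _keyword_and_value(line)
        if kv is None:
            continue
        keyword, value = kv
        if keyword == "match":
            break
        if keyword in CRYPTO_KEYWORDS and keyword not in settings:
            settings[keyword] = [a for a in value.split(",") if a]
    return settings


def nist_kex_still_enabled(settings):
    """NIST-curve kex methods still negotiable. With no KexAlgorithms line, sshd's
    compiled-in default list applies, which includes all three."""
    kex = settings.get("kexalgorithms")
    if kex is None:
        return sorted(NIST_CURVE_KEX)
    return sorted(a for a in kex if a in NIST_CURVE_KEX)


def harden_kex(text):
    """Set the global KexAlgorithms line to RECOMMENDED_KEX: replace the first one
    found, or insert one before any Match block. Ciphers/MACs are a separate pass."""
    new_line = "KexAlgorithms " + ",".join(RECOMMENDED_KEX)
    out, replaced, match_at = [], False, None
    for line in text.splitlines():
        kv = _keyword_and_value(line)
        if kv is not None and kv[0] == "match" and match_at is None:
            match_at = len(out)
        if kv is not None and kv[0] == "kexalgorithms" and not replaced and match_at is None:
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.insert(len(out) if match_at is None else match_at, new_line)
    return "\n".join(out) + "\n"


# Constructed /var/log/secure lines in the format the post quotes, with one
# scanner that got as far as a username and one normal login for contrast.
SAMPLE_LOG = """\
Mar  3 03:14:07 vm sshd[18200]: fatal: Unable to negotiate a key exchange method [preauth]
Mar  3 03:14:09 vm sshd[18203]: Invalid user admin from 192.0.2.10
Mar  3 03:15:01 vm sshd[18210]: fatal: Unable to negotiate a key exchange method [preauth]
Mar  3 03:15:30 vm sshd[18215]: fatal: Unable to negotiate a key exchange method [preauth]
Mar  3 03:16:00 vm sshd[18220]: Accepted publickey for paul from 198.51.100.5 port 50122 ssh2
"""
KEX_REJECTED = re.compile(r"sshd\[\d+\]: fatal: Unable to negotiate a key exchange method \[preauth\]")
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user \S+ from \S+")


def tally_scanner_stages(log_text):
    """Count connections dropped at key exchange versus those that reached the
    'Invalid user' stage, the before/after measure the post describes."""
    counts = Counter()
    for line in log_text.splitlines():
        if KEX_REJECTED.search(line):
            counts["rejected_at_kex"] += 1
        elif INVALID_USER.search(line):
            counts["reached_invalid_user"] += 1
    return counts


# Constructed excerpt. Spelling the NIST curves out is equivalent to omitting the
# line: sshd's default list includes them. The Match block tests the rewrite logic.
WEAK_CONFIG = """\
Port 22
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256@libssh.org
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print("before:", nist_kex_still_enabled(parse_sshd_config(WEAK_CONFIG)))
    hardened = harden_kex(WEAK_CONFIG)
    print(hardened)
    print("after:", nist_kex_still_enabled(parse_sshd_config(hardened)))
    print(tally_scanner_stages(SAMPLE_LOG))
```

On the host itself, `sshd -T | grep -i -e kexalgorithms -e ciphers -e macs` (run as root) prints the effective values, including defaults the file does not spell out, which is the authoritative check that the audit above approximates offline.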
