Very interesting! Thank you for sharing. I will be testing this out.

On 04/10/2017 08:22 AM, Paul Heinlein wrote:
> I've got a CentOS 7 VM running off in the cloud. It exposes SSH on 
> port 22 to the world. I've thought about moving it to an alternate 
> port, and may someday do so, but in the meantime I've tried to keep up 
> with best practices for sshd configuration.
>
> I recently changed the KexAlgorithms setting, removing all 
> key-exchange algorithms based on NIST curves. (Google variants of 
> "ed25519 nist ssh ecdh" for my reasoning.) Anyway, the new setting:
>
> KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
>
> All of my machines (MacOS 10.12, CentOS 6, CentOS 7) can work with 
> this setting, so I don't have to worry about infinite backward 
> compatibility.
>
> One interesting and unintended result of this change is that many SSH 
> scanners will fail while trying to negotiate a key exchange. The log 
> entries are short and sweet:
>
> sshd[18200]: fatal: Unable to negotiate a key exchange method [preauth]
>
> The number of scanners that even get through to the stage of 'Invalid 
> user' has dropped from a couple hundred per day to less than a dozen.
>
> Everyone's situation is different, of course, and this alteration may 
> not work in your environment -- but you may find it worthwhile raising 
> the bar on the KexAlgorithms, Ciphers, and MACs in your sshd_config, 
> especially if your SSH daemon is exposed to the world at large.
>

_______________________________________________
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
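The negotiation rule behind the "Unable to negotiate a key exchange method" log lines, and a small classifier for counting them, as an added example that is neither part of the original post nor Paul's configuration. It assumes the elided first algorithm in the quoted KexAlgorithms line is the OpenSSH name curve25519-sha256@libssh.org, and the sshd log lines it runs over are constructed for the example (the terse form quoted in the post plus the more verbose form that later OpenSSH releases emit, which also records the client's offer).

```python
import re
from collections import Counter

# Server-side KexAlgorithms allowlist from the quoted post. The archive elided
# part of the first name; it is ASSUMED here to be curve25519-sha256@libssh.org.
SERVER_KEX = [
    "curve25519-sha256@libssh.org",
    "diffie-hellman-group-exchange-sha256",
]


def negotiate_kex(client_offer, server_allowed=SERVER_KEX):
    """Apply the RFC 4253 section 7.1 rule: the chosen algorithm is the first
    entry in the client's name-list that also appears in the server's list.
    Returning None is the case where sshd logs the fatal 'Unable to negotiate'
    message and drops the connection before any authentication happens."""
    server_set = set(server_allowed)
    for name in client_offer:
        if name in server_set:
            return name
    return None


# Two log shapes: the terse one quoted in the post (older OpenSSH) and the
# verbose one that names the peer and its offered algorithms (OpenSSH 7.x+).
KEX_FAIL_TERSE = re.compile(
    r"sshd\[\d+\]: fatal: Unable to negotiate a key exchange method")
KEX_FAIL_VERBOSE = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (?P<ip>\S+) port \d+: "
    r"no matching key exchange method found\. Their offer: (?P<offer>\S+)")
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def classify(line):
    """Map one sshd log line to (event, peer_ip, detail) or None.
    event is 'kex_failure' (detail = list of algorithms the client offered,
    or None when the log form does not record it) or 'invalid_user'
    (detail = the attempted user name)."""
    m = KEX_FAIL_VERBOSE.search(line)
    if m:
        return ("kex_failure", m.group("ip"), m.group("offer").split(","))
    if KEX_FAIL_TERSE.search(line):
        return ("kex_failure", None, None)
    m = INVALID_USER.search(line)
    if m:
        return ("invalid_user", m.group("ip"), m.group("user"))
    return None


def summarize(lines):
    """Count how many connections died at key exchange versus how many got
    far enough to try a user name, the ratio the post is talking about."""
    counts = Counter()
    for line in lines:
        event = classify(line)
        if event:
            counts[event[0]] += 1
    return counts


# CONSTRUCTED sample log lines (documentation IPs), not captured from a host.
SAMPLE_LOG = [
    "Apr 10 08:01:12 vm sshd[18200]: fatal: Unable to negotiate a key exchange "
    "method [preauth]",
    "Apr 10 08:02:33 vm sshd[18211]: Unable to negotiate with 203.0.113.7 port "
    "41234: no matching key exchange method found. Their offer: "
    "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 [preauth]",
    "Apr 10 08:03:05 vm sshd[18220]: Invalid user admin from 198.51.100.9",
    "Apr 10 08:04:44 vm sshd[18230]: Accepted publickey for paul from "
    "192.0.2.5 port 50022 ssh2",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        event = classify(line)
        if event and event[0] == "kex_failure" and event[2]:
            # Replay the recorded offer against the allowlist: None confirms
            # why that scanner never reached the 'Invalid user' stage.
            print(event[1], "offered", event[2], "->", negotiate_kex(event[2]))
```

To confirm what a running daemon actually enforces, read the effective config with `sshd -T | grep -i kexalgorithms` rather than trusting the file, and compare against `ssh -Q kex` on each client you need to keep working. The drop in scanner noise is a side effect, not a control: a scanner that speaks curve25519 still reaches authentication, so key-only logins and the usual rate limiting still carry the load.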