主机安全-Windows&Linux的SSH安全加固

本文介绍: 信息安全相关 – 建设篇第三章主机安全-Linux的SSH安全加固

第一章传输安全-LDAP协议安全加固
 第二章安全审计-Linux用户命令全审计

本案例仅实测通过CentOS 7.5-7.9系列，其他Linux系列及版本未实测。

1. CentOS版本：7.5 ≤ version ≤ 7.9

ssh -V		# windows openssh查询版本
OpenSSH_for_Windows_8.9p1, LibreSSL 3.4.3

ssh -Q mac	# windows openssh查询mac列表
ssh -Q Ciphers	# windows openssh查询ciphers列表
ssh -Q kex	# windows openssh查询kex列表

# CMD命令
openssl ciphers -V	# windows openssl查询本地支持的ssl密码套件

# PowerShell命令
PS C:UsersAdministrator> Get-TlsCipherSuite			# PowerShell查询Windows系统支持的SSL密码套件
PS C:UsersAdministrator> Get-TlsCipherSuite | ft name	# 按name字段过滤查询

# 存在RC4的响应结果
[root@localhost ~]# openssl s_client -connect X.X.X.X:3389 -cipher RC4
CONNECTED(00000003)
...
...
SSL handshake has read 899 bytes and written 449 bytes	# TCP三次握手的读写字节数, 存在RC4时read的字节 > 0
---
New, TLSv1/SSLv3, Cipher is RC4-SHA		# 存在RC4时, Cipher会显示 RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-SHA					# 存在RC4时, Cipher会显示 RC4-SHA
    ...
---

# 不存在RC4的响应结果
[root@localhost ~]# openssl s_client -connect X.X.X.X:3389 -cipher RC4
CONNECTED(000002E8)
...
...
SSL handshake has read 0 bytes and written 153 bytes	# TCP三次握手的读写字节数, 不存在RC4时read的字节 = 0
---
New, (NONE), Cipher is (NONE)		# 不存在RC4时, Cipher会显示 NONE
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000				# 不存在RC4时, Cipher会显示 0000
    ...
---

### 查询Windows的SSL密码套件顺序, 更新SSL密码套件, 去除RC4相关套件
gpedit.msc --> 计算机配置 -> 管理模板 -> 网络 -> SSL配置设置 -> SSL密码套件顺序.	# 修改后重启生效
原始数据(未配置)：
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256

更新数据：
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256

### Windows RDP强制使用 SSL/TLS 协议
gpedit.msc --> 计算机配置 -> 管理模板 -> Windows组件 -> 远程桌面服务 -> 远程桌面会话主机 -> 安全 -> 远程(RDP)连接要求使用指定的安全层: SSL