I would like to only allow the following:
Protocols - TLS 1.2 and TLS 1.3
Ciphers - AES-128-GCM, AES-256-GCM and the ChaCha ciphers
Hashes/MAC - SHA256, SHA384 and SHA512
Key Exchange - I have never been able to find out if all three are still required as there is not much information on this. Lots of websites discuss what Protocols, Ciphers and Hashes to disable, but almost none explain which key exchanges are considered insecure or obsolete! I presume that Diffie-Hellman, PKCS and ECDH key exchanges are all required?
The system being hardened is going to be used as an external firewall between a mail server and the Internet. The Mail Server is a separate server behind this Linux Firewall.
So the main things that will be used are IPTables, SSH and OpenVPN. There will be no GUI system or X system like Gnome etc. installed. Entirely command based only.
Ciphers
I believe that I need to edit the sshd_config file and put in the following.
Code:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
Hashes
I believe that I need to edit the sshd_config file and put in the following.
Code:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
Note: I don't know the difference between umac and hmac but I believe that umac is considered secure? I have only allowed MACs that support -etm. I presume that this won't break functionality?
Key Exchange
I believe that I need to edit the sshd_config file and put in the following.
Code:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Protocols
I understand that SSH does not use TLS. So I am already sorted with PuTTY to remote into Slackware. I am also going to see if I can configure the firewall to only allow SSH access via VPN connection and block SSH access from the Internet itself. So SSH is sorted.
However, OpenVPN does use TLS. While I have already restricted the OpenVPN config to only accept TLS 1.3 connections, I presume that older protocols are still enabled in Slackware.
IPTables - does IPTables use protocols from the operating system? In short, I can't really find any information on how to only allow TLS 1.2 and TLS 1.3 on any Linux distro. Every article talks about Apache and Nginx, which is not relevant here. I just want the firewall to effectively drop any obsolete and insecure protocols like SSL3, TLS 1.0 etc.
My three main questions are as follows:
- How to disable obsolete protocols on the distro.
- Is my list of ciphers, keys and hashes correct? I have removed CTR ciphers and non-etm hashes. Still unclear about Diffie-Hellman, PKCS key exchanges. Should only ECDH curve key exchanges be enabled?
- How to prevent Slackware updates overwriting my settings. When Slackware is updated, it very often overwrites the sshd_config file. I want any new settings to be applied when updating Slackware, without losing these settings. Is there another way to restrict ciphers etc without having to re-add this information every time the file is updated?
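
A drift check relating to the third question above, as an added example that is not part of the original post: it compares the Ciphers, MACs and KexAlgorithms lines of sshd_config-style text against the three lists quoted in the post. The function name `audit_sshd_config` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): drift check for sshd_config.
# Allow-lists are the three directive values quoted in the post.
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"
ALLOWED_KEX="curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"

# Reads sshd_config text (or `sshd -T` output) on stdin. Prints one line per
# finding and returns 1 if any algorithm is off-list or a directive is missing.
# Assumes keyword and list are separated by whitespace (no "Keyword=value").
audit_sshd_config() {
    awk -v c="$ALLOWED_CIPHERS" -v m="$ALLOWED_MACS" -v k="$ALLOWED_KEX" '
    BEGIN { allow["ciphers"] = c; allow["macs"] = m; allow["kexalgorithms"] = k }
    {
        key = tolower($1)                     # keywords are case-insensitive
        # Comments, blank lines and other keywords are skipped; sshd keeps the
        # first value it sees for a keyword, so later duplicates are ignored.
        if (!(key in allow) || (key in seen)) next
        seen[key] = 1
        n = split($2, got, ",")
        for (i = 1; i <= n; i++)
            if (index("," allow[key] ",", "," got[i] ",") == 0) {
                print key ": not on allow-list: " got[i]
                bad = 1
            }
    }
    END {
        for (key in allow)
            if (!(key in seen)) {
                print key ": directive missing, sshd defaults apply"
                bad = 1
            }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: what the file might look like after an update replaced it.
SAMPLE_CONFIG='#Ciphers chacha20-poly1305@openssh.com
Port 22
ciphers aes256-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256'

printf '%s\n' "$SAMPLE_CONFIG" | audit_sshd_config || echo "sshd_config drifted"
```

On a live host the same function can be fed the effective configuration with `sshd -T | audit_sshd_config`, run as root after each package update.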