I would like to only allow the following:

Protocols- TLS 1.2 and TLS 1.3

Ciphers- AES-128-GCm, AES-256-GCM and the Cha-Cha ciphers

Hashes/Mac - Sha256, Sha384 and Sha512

Key Exchange - I have never been able to find out if all three are still required as there is not much information on this. Lots of websites discuss what Protocols, Ciphers and Hashes to disable, but almost none explain which key exchanges are considered insecure or obsolete! I presume that Diffie-Helman, PKCS and ECDH key exchanges are all required?

The system being hardened is going to be used a external firewall between a mail server and the Internet. The Mail Server is a separate server behind this Linux Firewall.

So the main things that will be used is IPTables, SSH and Openvpn. There will be no gui system or x system like Gnome etc installed. Entirely command based only.

Ciphers

I believe that I need to edit the sshd_config file and put in the following.

Hashes

I believe that I need to edit the sshd_config file and put in the following.

Note: I don't know the difference between umac and hmac but I believe that umac is considered secure? I have only allowed macs that support -etm. I presume that this won't break functionality?

Key Exchange

I believe that I need to edit the sshd_config file and put in the following.

Protocols

I understand that SSH does not use TLS. So I am already sorted with Putty to remote into Slackware. I am also going to see if I can configure firewall to only allow SSH access via VPN connection and block SSH access from Internet itself. So SSH is sorted.

However Openvpn does use TLS. While I have already restricted Openvpn Config to only accept TLS 1.3 connections, I presume that older protocols are still enabled in Slackware.

IPtables - does IPTables use protocols from the operating system? In short, I can't really find any information on how to only allow TLS 1.2 and TLS 1.3 on any Linux distro. Every article talks about Apache and Nginx which is not relevant here. I just want the firewall to effectively drop any obsolete and insecure protocols like SSL3, TLS 1.0 etc.

My three main questions are as follows:

1. How to disable Obsolete Protocols on distro.
   
2. Are my list of ciphers, keys and hashes correct? I have removed CTR ciphers and non etm hashes. Still unclear about Diffie-Hellman, PKCS key exchanges. Should only ECDH curve key exchanges be enabled?
   
3. How to prevent Slackware updates overwriting my settings. When Slackware is updated, it very often overwrites the sshd_config file. I want any new settings to be applied when updating Slackware, without losing these settings. Is there another way to restrict ciphers etc without having to re-add this information every time the file is updated?

This is better done at the application level. There are convoluted ways to do that at the firewall level (one example here), but they are pretty hideous hacks. And while that may be enough to filter on TLS protocol versions, you won’t be able to filter on precise algorithms anyway.

There is no centralized settings for that. It has to be done for each server application you’re using: sshd has its own configuration, openvpn has its own configuration, your web server (if any) has its own configuration, etc.

It depends on a lot of things and there’s probably no single answer for every server application.

For example, for a SSH server, it is generally fine to have a very restricted list of algorithms, because there will typically be very few people needing to connect to that server (maybe only yourself) and you may be able to know which algorithms they support on their side. Likewise for OpenVPN.

But for a web or mail server, it might be worth it to enable a larger selection of algorithms to avoid excluding some clients.

Mozilla has some interesting guidelines on the topic, at least for a web server.

That is not supposed to happen. The updated package should provide a /etc/ssh/sshd_config.new file, and only if that file is identical to the existing /etc/ssh/sshd should it be moved at that location. When did you observe that?

2 members found this post helpful.

Sorry to take so long to get back to you. I spent this weekend setting up the new Slackware System and then working on Iptables to create the Linux Firewall System that the Mail serve will sit behind. A much bigger job than expected getting the Iptables working as desired.

You are correct that slackware creates a new file and I have to explicitly confirm to overwrite the file. What I actually meant was that to add new changes to sshd_config whilst retaining the old settings, I would have to either copy the settings in the old file to the new file or copy the new settings in the new file to the old file. It would be nice to allow settings created by end users to be automatically transferred to the new config without copying and pasting.

For the moment, I will be leaving Slackware settings as default. The only services that are actually being used on Slackware, is Iptables, Openvpn and SSH. Openvpn is already restricted to TLS 1.3 and secure keys/ciphers. SSH (and Windows RDP) only works through the VPN, it is not accessible from the Internet. As the VPN and SSH will only be used by me and because my computer already uses only secure ciphers etc there is little value in restricting the ciphers which will have to be updated regularly over the years.

Iptables is just forwarding traffic to the Mail server and other services behind the firewall. All those services and servers are already restricted to using only modern protocols, ciphers and key exchanges etc.

So I have (after doing all my work on my firewall) come to the conclusion that there is probably no security benefit to changing the default distro ciphers, protocols and keys. It would just create unnecessary work updating the list over the years in my user case. Simply updating Slackware, openssl and ssh etc should be sufficient as I have noticed that the latest version of Slackware/SSH has far fewer ciphers, keys, hashes than an older system that hasn't been updated for a while.

So I will close the question as there doesn't seem to be a clear security benefit to updating the ciphers in my user case. However, it is useful to have this information should anyone want to know how to improve Slackware Security on a system where far more services are actually being used.