• Status: Solved

redhat SFTP protocols

We have an SFTP setup and have a client that wants to know what protocols/hashing algos/encryption we allow.  I found this info, I'm not sure if this is good... should any of these be disabled?  Any insight would be helpful.

Thanks!

[root@clientsftp ~]# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
[root@clientsftp ~]# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
[root@clientsftp ~]# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-

Asked: Xetroximyn

3 Solutions

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
This list is fine.

My first question to the client is why they're asking.

Likely there's some hidden question behind this... like they've read some article about one cipher being faster than another + they have conjured up the idea this has meaning in the nanosecond world of packet flow.

Try prying their real question out of them + likely you'll be able to offer them better assistance accomplishing their end goal.

arnold commented:
Sftp is a component of OpenSSH.

You can use OpenSSL.conf as well as the sshd_config to restrict/limit the ciphers to more secure ....

Commonly using OpenSSL s_client one can test the......

Xetroximyn (Author) commented:
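As an added example (not part of the thread, and not Red Hat's or OpenSSH's own tooling), the script below takes the three `ssh -Q` lists from the question, flags the legacy entries (CBC-mode and RC4 ciphers, MD5/RIPEMD/truncated/SHA-1 MACs, SHA-1 or 1024-bit-group key exchange) and prints the `Ciphers`, `MACs` and `KexAlgorithms` lines that would keep only the remaining ones. One caveat worth knowing before answering a questionnaire: `ssh -Q` lists what the OpenSSH binary supports, not what the server actually offers; the effective server set is whatever `Ciphers`/`MACs`/`KexAlgorithms` in `/etc/ssh/sshd_config` say, and `sshd -T` prints those effective values. The classification rules are this example's own choices, not something the page states.

```shell
#!/bin/sh
# Added example: classify the algorithms reported by `ssh -Q` in the question
# as "legacy" or "ok", then emit sshd_config lines that keep only the "ok" set.
# The lists below are constructed from the question's output; the rules in
# classify_algo are this example's own policy, not an OpenSSH default.

CIPHERS="3des-cbc blowfish-cbc cast128-cbc arcfour arcfour128 arcfour256
aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com
chacha20-poly1305@openssh.com"
MACS="hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96
hmac-ripemd160 hmac-ripemd160@openssh.com umac-64@openssh.com umac-128@openssh.com
hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com"
KEX="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256
diffie-hellman-group16-sha512 diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
curve25519-sha256 curve25519-sha256@libssh.org gss-gex-sha1- gss-group1-sha1- gss-group14-sha1-"

# classify_algo KIND NAME -> prints "legacy" or "ok"
classify_algo() {
  kind=$1; name=$2
  case "$kind" in
    cipher)
      case "$name" in
        # CBC modes (padding-oracle history) and RC4 variants
        *-cbc|*-cbc@*|arcfour*) echo legacy ;;
        *) echo ok ;;
      esac ;;
    mac)
      case "$name" in
        # MD5, RIPEMD, 64/96-bit truncated tags, and plain HMAC-SHA1
        *md5*|*ripemd*|*-96*|umac-64*|hmac-sha1|hmac-sha1-etm@*) echo legacy ;;
        *) echo ok ;;
      esac ;;
    kex)
      case "$name" in
        # 1024-bit group1, anything hashed with SHA-1, and the GSSAPI variants
        *group1-*|*sha1|*sha1-|gss-*) echo legacy ;;
        *) echo ok ;;
      esac ;;
  esac
}

# keep_list KIND "LIST" -> comma-separated "ok" entries, order preserved
keep_list() {
  kind=$1; out=""
  for a in $2; do
    if [ "$(classify_algo "$kind" "$a")" = ok ]; then
      out="${out:+$out,}$a"
    fi
  done
  printf '%s\n' "$out"
}

# report_legacy KIND "LIST" -> one line per entry that should be disabled
report_legacy() {
  kind=$1
  for a in $2; do
    if [ "$(classify_algo "$kind" "$a")" = legacy ]; then
      printf '%s: %s (disable)\n' "$kind" "$a"
    fi
  done
  return 0
}

# sshd_config_lines -> the three directives that pin the server to the "ok" set
sshd_config_lines() {
  printf 'Ciphers %s\n' "$(keep_list cipher "$CIPHERS")"
  printf 'MACs %s\n' "$(keep_list mac "$MACS")"
  printf 'KexAlgorithms %s\n' "$(keep_list kex "$KEX")"
}

# When run directly: show what to turn off, then the lines to put in sshd_config.
report_legacy cipher "$CIPHERS"
report_legacy mac "$MACS"
report_legacy kex "$KEX"
sshd_config_lines
```

After adding the printed directives to `/etc/ssh/sshd_config`, `sshd -t` checks the file parses and `sshd -T | grep -iE '^(ciphers|macs|kexalgorithms)'` shows what the server will now negotiate; that second output, rather than `ssh -Q`, is the honest answer to questions 7 and 8 of the questionnaire.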
It's a security questionnaire they apparently send to any company whose SFTP they use to transfer data.

External SFTP Questionnaire

1.      Do you assign a unique username for all internal users and all anticipated external users of the SFTP?
2.      Do users have unique passwords or unique authentication keys?
3.      Do you grant folder/document access within the SFTP to only those users with a business need for access?
4.      Do you maintain logs of the SFTP that track user access and activity?
5.      Are transmissions protected by up-to-date SSH encryption?
6.      What SFTP versions are allowed? (e.g., SFTPv6, SFTPv5, etc.)
7.      What hashing algorithms are allowed? (e.g., SHA-256, etc.)
8.      What encryption algorithms are allowed? (e.g., AES-256, etc.)

Thanks for the responses!  Good to know our SFTP server is not using any outdated algos.  I assumed it shouldn't be; it's a pretty vanilla RHEL 7 SFTP setup with users chrooted.  (i.e. I'd hope by default insecure stuff is not enabled... but just wanted to make sure!)

I do have one other question about the logging... as I understand it login attempts are logged, but file access activity is not.  I read a Red Hat article on how to set up logging... it involved having /dev/log inside each user's chroot, since they (or their process) can't view outside... my question is, if I did this, would a user be able to see their own log?  Would they be able to modify it?  I would hope not...

arnold commented:
Financial or medical. Chroot replicates the environment on a small, individualized scale; commonly the user will not be able to access/view that content, root on the system can.

Xetroximyn (Author) commented:
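As an added example (not from the thread, and not the Red Hat article's text), the script below generates the two fragments the chroot-logging setup mentioned in the question needs, and includes a small path check that answers the "can the user see or modify the log?" question structurally: only the `/dev/log` socket is placed inside the chroot; rsyslog, running outside it, writes the log file to a path the chrooted user cannot reach. The chroot base `/sftp`, the group name `sftponly`, the log file `/var/log/sftp.log` and the LOCAL5 facility are this example's assumptions.

```shell
#!/bin/sh
# Added example: config fragments for logging per-user SFTP activity from a
# chroot on RHEL 7-style OpenSSH + rsyslog, plus a check that the log file is
# not reachable from inside the chroot.
# Assumptions (not from the page): per-user chroots under /sftp/<user>, users in
# group sftponly, log written to /var/log/sftp.log via syslog facility LOCAL5.

CHROOT_BASE=/sftp
SFTP_GROUP=sftponly
SFTP_LOG=/var/log/sftp.log
FACILITY=LOCAL5

# sshd_config fragment. internal-sftp runs inside sshd, so it needs no binaries
# in the chroot; -l INFO logs each file operation, -f picks the syslog facility.
# sshd requires the chroot directory itself to be root-owned and not writable
# by group or others.
sshd_sftp_fragment() {
  cat <<EOF
Subsystem sftp internal-sftp -l INFO -f $FACILITY
Match Group $SFTP_GROUP
    ChrootDirectory $CHROOT_BASE/%u
    ForceCommand internal-sftp -l INFO -f $FACILITY
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# rsyslog fragment (imuxsock is loaded by default on RHEL 7). One extra unix
# listen socket per chroot: the directory /sftp/<user>/dev must exist and
# rsyslog creates the socket in it at startup. The file the facility is routed
# to lives outside every chroot.
rsyslog_fragment() {
  for user in "$@"; do
    printf '$AddUnixListenSocket %s/dev/log\n' "$CHROOT_BASE/$user"
  done
  fac=$(printf '%s' "$FACILITY" | tr 'A-Z' 'a-z')
  printf '%s.* %s\n' "$fac" "$SFTP_LOG"
}

# is_under DIR PATH -> 0 if PATH lies inside DIR
is_under() {
  case "$2" in
    "$1"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# log_reachable_from_chroot USER -> "yes" if the log file would sit inside the
# user's chroot (a misconfiguration that lets the user read it), else "no".
log_reachable_from_chroot() {
  if is_under "$CHROOT_BASE/$1" "$SFTP_LOG"; then echo yes; else echo no; fi
}

# When run directly: print both fragments for an example user "alice".
sshd_sftp_fragment
rsyslog_fragment alice
printf 'log reachable from alice chroot: %s\n' "$(log_reachable_from_chroot alice)"
```

The socket in `/sftp/<user>/dev/log` only lets the user's `internal-sftp` process send messages; the file rsyslog appends to is outside the chroot and owned by root, so the user can neither read nor edit it, which matches what arnold describes. Because the user's process can write to the socket, treat the content of those log lines as user-influenced when parsing them.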
Thanks!
Question has a verified solution.