redhat SFTP protocols

We have an SFTP setup and have a client that wants to know what protocols/hashing algos/encryption we allow.  I found this info, but I'm not sure if this is good... should any of these be disabled?  Any insight would be helpful.

Thanks!

[root@clientsftp ~]# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
[root@clientsftp ~]# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
[root@clientsftp ~]# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-


Xetroximyn asked:

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
This list is fine.

My first question to the client is why they're asking.

Likely there's some hidden question behind this... like they've read some article about one cipher being faster than another + they have conjured up the idea this has meaning in the nanosecond world of packet flow.

Try prying their real question out of them + likely you'll be able to offer them better assistance accomplishing their end goal.
0

arnold commented:
SFTP is a component of OpenSSH.

You can use OpenSSL.conf as well as the sshd_config file to restrict/limit the ciphers to more secure ....

Commonly, using OpenSSL s_client, one can test the......
0
Xetroximyn (Author) commented:
It's a security questionnaire they apparently send to any company whose SFTP they use to transfer data.

External SFTP Questionnaire

1. Do you assign a unique username for all internal users and all anticipated external users of the SFTP?
2. Do users have unique passwords or unique authentication keys?
3. Do you grant folder/document access within the SFTP to only those users with a business need for access?
4. Do you maintain logs of the SFTP that track user access and activity?
5. Are transmissions protected by up-to-date SSH encryption?
6. What SFTP versions are allowed? (e.g., SFTPv6, SFTPv5, etc.)
7. What hashing algorithms are allowed? (e.g., SHA-256, etc.)
8. What encryption algorithms are allowed? (e.g., AES-256, etc.)

Thanks for the responses!  Good to know our SFTP server is not using any outdated algos.  I assumed it shouldn't be; it's a pretty vanilla RHEL 7 SFTP setup with users chrooted.  (i.e. I'd hope by default insecure stuff is not enabled... but just wanted to make sure!)

I do have one other question about the logging... as I understand it, login attempts are logged, but file access activity is not.  I read a Red Hat article on how to set up logging... it involved having /dev/log inside each user's chroot, since they (or their process) can't view outside... my question is, if I did this, would a user be able to see their own log?  Would they be able to modify it?  I would hope not...
0
arnold commented:
Financial or medical. Chroot replicates the environment on a small, individualized scale; commonly the user will not be able to access/view that content, root on the system can.
0
Xetroximyn (Author) commented:
thanks!
0