2. Securing openssh

I don't think I have to elaborate on the fact that securing SSH is a must. New in PCI 3.0 is to disable all DSA host keys, strengthen your RSA host key (a minimum of 2048 bits is a must) and disable all unwanted ciphers in OpenSSH.


In your /etc/ssh/sshd_config file, add the following to disable all unwanted Ciphers:


# Ciphers

Ciphers aes256-ctr,aes192-ctr,aes128-ctr,arcfour128,arcfour256,arcfour

This will also disable the use of CBC and CTR ciphers (requirement for PCI 3.0).

Make sure to adjust your ssh clients as well.

Update PCI 2016: To stay compliant with PCI DSS 3.1 the following ciphers have been removed “arcfour128,arcfour256,arcfour”. The ciphers configuration of your sshd configuration should look like this:



# Ciphers

Ciphers aes256-ctr,aes192-ctr,aes128-ctr

DSA Hostkeys

vi /etc/ssh/sshd_config

Comment out the line

HostKey /etc/ssh/ssh_host_dsa_key

Delete the DSA key pairs



restart ssh service
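The two edits above (the Ciphers line and the commented-out DSA HostKey line) are easy to get wrong on a fleet of hosts, so here is an added audit script that is not part of the original article: it parses an sshd_config text the way sshd reads it (keyword, then value; comments and blank lines ignored; keywords case-insensitive) and reports RC4 (arcfour) ciphers, CBC ciphers, anything outside the three AES-CTR ciphers the PCI 2016 update leaves in place, an active DSA HostKey line, and a missing Ciphers directive. The sample configs are constructed to mirror the before/after state described on this page; the minimum-cipher list and the file-name heuristic for DSA keys are assumptions.

```python
"""Audit sshd_config text for the cipher and host key settings described above."""

# The cipher set the page's PCI DSS 3.1 update keeps enabled (assumption: treat
# anything else as a finding).
ALLOWED_CIPHERS = {"aes256-ctr", "aes192-ctr", "aes128-ctr"}


def parse_sshd_config(text):
    """Return (keyword, value) pairs for active directives, keywords lowercased."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment (a commented-out HostKey is inactive)
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value; sshd would reject this anyway
        keyword, value = parts
        directives.append((keyword.lower(), value.strip()))
    return directives


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    ciphers_seen = False
    for keyword, value in parse_sshd_config(text):
        if keyword == "ciphers":
            ciphers_seen = True
            for cipher in value.split(","):
                c = cipher.strip().lower()
                if c.startswith("arcfour"):
                    findings.append(f"RC4 cipher enabled: {c} (removed for PCI DSS 3.1)")
                elif c.endswith("-cbc"):
                    findings.append(f"CBC cipher enabled: {c}")
                elif c not in ALLOWED_CIPHERS:
                    findings.append(f"cipher outside the approved list: {c}")
        elif keyword == "hostkey":
            # Heuristic: the stock file name is /etc/ssh/ssh_host_dsa_key.
            if "dsa" in value.lower():
                findings.append(f"DSA host key still active: {value}")
    if not ciphers_seen:
        findings.append("no Ciphers directive: sshd uses its version-dependent default list")
    return findings


# Constructed sample configs (not copied from any real host).
BEFORE_CONFIG = """\
# Ciphers
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,arcfour128,arcfour256,arcfour
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
"""

AFTER_CONFIG = """\
# Ciphers
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; note that it only reads the main file, not `Include`d fragments or `Match` blocks, and that the "no Ciphers directive" finding is there because the default cipher list depends on the OpenSSH version installed.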

Creating strong RSA hostkeys

ssh-keygen -t rsa -b 4096 -a 500

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa): /etc/ssh/ssh_host_rsa_key

/etc/ssh/ssh_host_rsa_key already exists.

Overwrite (y/n)? y

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /etc/ssh/ssh_host_rsa_key.

Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.

The key fingerprint is:

67:34:4f:75:04:d4:b0:d1:fa:ec:56:81:03:08:7b:14

The key's randomart image is:

+--[ RSA 4096]----+
|       ..Eo  .**o|
|        o. . . +o|
|       . .o o o. |
|        .. + o.. |
|        S o . .o.|
|         o      +|
|               ..|
|                o|
|               . |
+-----------------+
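After regenerating the host key you want to verify that the key actually meets the 2048-bit minimum from the top of this section. `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` prints the bit length, but for an inventory script it helps to know where that number comes from, so here is an added example (not from the original article) that decodes the `ssh-rsa` public key blob itself: the base64 field is a sequence of SSH wire-format strings, the key type followed by the mpints e and n, and the modulus n's bit length is the key size. Real host keys cannot be embedded here, so `build_rsa_pubkey_line` constructs synthetic lines with moduli of a chosen size; those values are assumptions and not valid RSA keys.

```python
"""Read the modulus size of an OpenSSH ssh-rsa public key line."""
import base64
import struct

MIN_RSA_BITS = 2048  # the PCI 3.0 minimum stated on this page


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_pubkey_bits(pubkey_line):
    """Return the modulus bit length of an 'ssh-rsa <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    key_type, offset = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob key type does not match ssh-rsa")
    _exponent, offset = _read_string(blob, offset)  # mpint e
    modulus, _ = _read_string(blob, offset)        # mpint n
    # A leading 0x00 (mpint sign padding) does not change the integer value.
    return int.from_bytes(modulus, "big").bit_length()


def hostkey_meets_minimum(pubkey_line, min_bits=MIN_RSA_BITS):
    """True when the RSA host key is at least min_bits long."""
    return rsa_pubkey_bits(pubkey_line) >= min_bits


def build_rsa_pubkey_line(e, n, comment="constructed"):
    """Encode e and n as an OpenSSH ssh-rsa line (synthetic test input, not a real key)."""
    def mpint(value):
        data = value.to_bytes((value.bit_length() + 7) // 8, "big")
        if data[0] & 0x80:
            data = b"\x00" + data  # keep the mpint positive
        return struct.pack(">I", len(data)) + data

    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    # Constructed moduli of 1024 and 4096 bits (assumption: size is all that matters here).
    for label, n in (("1024-bit", (1 << 1023) | 1), ("4096-bit", (1 << 4095) | 1)):
        line = build_rsa_pubkey_line(65537, n)
        print(label, rsa_pubkey_bits(line), "OK" if hostkey_meets_minimum(line) else "TOO SMALL")
```

To check a live host, pass `open("/etc/ssh/ssh_host_rsa_key.pub").read()` to `hostkey_meets_minimum`; the parser rejects non-RSA lines rather than guessing, so an ECDSA or Ed25519 host key file raises `ValueError` and should be judged by its own rules.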