TCPKeepAlive no or yes? #120
Comments
|
Thanks for bringing that to my attention, @rilindo. You're quite right. It seems that there's no actual exploitable vulnerability with TCPKeepAlive(1) -- yet. But let's fix this. After a bit of reading this morning (thanks again), I've found:
vs
(Ref: man page for ssh_config) It appears much more appropriate for Lynis to:
@mboelen @kboratynski -- sound good? (2) http://unix.stackexchange.com/questions/34004/how-does-tcp-keepalive-work-in-ssh |
|
For the TCPKeepAlive, that worked. Yay! Thank you! For ServerAliveInterval, not so much:
And I did confirm that it is set:
|
|
Thanks @rilindo. I've added the missing value. Does it now work for you? |
|
It appears that lynis is look for the ServerAliveInterval parameter in /etc/ssh/sshd_config. ServerAliveInterval is actually a parameter that is set in /etc/ssh/ssh_config (which I confirmed in the man pages). |
|
@mboelen new PR for you ;-) I've just arrived at work so I'm about to give this a spin here too. |
|
@mboelen - pretty sure these have been addressed. OK to close I reckon. |
I see that Lynis is flagging TCPKeepAlive if is set to no:
[17:44:59] Test: Checking TCPKeepAlive in /etc/ssh/sshd_config
[17:44:59] Result: Option TCPKeepAlive found in /etc/ssh/sshd_config
[17:44:59] Result: Option TCPKeepAlive value is NO
[17:44:59] Result: SSH option TCPKeepAlive is in a weak configuruation state and should be fixed
[17:44:59] Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:TCPKeepAlive (NO --> YES)] [solution:-]
Why would we want to turn it on? TCPKeepAlive apparently has spoofing issues, so it is recommend that be turn off:
https://drupal.star.bnl.gov/STAR/comp/sofi/facility-access/ssh-stable-con
The text was updated successfully, but these errors were encountered: