TCPKeepAlive no or yes? #120
Thanks for bringing that to my attention, @rilindo. You're quite right. It seems that there's no actual exploitable vulnerability with TCPKeepAlive(1) -- yet. But let's fix this. After a bit of reading this morning (thanks again), I've found:
vs
(Ref: man page for ssh_config) It appears much more appropriate for Lynis to:
@mboelen @kboratynski -- sound good? (2) http://unix.stackexchange.com/questions/34004/how-does-tcp-keepalive-work-in-ssh |
For the TCPKeepAlive, that worked. Yay! Thank you! For ServerAliveInterval, not so much:
And I did confirm that it is set:
|
Thanks @rilindo. I've added the missing value. Does it now work for you? |
It appears that Lynis is looking for the ServerAliveInterval parameter in /etc/ssh/sshd_config. ServerAliveInterval is actually a parameter that is set in /etc/ssh/ssh_config (which I confirmed in the man pages). |
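The mismatch raised in the comment above (ServerAliveInterval is read by the client from ssh_config, so searching sshd_config for it finds nothing), shown as an added example that is not part of the thread or of Lynis's own code. The helper names and sample files are constructed for illustration, and Host/Match scoping is ignored.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. Host/Match scoping is ignored.

# Which program reads an option, per ssh_config(5) and sshd_config(5).
option_scope() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        serveraliveinterval|serveralivecountmax) echo client ;;
        clientaliveinterval|clientalivecountmax) echo server ;;
        tcpkeepalive)                            echo both ;;
        *)                                       echo unknown ;;
    esac
}

# First value of option $2 in file $1: keywords are case-insensitive,
# "Key value" and "Key=value" are both accepted, comment lines are skipped.
option_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == want) { print f[2]; exit }
        }' "$1"
}

# Look the option up only in the file(s) whose program reads it.
# $1=option  $2=path to ssh_config  $3=path to sshd_config
audit_option() {
    scope=$(option_scope "$1"); client=n/a; server=n/a
    case "$scope" in client|both)
        client=$(option_value "$2" "$1"); client=${client:-unset} ;;
    esac
    case "$scope" in server|both)
        server=$(option_value "$3" "$1"); server=${server:-unset} ;;
    esac
    echo "$1 scope=$scope client=$client server=$server"
}

# Constructed sample files, not taken from the thread.
demo=$(mktemp -d)
printf '%s\n' 'Host *' '    ServerAliveInterval 60' > "$demo/ssh_config"
printf '%s\n' '#TCPKeepAlive yes' 'tcpkeepalive=no' 'ClientAliveInterval 300' \
    > "$demo/sshd_config"

for opt in TCPKeepAlive ServerAliveInterval ClientAliveInterval; do
    audit_option "$opt" "$demo/ssh_config" "$demo/sshd_config"
done
```
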
@mboelen new PR for you ;-) I've just arrived at work so I'm about to give this a spin here too. |
@mboelen - pretty sure these have been addressed. OK to close I reckon. |
I see that Lynis is flagging TCPKeepAlive if it is set to no:
[17:44:59] Test: Checking TCPKeepAlive in /etc/ssh/sshd_config
[17:44:59] Result: Option TCPKeepAlive found in /etc/ssh/sshd_config
[17:44:59] Result: Option TCPKeepAlive value is NO
[17:44:59] Result: SSH option TCPKeepAlive is in a weak configuruation state and should be fixed
[17:44:59] Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:TCPKeepAlive (NO --> YES)] [solution:-]
Why would we want to turn it on? TCPKeepAlive apparently has spoofing issues, so it is recommended that it be turned off:
https://drupal.star.bnl.gov/STAR/comp/sofi/facility-access/ssh-stable-con