Category Archives: System Administration

Common Criteria SSH – restrict ciphers, key exchange method and drop SSH packets within certain range

1. Open ssh_config / sshd_config  – the first file is the configuration file for the client, the second is for the  daemon (SSH server).

2. Uncomment Ciphers section and leave it as:

Ciphers  aes128-cbc,aes256-cbc

This will ensure that only aes128 and aes256-cbc ciphers will be used.

3. Add the following line:

KexAlgorithms diffie-hellman-group14-sha1

This will ensure that this will be the only supported key exchange method.

4. To drop SSH packets with certain size you can always use the good old iptables:

iptables -A INPUT -p tcp -m length --length 1400:1500 --dport 22 -j DROP

This will drop all incoming packets with size between 1400 and 1500 for port 22 (the SSH port).

How to install sysstat (sar) for performance statistics ?

apt-get update; apt-get install sysstat

The sysstat package contains several utilities for monitoring system performance. To enable performance data collection edit
/etc/default/sysstat
set
ENABLED="true"
restart sysstat
/etc/init.d/sysstat restart. If necessary edit the cronjob which will collect the statistics and make sure to setup a logrotate entry in order to avoid large logs.