Maybe it would be good practice to have this by default in the config or not? I know people may use sftp from openssh directly and not proftpd or even not use proftpd at all or no sftp and use the browser file manager in virtualmin (which is excellent) but for those who do, I think it might be a reasonable way to improve security standards.
You should mention your OS and version. The defaults for ProFTPd are different across distros and versions.
We historically don’t alter this (I’ve never logged in via FTP except to test that it works, so I have never paid attention to whether it’s good or not), but we could make the defaults safer by default.
It might also be advisable to remove ecdh nistp256 etc… from openssh main ssh. It has instructions for various distros. But this might be out of scope for a virtualmin install.
We try to do as little as possible, and respect the user's OS choice. I feel like the OS vendor is responsible for ssh defaults, and the user is responsible for understanding a little bit about their system. And, ssh is necessary for access to the system, so we probably shouldn’t fiddle with it.
But, ProFTPd is pretty lightly maintained even in the distros that have it in the standard repos, and we have to modify its configuration for anything to work, so we probably should be a bit more proactive about it.
Thanks for this! I’m also running Alma 9.3 & implemented your suggestion. Then I ran it on my SSH port and was able to harden that a bit by following its recommendations. Much appreciated.
It kindly asks if maybe I mean SFTPHostKey even though this is shown as a valid entry on the Proftpd site. I played with it a bit, but, since I leave ftp turned off, my futility didn’t need much more of a workout yesterday.
# Configure the RSA and ECDSA host keys, using the same host key
# files that OpenSSH uses.
#SFTPHostKey /etc/proftpd/ssh_host_ecdsa_key
SFTPHostKey /etc/proftpd/ssh_host_ed25519_key
SFTPHostKey /etc/proftpd/ssh_host_rsa_key
I think these are two separate things. One is the keys used by the server, the other is key types accepted for use. I’d get errors telling me it didn’t have permission to parse the file and then complain about the items in it. At this point it is a personal server and I just use OpenSSH SFTP. That is covered with the recommendations here. www.sshaudit.com/hardening_guides.html#debian_11
Strangely, I tried to mimic the settings for ProFTPd but they didn’t work, as I said above.
I mean this is from the 90s. Most likely just legitimate research on cryptography.
But just saying that, apart from some funny story from the guy himself (he passed away, unfortunately), there is no official specification on the seed value for p256 from the National Institute of Standards and Technology.
But we do know that an NSA employee supplied it.
Hence some scepticism. BUT really no proof of anything.
To get these “ssh audit hardening guide” commands to upgrade you from F to A on Ubuntu 22.04, in addition to running the commands given in the hardening guide for Ubuntu 22.04, you also have to add this line at the top of your /etc/ssh/sshd_config file: Include /etc/ssh/sshd_config.d/*.conf
To get an A+, you have to edit: sudo nano /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
remove from the Ciphers list: chacha20-poly1305@openssh.com,
save the file (ctrl-o enter), and exit (ctrl x).
Restart sshd service: sudo service sshd restart
And run the ssh audit web test again. You’ll see A+ grade.
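The edits from that post as an added shell script (my own example, not code from the post or from ssh-audit): it takes file paths as parameters so it can be tried on copies first, assumes the file names given in the post, and uses the real sshd -t / -f flags for the pre-restart syntax check.

```shell
#!/bin/sh
# Added example, not from the post: the two manual edits above (prepend the
# Include line, drop chacha20-poly1305 from Ciphers) as idempotent functions
# that work on any file path, so they can be tried on copies before /etc/ssh.

# Ensure the Include directive is the first line of sshd_config; a no-op if
# it is already present anywhere in the file.
ensure_include_first() {
    cfg="$1"
    inc='Include /etc/ssh/sshd_config.d/*.conf'
    grep -qxF "$inc" "$cfg" && return 0
    tmp="$cfg.tmp.$$"
    { printf '%s\n' "$inc"; cat "$cfg"; } > "$tmp" && mv "$tmp" "$cfg"
}

# Remove one name from the comma-separated Ciphers directive, leaving every
# other directive (KexAlgorithms, MACs, ...) untouched.
drop_cipher() {
    cfg="$1"; cipher="$2"
    tmp="$cfg.tmp.$$"
    awk -v c="$cipher" '
        $1 == "Ciphers" {
            n = split($2, parts, ","); out = ""
            for (i = 1; i <= n; i++) {
                if (parts[i] == c) continue
                if (out == "") out = parts[i]; else out = out "," parts[i]
            }
            print $1 " " out; next
        }
        { print }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Current Ciphers value of a file, for checking the result.
ciphers_of() { awk '$1 == "Ciphers" { print $2; exit }' "$1"; }

# Syntax-check a config before "service sshd restart"; sshd -t exits non-zero
# on errors. Needs root (it loads the host keys); skipped if sshd is absent.
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$1"
}

# Demonstration on constructed copies (not the real files under /etc/ssh).
d=$(mktemp -d)
printf 'Port 22\nPermitRootLogin no\n' > "$d/sshd_config"
printf 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com\n' > "$d/ssh-audit_hardening.conf"
ensure_include_first "$d/sshd_config"
drop_cipher "$d/ssh-audit_hardening.conf" chacha20-poly1305@openssh.com
head -n 1 "$d/sshd_config"; ciphers_of "$d/ssh-audit_hardening.conf"
rm -rf "$d"
```

Run check_sshd_config /etc/ssh/sshd_config as root after applying the functions to the real files, and only restart sshd when it exits 0.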