SSH Hardening on MikroTik L009UiGS-2HaxD

The time has come to replace our good old 2011UAS-2HnD-IN with an L009UiGS-2HaxD.

SSH Hardening

The MikroTik L009UiGS-2HaxD comes with RouterOS v7. As of RouterOS v7.7, you can use an Ed25519 host key and, by enabling strong crypto, disable SHA1 usage.

Enabling strong crypto (which is disabled by default) does the following:

  1. Prefers 256- and 192-bit encryption instead of 128-bit.
  2. Disables null encryption.
  3. Prefers SHA256 for hashing instead of SHA1.
  4. Disables MD5.
  5. Uses a 2048-bit prime for the Diffie-Hellman exchange instead of a 1024-bit one.

SSH into the router and run the following command:

/ip ssh set allow-none-crypto=no host-key-size=4096 host-key-type=ed25519 strong-crypto=yes

Generate a new host key, replacing the router's current one:

/ip/ssh/regenerate-host-key

Use ssh-audit to verify:

$ ./ssh-audit.py mikrotik.hl.test
# general
(gen) banner: SSH-2.0-ROSSSH
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2020.79+
(gen) compression: disabled

# key exchange algorithms
(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
                                            `- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
                                                      `- [info] available since OpenSSH 4.4
(kex) ext-info-s                            -- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions

# host-key algorithms
(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79

# encryption algorithms (ciphers)
(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) [email protected]                -- [info] available since OpenSSH 6.2

# message authentication code algorithms
(mac) hmac-sha2-256                         -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512                         -- [warn] using encrypt-and-MAC mode
                                            `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56

# fingerprints
(fin) ssh-ed25519: SHA256:OdM8KZKPh0BM0N1iQiSZZgeIkNPHodPfgWoS6tkb7JI
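As an added example (not part of the original post or of ssh-audit), a small Python checker that parses ssh-audit's text output, such as the run above, and maps the offered algorithms to the five effects of strong-crypto=yes. The HARDENED sample is built from the output above with the alignment padding trimmed; the WEAK sample is constructed to trip every rule and is not a real capture.

```python
import re

# Constructed sample: the ssh-audit lines from the post, alignment trimmed.
HARDENED = """\
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4
                        `- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
(kex) ext-info-s -- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes256-ctr -- [info] available since OpenSSH 3.7
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
"""

# Constructed weak sample that trips every rule below; not a real capture.
WEAK = """\
(kex) diffie-hellman-group-exchange-sha1 (1024-bit) -- [fail] small modulus
(key) ssh-rsa (2048-bit) -- [fail] uses SHA-1 signatures
(enc) none -- [fail] no encryption
(mac) hmac-md5 -- [fail] broken hash
"""

# One algorithm line: "(section) name [(N-bit)] -- [level] note"
LINE = re.compile(r"^\((kex|key|enc|mac)\) (\S+)(?: \((\d+)-bit\))?\s+-- \[(\w+)\]")

def parse(text):
    """Return {section: [(name, bits or None, level)]}; `- continuation lines are skipped."""
    algos = {"kex": [], "key": [], "enc": [], "mac": []}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            sec, name, bits, level = m.groups()
            algos[sec].append((name, int(bits) if bits else None, level))
    return algos

def check_strong_crypto(algos):
    """Findings mapped to the five effects of strong-crypto=yes; [] means compliant."""
    rules = [
        ("kex", lambda n, b: n.endswith("-sha1"), "SHA-1 key exchange still offered"),
        ("kex", lambda n, b: n.startswith("diffie-hellman") and b is not None and b < 2048, "DH modulus below 2048 bits"),
        ("key", lambda n, b: n != "ssh-ed25519", "host key is not ssh-ed25519"),
        ("enc", lambda n, b: n == "none", "null cipher offered"),
        ("mac", lambda n, b: "md5" in n or n.endswith("-sha1"), "MD5 or SHA-1 MAC offered"),
    ]
    return [f"({sec}) {name}: {msg}" for sec, bad, msg in rules
            for name, bits, _ in algos[sec] if bad(name, bits)]
```

To check a live router, save the ssh-audit output to a file and call check_strong_crypto(parse(open("audit.txt").read())); an empty list means every strong-crypto effect is visible on the wire.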
