Security Improvements and Features
The following essential security best practices are implemented by TufinOS.
Strong Default SSH Ciphers
- Weak MAC algorithms are disabled
- Cipher Block Chaining (CBC) encryption in SSH ciphers is disabled
- Weak RC4 algorithms in SSH ciphers are disabled
Strong Default SSH KexAlgorithms
- Weak SHA-1 KexAlgorithms are disabled
Enhanced Hardening of Default SSH configuration
We recommend hardening your servers by making changes to the SSH configuration.
- Block X11 forwarding
- Force the pre-authentication banner to be the file /etc/banner
- Limit the timeout interval to one hour
- Block client alive messages from being sent to the SSH client
- Block agent forwarding
- Block TCP forwarding
The default SSH configuration in /etc/ssh/sshd_config has been enhanced to use the following default values:
X11Forwarding no
Banner /etc/banner
ClientAliveInterval 3600
ClientAliveCountMax 0
AllowAgentForwarding no
AllowTcpForwarding no
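As an added example (not part of the TufinOS documentation or Tufin's tooling), the Python script below checks `sshd -T` style output against the values listed above and flags CBC, RC4 and SHA-1 key-exchange algorithms. The function names, the name patterns used to recognize those algorithms, and the sample output are assumptions constructed for illustration; weak MACs are not checked because the page does not name them.

```python
import sys

# Defaults the page lists for /etc/ssh/sshd_config (keys lowercased as `sshd -T` prints them).
EXPECTED = {
    "x11forwarding": "no", "banner": "/etc/banner",
    "clientaliveinterval": "3600", "clientalivecountmax": "0",
    "allowagentforwarding": "no", "allowtcpforwarding": "no",
}

# Assumed OpenSSH names: CBC ciphers contain "-cbc", RC4 is "arcfour*", SHA-1 kex ends in "-sha1".
WEAK = {
    "ciphers": lambda n: "-cbc" in n or n.startswith("arcfour"),
    "kexalgorithms": lambda n: n.endswith("-sha1"),
}

# Constructed sample of drifted `sshd -T` output, not taken from a real host.
SAMPLE = """\
x11forwarding no
banner none
clientaliveinterval 3600
clientalivecountmax 0
allowagentforwarding no
allowtcpforwarding yes
ciphers aes256-ctr,aes128-cbc,arcfour
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
"""

def parse(text):
    """Parse 'keyword value' lines; the first occurrence of a keyword wins."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            settings.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return a list of findings; an empty list means the output matches the page."""
    settings, findings = parse(text), []
    for key, want in EXPECTED.items():
        if settings.get(key) != want:
            findings.append(f"{key}: expected {want}, found {settings.get(key)}")
    for key, is_weak in WEAK.items():
        names = [n.strip() for n in settings.get(key, "").split(",")]
        findings += [f"{key}: weak algorithm {n}" for n in names if is_weak(n)]
    return findings

if __name__ == "__main__":  # pipe in `sshd -T`, or run on a terminal to see SAMPLE
    print("\n".join(audit(SAMPLE if sys.stdin.isatty() else sys.stdin.read())) or "OK")
```

Feed it the effective configuration with `sshd -T | python3 audit.py`, where audit.py is a hypothetical file name.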
Password Protection
TufinOS user account information is stored in /etc/passwd. Passwords are stored in /etc/shadow. All user password information is hashed using SHA512, as defined in /etc/login.defs.