SecureCRT Security Settings — Configure for Maximum Safety
1) Use SSH2 only
- In Session/Global Options → Protocol, select SSH2 (disable SSH1/Telnet).
2) Strong host-key and server validation
- Enable Verify host key prompts and store host keys.
- Compare first-time host keys out-of-band (admin portal, fingerprint over secure channel).
- Remove/replace stale host keys in Global Options → SSH2 → Known Hosts.
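Worked example for the out-of-band comparison above. This is added Python, not part of the original page and not SecureCRT code: it rebuilds an ssh-ed25519 public-key blob from constructed (not real) key bytes, derives the SHA256 and MD5 fingerprints in the notation that OpenSSH's ssh-keygen -l prints, and checks the key a server presented against a fingerprint obtained from an admin portal. The host name and key bytes are made up for the demonstration; the function also handles plain "type blob" lines, not only known_hosts lines with a leading host name.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_key: bytes) -> bytes:
    """Build the wire-format public-key blob for an ssh-ed25519 key.
    This is the byte string that appears base64-encoded after the key type in
    authorized_keys and known_hosts lines; fingerprints are hashes of it."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(SHA-256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint ('MD5:aa:bb:...') shown by older tooling."""
    digest = hashlib.md5(blob).digest()
    return "MD5:" + ":".join(f"{b:02x}" for b in digest)


def fingerprint_from_key_line(line: str) -> str:
    """Compute the SHA256 fingerprint of the key in a known_hosts or public-key line.
    Accepted layouts: '<host> <key-type> <base64-blob> [comment]' and
    '<key-type> <base64-blob> [comment]'."""
    parts = line.split()
    for i, token in enumerate(parts[:-1]):
        if token.startswith("ssh-") or token.startswith("ecdsa-"):
            return sha256_fingerprint(base64.b64decode(parts[i + 1]))
    raise ValueError("no SSH key type found in line")


def host_key_matches(presented_line: str, expected_fingerprint: str) -> bool:
    """Compare the fingerprint of the key a server presented with the value
    obtained out-of-band (for example from the admin portal)."""
    return fingerprint_from_key_line(presented_line) == expected_fingerprint.strip()


# Constructed sample key material for demonstration only: 32 bytes of 0x42 is
# not a real server key, and the host name is fictitious.
SAMPLE_RAW_KEY = bytes([0x42]) * 32
SAMPLE_BLOB = build_ed25519_blob(SAMPLE_RAW_KEY)
SAMPLE_KNOWN_HOSTS_LINE = (
    "bastion.example.internal ssh-ed25519 "
    + base64.b64encode(SAMPLE_BLOB).decode("ascii")
)

if __name__ == "__main__":
    presented = sha256_fingerprint(SAMPLE_BLOB)
    print("Fingerprint of presented key:", presented)
    print("Legacy MD5 form:", md5_fingerprint(SAMPLE_BLOB))
    # In practice 'presented' comes from the SecureCRT prompt and the expected
    # value from the portal; here both derive from the constructed sample.
    print("Matches portal value:", host_key_matches(SAMPLE_KNOWN_HOSTS_LINE, presented))
```

Only accept the host key when the two strings are identical; a single differing character means a different key, whether from a legitimate rotation or from something sitting between you and the server.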
3) Strong ciphers, KEX, and MACs
- In Session Options → SSH2 → Encryption / Kex / Mac, prefer modern algorithms:
  - Ciphers: AES-256-CTR, AES-256-GCM, ChaCha20-Poly1305 (if available)
  - KEX: diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp384 or stronger
  - MACs: hmac-sha2-512, hmac-sha2-256, and the corresponding -etm@openssh.com (encrypt-then-MAC) variants where the server offers them
- Enable FIPS mode only if required by policy (Global Options → General or SSH2).
4) Public-key authentication (preferred)
- Generate strong keys (Ed25519 or RSA ≥ 3072 / RSA 4096 if required).
- Protect private keys with a passphrase and store them securely (use OS-protected folder).
- In Session Options → SSH2 → Authentication, enable PublicKey and set the identity file (.ppk or OpenSSH format).
- Upload public keys to servers via secure channels. Use certificate-based or smartcard (PKCS#11/CAPI) where available.
5) Use an SSH agent and limit forwarding
- Use an agent (Pageant/ssh-agent) to avoid typing private key passphrases repeatedly.
- Disable Agent forwarding unless explicitly needed; if used, restrict via server-side controls.
6) Two-factor and smartcard support
- Configure smartcard / PKCS#11 (Global Options → SSH2 → Public Key → use certificate or PKCS#11 DLL).
- Prefer 2FA (smartcard or hardware token) when supported by your server.
7) Session hardening & defaults
- Edit the Default Session: enforce chosen auth order (PublicKey → Keyboard-Interactive → Password), disable weaker auths.
- Disable password authentication where possible (server-side) and remove Password from client auth list.
- Disable compression unless required (can expose timing side channels).
8) Logging, timeout, and idle controls
- Set Keepalives or server-side idle disconnects to prevent stale sessions (Session Options → Terminal/Connection).
- Enable activity logging securely and rotate logs; avoid logging sensitive passphrases.
9) Secure file and key handling
- Use secure SFTP or SCP via SSH2 for file transfers.
- Keep private keys off shared/network drives; use OS file permissions to restrict access.
- Regularly rotate keys and remove public keys for revoked users.
10) GUI and scripting safety
- When using scripts, store credentials in protected keystores or use agent-based auth; never hard-code passwords in scripts.
- Review scripts for command injection risks before running against production systems.
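Added example for both points in section 10 (Python, not part of the page and not SecureCRT's own scripting API): a credential helper that takes its value from a keystore-backed launcher via the environment or from a non-echoing prompt instead of a literal, a hostname validator that a script runs before building any command it sends with crt.Screen.Send, and a small scanner that flags lines assigning quoted literals to credential-looking names. The environment variable name, the ping command and the sample script are constructed for the demonstration.

```python
import getpass
import os
import re

# RFC 1123 style host labels: letters, digits and hyphens, 1-63 chars per label,
# no leading or trailing hyphen, labels joined by dots.
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

# Lines that assign a quoted literal to a name that looks like a credential.
SECRET_LITERAL = re.compile(
    r"""(?i)\b(?:pass(?:word|phrase)?|pwd|secret|token|api_?key)\s*=\s*["'][^"']+["']"""
)


def validate_hostname(value: str) -> str:
    """Return the hostname unchanged if it fits the hostname grammar; otherwise refuse.
    Spaces, ';', '|', '$', quotes and newlines are all outside the grammar, so they
    never reach the remote shell. fullmatch() is used so a trailing newline fails too."""
    if not value or len(value) > 253 or not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"refusing hostname {value!r}: not a valid host name")
    return value


def build_ping_command(target: str) -> str:
    """Command a script would send to the remote device (constructed example).
    The only variable part is validated first, so untrusted input cannot add commands."""
    return f"ping -c 4 {validate_hostname(target)}"


def get_credential(name: str, env=None, prompt=getpass.getpass) -> str:
    """Obtain a credential without a literal in the script. Preference order:
    1. a value a launcher injected from a protected keystore into the environment
       (variable name is whatever your launcher uses; NETOPS_TOKEN below is hypothetical),
    2. an interactive prompt that does not echo.
    With agent-based authentication (section 5) the key never passes through here."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value:
        return value
    return prompt(f"{name}: ")


def find_hardcoded_secrets(script_text: str) -> list:
    """Return 1-based line numbers of lines that assign a literal credential."""
    return [n for n, line in enumerate(script_text.splitlines(), 1)
            if SECRET_LITERAL.search(line)]


# Constructed sample of a SecureCRT Python script; line 3 is the offending one.
SAMPLE_SCRIPT = '''# $language = "Python"
# $interface = "1.0"
password = "hunter2"
crt.Screen.Send("terminal length 0\\r")
token = get_credential("NETOPS_TOKEN")
'''

if __name__ == "__main__":
    print(build_ping_command("core-sw01.example.internal"))
    print("hard-coded secrets on lines:", find_hardcoded_secrets(SAMPLE_SCRIPT))
```

Run find_hardcoded_secrets over every script in your SecureCRT scripts folder as a pre-commit or pre-deployment check; it is a pattern match, so treat hits as prompts for review rather than proof.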
Quick checklist (apply to Global Default + per-session)
- SSH2 only
- Host key verification enabled
- Public-key auth prioritized; passwords disabled
- Strong ciphers/KEX/MACs selected
- Private keys passphrase-protected and stored securely
- Agent forwarding disabled unless required
- Smartcard/2FA enabled where available
- Idle timeout and logging configured
- No credentials hard-coded in scripts
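Added example (Python, not part of the page or of SecureCRT): an auditor that reads a SecureCRT-style session .ini file and reports every deviation from sections 3 and 7 and this checklist, so the Default Session and each exported session can be checked in bulk rather than by clicking through dialogs. The S:/D: line layout and the setting names used (Protocol Name, Cipher List, Key Exchange, MAC List, SSH2 Authentications V2, Use Compression, Allow Agent Forwarding) are assumptions modelled on SecureCRT's .ini files, as are the two sample sessions; compare them with a real export from your Config/Sessions directory before relying on the script.

```python
import re

# Allowlists taken from section 3, spelled as the SSH protocol names them.
# ecdh-sha2-nistp521 is included to cover "ecdh-sha2-nistp384 or stronger".
ALLOWED_CIPHERS = {"aes256-ctr", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"}
ALLOWED_KEX = {"diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"}
ALLOWED_MACS = {"hmac-sha2-512", "hmac-sha2-256",
                "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"}

# One line of a SecureCRT-style session file: S:"Name"=text or D:"Name"=hex word.
# This layout and the setting names below are assumptions, not taken from
# SecureCRT documentation.
SETTING_LINE = re.compile(r'^(?P<kind>[SD]):"(?P<name>[^"]+)"=(?P<value>.*)$')


def parse_session(text):
    """Return {setting name: (kind, value)} for every line that matches the layout."""
    settings = {}
    for raw in text.splitlines():
        m = SETTING_LINE.match(raw.strip())
        if m:
            settings[m.group("name")] = (m.group("kind"), m.group("value").strip())
    return settings


def text_setting(settings, name, default=""):
    return settings.get(name, ("S", default))[1]


def flag_setting(settings, name):
    """D: values are hex words; anything non-zero counts as enabled. Missing means off."""
    _kind, value = settings.get(name, ("D", "0"))
    try:
        return int(value, 16) != 0
    except ValueError:
        return value.lower() in ("yes", "true")


def split_list(value):
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def audit_session(text):
    """Return a list of findings; an empty list means the session meets the checklist."""
    s = parse_session(text)
    findings = []
    protocol = text_setting(s, "Protocol Name", "unset")
    if protocol.upper() != "SSH2":
        findings.append(f"protocol is {protocol}, expected SSH2")
    checks = (("Cipher List", ALLOWED_CIPHERS, "cipher"),
              ("Key Exchange", ALLOWED_KEX, "kex"),
              ("MAC List", ALLOWED_MACS, "mac"))
    for name, allowed, label in checks:
        for alg in split_list(text_setting(s, name)):
            if alg not in allowed:
                findings.append(f"{label} {alg} is not on the allowlist")
    auths = split_list(text_setting(s, "SSH2 Authentications V2"))
    if "password" in auths:
        findings.append("password authentication is still offered")
    if auths and auths[0] != "publickey":
        findings.append(f"auth order starts with {auths[0]}, expected publickey")
    if flag_setting(s, "Use Compression"):
        findings.append("compression is enabled")
    if flag_setting(s, "Allow Agent Forwarding"):
        findings.append("agent forwarding is enabled")
    return findings


# Constructed sample sessions (not real exports): one that violates the checklist
# in several places and one that meets it.
WEAK_SESSION = """\
S:"Protocol Name"=SSH2
S:"Cipher List"=aes256-ctr,3des-cbc
S:"Key Exchange"=diffie-hellman-group1-sha1,ecdh-sha2-nistp384
S:"MAC List"=hmac-sha2-256,hmac-md5
S:"SSH2 Authentications V2"=password,publickey
D:"Use Compression"=00000001
D:"Allow Agent Forwarding"=00000001
"""

HARDENED_SESSION = """\
S:"Protocol Name"=SSH2
S:"Cipher List"=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
S:"Key Exchange"=ecdh-sha2-nistp521,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha256
S:"MAC List"=hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
S:"SSH2 Authentications V2"=publickey,keyboard-interactive
D:"Use Compression"=00000000
D:"Allow Agent Forwarding"=00000000
"""

if __name__ == "__main__":
    for label, session in (("weak", WEAK_SESSION), ("hardened", HARDENED_SESSION)):
        findings = audit_session(session)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Point the script at the Default Session file first: per-session files inherit from it, so a weak default silently propagates to every new session.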