SSH Server Hardening Guide v2

CaffeineFueled

2023/11/22

This is an updated version from last year. Thank you for the great feedback!


This article covers mainly the configuration of the SSH service and only references ways to protect the service on the host machine or via policies.

I’ll use Linux with an SSH server as a reference (OpenBSD Secure Shell server according to systemd).


Important: Please test the configuration changes in a test environment or a single user or group to limit the lockout risk!

Additionally, DO NOT copy any configuration mindlessly! - Some configuration changes are just recommendations and work in most cases, but make sure those work for your system, too.

SSH Server Configuration #

The following configurations can be changed in the /etc/ssh/sshd_config file or in a separate configuration file that can be created in a subdirectory /etc/ssh/sshd_config.d/*.conf.

Side note: It is recommended to create a separate configuration file as the default file is at risk of getting overwritten with a future software update. Just make sure that the default configuration file references the subdirectory with Include /etc/ssh/sshd_config.d/*.conf.

That said, you can check the configuration file with sudo sshd -t; no output means that it is okay, and errors will be displayed if someone is not working out, like in the following example:

$ sudo sshd -t
/etc/ssh/sshd_config: line 49: Bad configuration option: DebianBanner
/etc/ssh/sshd_config: terminating, 1 bad configuration options

Use sudo sshd -T for a more verbose output, which additionally displays all the options that are used.

Almost every config file change requires a restart of the SSH server service.

Public key authentication #

You can find a guide on how to use public key authentication in this linked article. I highly recommend securing your server with public key authentication instead of password authentication.

After enabling it, make sure to turn off password authentification:

PasswordAuthentication no

It requires some configuration on the server and client, but it is worth it as it is one of the best ways to protect your server.

Changing the ssh port #

Port 2222

Change the default SSH port 22 of your host to something else. Some people think it is a must; some think it is useless. There is no perfect answer, but I hope the following list of pros and cons will help you to decide:

Pros:

Cons:

Side note: choosing a port below 1024 (system or well-known port) is recommended to make it more difficult for an unprivileged user to highjack the service, as by default, non-root processes can only open ports above 1023. Just make sure to avoid conflicts with already used ports.

Disable root login #

PermitRootLogin no

Prohibits connecting as root as it is recommended to work with a separate user with optional sudo permissions.

I’ve got some feedback that it is unnecessary to disable this since users with sudo permissions could do the same damage, but I disagree. Most - if not all - systems have a root user, and this is known, which makes it easy to run brute-force or dictionary attacks against the system. Most attackers don’t know the available users on a system, which makes the username a kind of password.

Disable login attempts with empty passwords #

PermitEmptyPasswords no

It is fairly self-explanatory, but to make sure, allowing any account without a password to log into the system is a big no-no and should be turned off immediately.

Disable SSHv1 and use SSHv2 #

Protocol 2

SSHv2 is usually the default, but it is worth ensuring SSHv1 is disabled.

There are multiple ways to check if SSHv1 is still enabled, and I show you some. The following commands can be done remotely or on the server with localhost as destination:

ssh -1 remoteuser@remoteserver
SSH protocol v.1 is no longer supported

or with a verbose output like this:

ssh -v remoteuser@remoteserver
[...]
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.3 
[...]

or netcat:

echo ~ | nc remoteserver 22
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.3

Important: If you see SSH-1.99 as version, it means that SSHv1 is enabled and it should be disabled!

Restrict access to specific users or/and groups #

AllowUsers a_this a_that

AllowGroups ssh_login

This option is pretty straightforward and limits the users or groups that can access the server via SSH.

Restrict access to specific IP or network #

AllowUsers *@10.10.10.10 # affects all users

AllowUsers provider-a@111.111.111.111 provider-b@222.222.222.222

AllowUsers internal-user@10.10.0.0/16

You can further limit the access to specific IPs or networks.

Restrict access to specific interfaces #

ListenAddress 10.10.10.10

Most servers have multiple interfaces. If the server has one interface for the internal network and one for the internet, and you don’t need to reach the server over the internet, it is recommended to make the SSH server listen only to the internal IP. The default is 0.0.0.0, which allows the service to listen to all interfaces.

Set an authentication timer #

LoginGraceTime 20

The authentication must happen in 20 seconds before the connection gets closed. The default is 2 minutes. It helps to prevent specific denial-of-service attacks where authentication sessions are kept open for a period of time and prevent valid authentications.

Side note: make sure that this limit works for you. This limit won’t be a problem for Public Key Authentication, but if you have to wait for mail to arrive with the MFA token, 20 seconds might be too short.

Limit maximum number of attempted authentications #

MaxAuthTries 3

The default is 6, and lowering it makes it a little bit more difficult to brute-force a password since the server drops the unauthenticated connection after 3 failed attempts.

Side note: Every SSH key loaded into the ssh-agent counts as one attempt each. Keep this in mind if you have a bunch of keys loaded! Additionally, if the Kerberos/GSSAPI authentication method is enabled, the look-up of whether the client is authenticated counts as one attempt.

Limit the number of concurrent unauthenticated connections #

MaxStartups 10:30:100

This is the default and good enough, but I thought explaining this option makes sense.

Explanation MaxStartups start:rate:full:
10 - number of allowed concurrent unauthenticated connections
30 - percentage chance of randomly dropping connections attempts after reaching start (10) and the chance increases linearly until the full (100) connections are reached
100 - maximum number of unauthenticated connections after every new attempt is getting dropped

The randomized connection dropping makes it more difficult to DOS the service with unauthenticated connections.

Side note: Please remember that this option can cause problems with automation and configuration tools or transferring tools that might authenticate slowly and require separate connections.

This option only affects pre-authentication connection and does not limit anything else. Additionally, it has nothing to do with the following option.

Restrict Multiplexing #

MaxSessions 10

This is the default, limits the ‘sessions’ for one SSH session to 10, and is fine for most cases. Nevertheless, I thought I’d write about some options.

This option simply limits the ‘sessions’ - as in shell, login, or subsystems like sftp - of a single network connection (TCP)/ SSH authentication. If this limit is reached, a user could simply open another connection.


You can disable multiplexing by setting this option to 1. Every shell, sftp connection, and so on, will then each require a TCP connection, which adds overhead, but can be helpful to limit the damage a highjacked session can do, increases visibility of the connections as they are separate, and therefore troubleshoot certain issues.

But please keep in mind that disabling multiplexing can cause problems and limits some functions! Automation and configuration tools like Chef, parallel transfers via scp, and other tools that need multiplexing could stop working.


Setting MaxSessions to 0 disables all shell, login, and subsystem sessions but still allows tunneling, port forwarding, or SOCKS proxying.

This option can be used to limit the permissions of a bastion/jump host user or group to a single task.

Set up a session timeout #

ClientAliveCountMax 3

ClientAliveInterval 120

The configuration above means that the session is terminated after 6 minutes of client inactivity. After 120 seconds without receiving any data from the client, the server will ask if the client is still there. If the client does not respond, the server will try it again in 120 seconds. If the client fails to answer 3 times, the session is getting terminated.

Hide Linux Version in identification string #

DebianBanner no

The Linux version is being added as a comment on the identification string. Debian and Debian derivates add it by default, RHEL distros do not (from my experience, CentOS+RockyOS).

It changes the identification string pre-authentication from SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.3 to SSH-2.0-OpenSSH_8.9p1.

Please note that the rest of the identification string must remain unchanged according to RFC 4253:

4.2.  Protocol Version Exchange

   When the connection has been established, both sides MUST send an
   identification string.  This identification string MUST be

      SSH-protoversion-software version SP comments CR LF

Disable tunneling and port forwarding #

AllowAgentForwarding no

AllowTcpForwarding no

PermitTunnel no

Disabling those functions makes it more difficult to use the server as a jump host to gain access to the connected networks, malicious or not. Most servers do not need those functions enabled, but to learn more, feel free to check my article about SSH tunneling and port forwarding.

Disable unused authentification methods #

KerberosAuthentication no

GSSAPIAuthentication no

ChallengeResponseAuthentication

It highly depends on your needs, but if an authentification method is unused, it should be disabled as it increases the attack surface to exploits and vulnerabilities.

Side note: Please ensure you don’t disable the only method you can log in to prevent a lockout.

Disable X11 Forwarding #

X11Forwarding no

The security concern here is that X11 forwarding opens a channel from the server to the client. In an X11 session, the server can send specific X11 commands to the client, which can be dangerous if the server is compromised. Source

Disable SFTP subsystem #

If you do not need SFTP, disable it. It decreases the attack surfaces and makes the system less vulnerable to security flaws.

Just comment out the Subsystem sftp [...] out of the config by placing a # at the beginning of the lines.

Disable insecure ciphers and MACs #

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

KexAlgorithms curve25519-sha256@libssh.org

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

There are even some more restrictive options, but I have not tested them myself.

Side note: Please note that some clients could encounter problems connecting to the server if they don’t support the same ciphers. Either update the software on the client or add ciphers that are supported by the client to the server.

Auditing tools like ssh-audit can tell you what is secure and what is not.

Host Server configurations #

I won’t go into detail in this section as it is not in the scope. I just reference methods that I have already covered and name others that can help you secure your server even further.


Methods:


General policies:


Special thanks to ruffy for recommending disabling X11 forwarding and the SFTP subsystem.




Most recent Articles:
  • Notice Board 003: Progress is Progress
  • How to: Cisco ISE backup to SFTP repository with public key authentication
  • Dummy IP & MAC Addresses for Documentation & Sanitization
  • Deploying ISSO Commenting System for Static Content using Docker
  • Generate a Vanity v3 Hidden Service Onion Address with mkp224o