SSH server hardening
We all know that it is important to secure your machines. I am going to show you some ways to do so. Some are trivial and should be set immediately, and some require more work. Part 2 will follow with the advanced options.
I'll use a random Linux machine with a SSH server as a reference (
OpenBSD Secure Shell server according to systemd and config file). For the upcoming config changes, I have to edit
/etc/ssh/sshd_config. It might differ from your setup.
Before we start
Please make sure that you test it on another machine first or have another way to access the machine. There are options to lock you out if it is not set up correctly!
And just as a side note: every change of the config file requires are restart of the SSH server.
Public key authentication
You can find a guide on how to use public key authentication in this post. I highly recommend to secure your server with public key authentication instead of password authentication.
Disable login attempts with empty passwords
Fairly self-explanatory, but to make sure: allowing any account without a password to log into the system is a big no-no and should be turned off immediately.
Changing the ssh port
Well, some people think it is necessary, and some think it is useless to change the ssh port. It might not help against targeted attacks or scans, but it can help to avoid mass scans, bots, and script kiddies. Just remember to change the destination port on your clients as it deviates from the default
Disable root login
Nobody should use the server as root, and therefore nobody should be able to login a root via ssh. To make sure you have an user with sudo created on the machine.
Disable SSHv1 and use SSHv2
SSHv2 is usually the default, but it is worth making sure.
Set idle timeout interval
The server uses this interval to check if the connection is still used and terminates the session when the client doesn't respond. With
ClientAliveCountMax you can decide how often the server should send this message.
The used unit of the interval in seconds. I usually use 1800 seconds - or half an hour - but some suggest something way lower.
Restrict access to specific users or/and groups
AllowUsers a_this a_that
This option is pretty straightforward and should be used. Just create a group like
ssh_login and put the user into it if said user should be allowed to login in via ssh. With that, you don't have to edit the config file every time.
Set an authentication timer
The authentication must happen in 20 seconds. The default is 2 minutes. This setting is not that important in my opinion.
Disable insecure ciphers and MACs
Ciphers email@example.com,firstname.lastname@example.org,email@example.com,aes256-ctr,aes192-ctr,aes128-ctr KexAlgorithms firstname.lastname@example.org MACs email@example.com,firstname.lastname@example.org,hmac-sha2-512,hmac-sha2-256
There are even some more restrictive options, but I have not tested them myself.
Disable X11 Forwarding
The security concern here is that X11 forwarding opens a channel from the server to the client. In an X11 session, the server can send specific X11 commands to the client, which can be dangerous if the server is compromised. Source
Disable SFTP subsystem
If you do not need SFTP, disable it. It is another attack vector, and something that is not usable, is harder to breach.
Just comment out the
Subsystem sftp [...] out of the config.
I am going to write about more advanced hardening options that require more work and auditing your SSH access.
- Some things I will cover and are worth looking into it:
- Public key authentication
Special thanks to ruffy for recommending disabling X11 forwarding and the SFTP subsystem.
E-Mail hello @itta vern. com
- 17.01.2023 SSH Troubleshooting Guide
- 05.01.2023 SSH - run script or command at login
- 01.01.2023 Visual guide to SSH tunneling and port forwarding
- 14.12.2022 SSH - How to use public key authentication on Linux
- 13.03.2023 My Offsite Backup - March 2023
- 10.03.2023 Getting started with iperf3 - Network Troubleshooting
- 05.03.2023 ICMP echo requests on Linux and Windows - Reference Guide
- 14.02.2023 Simulate an unreliable network connection with tc and netem on Linux
- 08.02.2023 Detecting Rogue DHCP Server