We all know that it is important to secure your machines. I am going to show you some ways to do so. Some are trivial and should be set immediately, and some require some more work. Part 2 will follow with the advanced options.
I'll use a random Linux machine with an SSH server as reference (OpenBSD Secure Shell server according to systemd and the config file). For the upcoming changes to the config, I have to edit /etc/ssh/sshd_config. It might differ from your setup.
Before we start
Please make sure that you test it on another machine first or have another way to access the machine. Some of these options will lock you out if they are not set up correctly!
And just as a side note: every change of the config file requires a restart of the SSH server.
Disable login attempts with empty passwords
Fairly self-explanatory, but just to make sure: allowing any account without a password to log into the system is a big no-no and should be turned off immediately.
Changing the ssh port
Well, some people think it is totally necessary, and some think it is totally useless to change the ssh port. It might not help against targeted attacks or scans, but it can help to avoid mass scans, bots, and script kiddies. Just remember to change the destination port on your clients as it deviates from the default.
Disable root login
Nobody should use the server as root, and therefore nobody should be able to log in as root via ssh. Just make sure you have a user with sudo created on the machine.
Disable SSHv1 and use SSHv2
SSHv2 is usually the default, but it is worth making sure.
Set idle timeout interval
The server uses this interval to check if the connection is still used, and terminates the session when the client doesn't respond. With ClientAliveCountMax you can decide how often the server should send this message before giving up.
The interval is given in seconds. I usually use 1800 seconds - or half an hour - but some suggest something way lower.
Restrict access to specific users or/and groups
AllowUsers a_this a_that
This is fairly straightforward and should be used. Just create a group like ssh_login and put the user into it if said user should be allowed to log in via ssh. With that, you don't have to edit the config file every time.
Set an authentication timer
The authentication must happen within 20 seconds; the default is 2 minutes. This setting is not that important in my opinion.
Disable insecure ciphers and MACs
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
There are even more restrictive options, but I have not tested them myself.
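Every section above names a setting, and a quick way to see whether a machine actually has all of them in place is to audit its sshd_config rather than reading it by eye. The script below is an added example for this post, not the author's tool: a POSIX sh auditor that extracts each directive the way sshd does (first uncommented occurrence wins, keywords are case-insensitive, Match blocks are skipped) and prints one finding per setting that is missing or weak. The two sample configs at the bottom are constructed for the demo, and the Ciphers/KexAlgorithms/MACs lists in the hardened one are my choice of a common modern set rather than a claim about the post.

```shell
#!/bin/sh
# Added example for this post (not the author's script): a POSIX sh auditor
# that reads an sshd_config and reports the settings discussed above.
# Directive names are OpenSSH's own; the two sample configs at the bottom are
# constructed for the demo, and the algorithm lists in the hardened one are
# my choice of a common modern set, not a claim about the post.

# Print the value of the FIRST uncommented occurrence of a directive in the
# global section, which is what sshd honours. Keywords are case-insensitive
# and both "Key value" and "Key=value" are accepted; parsing stops at the
# first "Match" block because settings in there are conditional.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /[ \t=]+/) == 0) next   # keyword without a value
            kw  = tolower(substr(line, 1, RSTART - 1))
            val = substr(line, RSTART + RLENGTH)
            if (kw == "match") exit
            if (kw == key) { print val; exit }
        }' "$1"
}

# One finding per line: directive, value found (or <not set>), and why it matters.
finding() { printf '%s: %s (%s)\n' "$1" "${2:-<not set>}" "$3"; }

# Audit one config file. Prints nothing when every setting discussed is in place.
sshd_audit() {
    f=$1
    v=$(sshd_get "$f" PermitEmptyPasswords)
    [ "$v" = yes ] && finding PermitEmptyPasswords "$v" "accounts without a password may log in"
    v=$(sshd_get "$f" Port)
    if [ -z "$v" ] || [ "$v" = 22 ]; then
        finding Port "$v" "default port, expect mass scans and bots"
    fi
    v=$(sshd_get "$f" PermitRootLogin)
    [ "$v" = no ] || finding PermitRootLogin "$v" "root must not log in over ssh"
    v=$(sshd_get "$f" Protocol)
    case "$v" in *1*) finding Protocol "$v" "SSHv1 is enabled" ;; esac
    v=$(sshd_get "$f" ClientAliveInterval)
    [ "${v:-0}" -gt 0 ] 2>/dev/null || finding ClientAliveInterval "$v" "idle sessions are never terminated"
    v=$(sshd_get "$f" ClientAliveCountMax)
    [ -n "$v" ] || finding ClientAliveCountMax "$v" "left at the sshd default"
    if [ -z "$(sshd_get "$f" AllowUsers)" ] && [ -z "$(sshd_get "$f" AllowGroups)" ]; then
        finding AllowUsers/AllowGroups "" "every account on the machine may try to log in"
    fi
    v=$(sshd_get "$f" LoginGraceTime)
    n=${v%s}   # sshd accepts a trailing unit such as 20s
    { [ -n "$n" ] && [ "$n" -le 20 ] 2>/dev/null; } || finding LoginGraceTime "$v" "longer than the 20 s used in the post"
    for d in Ciphers KexAlgorithms MACs; do
        v=$(sshd_get "$f" "$d")
        if [ -z "$v" ]; then
            finding "$d" "" "not pinned, the sshd default list applies"
        elif printf '%s' "$v" | grep -Eqi 'cbc|arcfour|3des|md5|sha1'; then
            finding "$d" "$v" "contains a weak algorithm"
        fi
    done
}

# Constructed sample configs: a typical "as installed" file and a hardened one.
WEAK=$(mktemp) && cat > "$WEAK" <<'EOF'
# most directives commented out, so sshd's built-in defaults apply
Port 22
#PermitRootLogin prohibit-password
PermitEmptyPasswords yes
LoginGraceTime=120
Ciphers aes128-cbc,aes256-ctr
EOF
HARD=$(mktemp) && cat > "$HARD" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
ClientAliveInterval 1800
ClientAliveCountMax 2
AllowGroups ssh_login
LoginGraceTime 20
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
EOF

echo "== weak config =="
sshd_audit "$WEAK"
echo "== hardened config =="
sshd_audit "$HARD"
```

On a real host, point sshd_audit at /etc/ssh/sshd_config, or at the output of `sshd -T` (run as root), which prints the effective configuration with defaults filled in, so "not set" findings turn into concrete default values. Before the restart that every config change needs, `sshd -t` only validates the file and is a cheap way to avoid the lock-out warned about at the top of the post.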
I am going to write about more advanced hardening options that require more work, and about auditing your SSH access. Some things I will cover that are worth looking into:
- Public key authentication
E-Mail hello @itta vern. com