
SSH server hardening

We all know that it is important to secure your machines. I am going to show you some ways to do so. Some are trivial and should be set immediately, and some require some more work. Part 2 will follow with the advanced options.

I'll use a random Linux machine with an SSH server as a reference (OpenBSD Secure Shell server according to systemd and the config file). For the upcoming config changes, I edit /etc/ssh/sshd_config. The path might differ on your setup.

Before we start

Please make sure that you test the changes on another machine first or have another way to access the machine. Some of these options can lock you out if they are not set up correctly!

And just as a side note: every change to the config file requires a restart of the SSH server.

Disable login attempts with empty passwords

PermitEmptyPasswords no

Fairly self-explanatory, but just to make sure: allowing any account without a password to log into the system is a big no-no and should be turned off immediately.

Changing the ssh port

Port 2109

Well, some people think it is totally necessary, and some think it is totally useless to change the ssh port. It might not help against targeted attacks or scans, but it can help to avoid mass scans, bots, and script kiddies. Just remember to change the destination port on your clients as it deviates from the default 22.

Disable root login

PermitRootLogin no

Nobody should use the server as root, and therefore nobody should be able to log in as root via ssh. Just make sure you have created a user with sudo on the machine first.

Disable SSHv1 and use SSHv2

Protocol 2

SSHv2 is usually the default, but it is worth making sure.

Set idle timeout interval

ClientAliveInterval 1800

The server uses this interval to check whether the client is still responding, and terminates the session when the client doesn't respond. With ClientAliveCountMax you can set how many of these messages the server sends without getting a response before it disconnects.

The interval is given in seconds. I usually use 1800 seconds - or half an hour - but some suggest something way lower.

Restrict access to specific users or/and groups

AllowUsers a_this a_that
AllowGroups ssh_login

This is fairly straightforward and should be used. Just create a group like ssh_login and put the user into it if said user should be allowed to log in via ssh. With that, you don't have to edit the config file every time. Keep in mind that when both directives are set, a user has to pass both checks.

Set an authentication timer

LoginGraceTime 20

The authentication must happen within 20 seconds. The default is 2 minutes. This setting is not that important in my opinion.

Disable insecure ciphers and MACs

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

There are even some more restrictive options, but I have not tested them myself.
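
To check a config against the settings above before restarting the server, here is a small auditor as an added example (not code from this post). It assumes the usual sshd_config parsing rules: keywords are case-insensitive, the first value read for a keyword is used, and lines after a Match line apply only conditionally. The function names and the sample config are made up for the example.

```python
# Added example. Expected values are the article's; SAMPLE is constructed.
EXPECTED = {"permitemptypasswords": "no", "permitrootlogin": "no",
            "logingracetime": "20"}
ALLOWED = {
    "ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
               "aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr",
    "kexalgorithms": "curve25519-sha256@libssh.org",
    "macs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
            "hmac-sha2-512,hmac-sha2-256",
}
SAMPLE = """\
# constructed sshd_config for the example
permitrootlogin prohibit-password
PermitRootLogin no
LoginGraceTime 20
Ciphers chacha20-poly1305@openssh.com,aes128-cbc
MACs hmac-sha2-512-etm@openssh.com
Match User backup
    PermitEmptyPasswords no
"""

def parse_global(text):
    """Return global keyword -> value; sshd keeps the first value it reads."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()      # keywords are case-insensitive
        if key == "match":          # lines after Match apply only conditionally
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """List every global setting that deviates from the article's values."""
    cfg, findings = parse_global(text), []
    for key in list(EXPECTED) + list(ALLOWED):
        if key not in cfg:
            findings.append(f"{key}: not set globally, sshd default applies")
        elif key in EXPECTED and cfg[key].lower() != EXPECTED[key]:
            findings.append(f"{key}: '{cfg[key]}' instead of '{EXPECTED[key]}'")
        elif key in ALLOWED:
            extra = [a for a in cfg[key].split(",") if a not in ALLOWED[key].split(",")]
            findings += [f"{key}: '{a}' is not in the article's list" for a in extra]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a real host, the output of sshd -T (the effective configuration) can be passed to audit() instead of the file contents, which also covers defaults and included files.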

Advanced options

I am going to write about more advanced hardening options that require more work and auditing your SSH access.

Some things I will cover that are worth looking into:
Public key authentication
Fail2Ban
Logging
Auditing

