SSH Server Hardening
Guide to hardening an OpenSSH server (sshd) on a Linux machine. Unless stated otherwise, each directive below goes in `/etc/ssh/sshd_config`. Check the file with `sshd -t` before restarting sshd, and keep an existing session open until a fresh login succeeds, so a typo cannot lock you out.
- Enable Public Key Authentication
- Disable Password Authentication
- Disable Empty Passwords
- Disable Root Login
- Change Default SSH Port
- Only Allow Selected Users and/or Groups
- Disable X11 Forwarding
- Disable GatewayPorts
- Disable PermitUserEnvironment
- Disable Weak Cryptographic Algorithms
- Regenerate RSA & ED25519 Host Keys
- Disable DSA HostKeys
- Disable Small Diffie-Hellman Key Sizes
- Disable SSHv1
- SSH Hardening Resources
Enable Public Key Authentication
```
PubkeyAuthentication yes
```
This is the OpenSSH default, so the line mainly protects against a distribution or vendor config that turned it off. It enables plain key-based authentication; if you want to issue CA-signed user certificates instead of distributing individual public keys, you additionally need a `TrustedUserCAKeys` directive pointing at the CA's public key.
Disable Password Authentication
```
PasswordAuthentication no
```
Confirm that your key is in `~/.ssh/authorized_keys` and that a key-based login works before applying this. Also set `KbdInteractiveAuthentication no` (called `ChallengeResponseAuthentication` on OpenSSH releases before 8.7), otherwise PAM can still ask for a password through the keyboard-interactive method.
Disable Empty Passwords
```
PermitEmptyPasswords no
```
Disable Root Login
```
PermitRootLogin no
```
The upstream default, `prohibit-password`, still lets root log in with a key; `no` blocks root entirely, so administrators log in with their own accounts (giving you an audit trail) and escalate with sudo.
Change Default SSH Port
```
Port 23456
```
A non-default port cuts down log noise from automated scanners but is not a security control in itself. Open the new port in your firewall and, on SELinux systems, label it before restarting sshd (`semanage port -a -t ssh_port_t -p tcp 23456`), or sshd will be refused permission to bind to it.
Only Allow Selected Users and/or Groups
```
AllowUsers user1 user2
AllowGroups group1 group2
```
- You can also deny access to specific users and groups with `DenyUsers` and `DenyGroups` respectively. sshd evaluates these directives in the order `DenyUsers`, `AllowUsers`, `DenyGroups`, `AllowGroups`; once an Allow directive is present, anyone it does not list is refused, so prefer allow-listing an administrative group over denying individual accounts, and make sure your own account is covered before you restart.
Disable X11 Forwarding
```
X11Forwarding no
```
X11 forwarding exposes the connecting client's X server to the remote host; leave it off unless you actually run graphical programs over SSH.
Disable GatewayPorts
```
GatewayPorts no
```
With `no` (the default), remote port forwards requested by clients (`ssh -R`) bind only to the loopback interface, so a user cannot turn the server into a relay reachable from other hosts.
Disable PermitUserEnvironment
```
PermitUserEnvironment no
```
With `no` (the default), sshd ignores `~/.ssh/environment` and the `environment=` option in `authorized_keys`, which otherwise let a user inject variables such as `LD_PRELOAD` into the login process.
Disable Weak Cryptographic Algorithms
Hardened configuration
```
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
```
Extra-Hardened configuration
```
Ciphers chacha20-poly1305@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
```
The `@openssh.com` and `@libssh.org` suffixes are part of the algorithm names, not addresses. Every name you list must be supported by the installed sshd, otherwise sshd refuses to start; `ssh -Q cipher`, `ssh -Q kex` and `ssh -Q mac` print what your OpenSSH build knows, and `sshd -t` validates the file before you restart. The `-etm` MACs (encrypt-then-MAC) are preferred over their plain counterparts because they authenticate the ciphertext rather than the plaintext.
The algorithms a running server actually offers can be listed with nmap:
```
nmap -sV --script ssh2-enum-algos -p PORT TARGET
```
`PORT` is 22 by default; the `-p` flag can be omitted if you are using port 22, since nmap's default port set includes it. Anything in the output that is not in your configured lists means your settings were not loaded. Remember that sshd uses the first value it finds for a keyword, so on distributions whose `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in file there takes precedence over lines further down in the main file.
Regenerate RSA & ED25519 Host Keys
Run as root; this removes every existing host key (including the ECDSA one) and generates fresh RSA and Ed25519 keys with empty passphrases, which sshd requires:
```
rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
```
Point sshd at the new keys explicitly with `HostKey /etc/ssh/ssh_host_ed25519_key` and `HostKey /etc/ssh/ssh_host_rsa_key`, and remove or comment out any `HostKey` line for a key you did not regenerate, or sshd will log "Could not load host key" at startup. Clients that already know the server will see a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning until they update `known_hosts`, so publish the new fingerprints (`ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`) through a channel your users trust.
Disable DSA HostKeys
Make sure no `HostKey` directive loads the DSA key; if your config has such a line, leave it commented out:
```
#HostKey /etc/ssh/ssh_host_dsa_key
```
Delete the key pair as well so it cannot be re-enabled by accident. OpenSSH 7.0 already stopped offering DSA (`ssh-dss`) by default, and recent releases have removed DSA support altogether, so on those versions this step is a no-op.
Disable Small Diffie-Hellman Key Sizes
The fifth field of `/etc/ssh/moduli` is the number of significant bits in each group, one less than the nominal size, so `>= 3071` keeps the 3072-bit and larger groups:
```
cp /etc/ssh/moduli /etc/ssh/moduli.bak
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
```
Check that the filtered file is not empty before moving it into place. These groups are used only by the `diffie-hellman-group-exchange-*` key exchange methods; if your `KexAlgorithms` list contains none of them (as with the lists above), this step has no effect on negotiated sessions.
Disable SSHv1
```
Protocol 2
```
- Only needed on OpenSSH releases older than 7.4. OpenSSH 7.4 removed server-side support for protocol 1, and later versions treat `Protocol` as a deprecated keyword: sshd logs a warning, ignores it and starts normally.
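The settings above are all first-value-wins directives in `sshd_config`, which makes a naive `grep` an unreliable audit. As an added example, not part of the original guide, the following POSIX shell script checks a config file against the recommendations on this page while honouring that rule. The function names (`effective_value`, `weak_algorithms`, `audit_sshd_config`), the list of "weak" algorithm patterns and the sample configs are mine; the script reads a single file and does not follow `Include` lines, so on a live host `sshd -T` remains the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config file
# against the settings recommended above, offline and without root.
# sshd takes the FIRST value it reads for a keyword (outside Match blocks),
# so a later "PasswordAuthentication no" does not override an earlier "yes";
# the functions below follow that rule instead of grepping for any match.
# Limits: a single file is read (Include lines are not followed), so on a
# live host "sshd -T" remains the authoritative view of the effective config.

# effective_value FILE KEYWORD
#   Print the first active value of KEYWORD in FILE, or nothing if it is unset.
effective_value() {
    awk -v key="$2" '
        { gsub(/=/, " ") }                 # accept the "Keyword=value" form too
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        tolower($1) == "match" { exit }    # Match blocks are conditional: stop
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# weak_algorithms FILE KEYWORD REGEX
#   Print each entry of the effective comma-separated KEYWORD list that matches REGEX.
weak_algorithms() {
    effective_value "$1" "$2" | tr ',' '\n' | grep -E "$3" || true
}

# audit_sshd_config FILE
#   Print one "FAIL ..." line per deviation from this guide.
#   The exit status is the number of findings (0 means clean).
audit_sshd_config() {
    cfg="$1"
    findings=0
    # keyword : value this guide wants : value sshd assumes when the keyword is absent
    # (KbdInteractiveAuthentication was called ChallengeResponseAuthentication before 8.7)
    while IFS=: read -r key want default; do
        got="$(effective_value "$cfg" "$key")"
        [ -n "$got" ] || got="$default"
        if [ "$got" != "$want" ]; then
            echo "FAIL $key is '$got', want '$want'"
            findings=$((findings + 1))
        fi
    done <<'EOF'
PubkeyAuthentication:yes:yes
PasswordAuthentication:no:yes
KbdInteractiveAuthentication:no:yes
PermitEmptyPasswords:no:no
PermitRootLogin:no:prohibit-password
X11Forwarding:no:no
GatewayPorts:no:no
PermitUserEnvironment:no:no
EOF
    # Algorithm families the lists above leave out (CBC ciphers, RC4, 3DES,
    # SHA-1 or MD5 based key exchange and MACs): flag any still allowed, and
    # flag lists that are not set at all, since the guide sets them explicitly.
    for spec in \
        'Ciphers:(cbc|arcfour|3des|blowfish|cast128)' \
        'KexAlgorithms:sha1' \
        'MACs:(md5|sha1|-96)'; do
        key="${spec%%:*}"
        regex="${spec#*:}"
        if [ -z "$(effective_value "$cfg" "$key")" ]; then
            echo "FAIL $key is not set explicitly"
            findings=$((findings + 1))
            continue
        fi
        for weak in $(weak_algorithms "$cfg" "$key" "$regex"); do
            echo "FAIL $key allows weak algorithm $weak"
            findings=$((findings + 1))
        done
    done
    return "$findings"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run it as `sh audit_sshd.sh /etc/ssh/sshd_config`; the exit status is the number of findings, so it slots into a CI or configuration-management check. The `Match` handling is deliberately conservative: everything below the first `Match` block applies only to matching connections, so the script stops there rather than mistaking a conditional value for the global one.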
SSH Hardening Resources
More information about the rationale behind these settings and general SSH hardening advice can be found here:
This post is licensed under CC BY 4.0 by the author.