SSH Server Hardening

A guide to hardening an SSH server on a Linux machine.

  1. Enable Certificate Based Authentication
  2. Disable Password Authentication
  3. Disable Empty Passwords
  4. Disable Root Login
  5. Change Default SSH Port
  6. Only Allow Selected Users and/or Groups
  7. Disable X11 Forwarding
  8. Disable GatewayPorts
  9. Disable PermitUserEnvironment
  10. Disable Weak Cryptographic Algorithms
  11. Regenerate RSA & ED25519 Host Keys
  12. Disable DSA HostKeys
  13. Disable Small Diffie-Hellman Key Sizes
  14. Disable SSHv1
  15. SSH Hardening Resources

Enable Certificate Based Authentication

    PubkeyAuthentication yes

Disable Password Authentication

    PasswordAuthentication no

Disable Empty Passwords

    PermitEmptyPasswords no

Disable Root Login

    PermitRootLogin no

Change Default SSH Port

    Port 23456

Only Allow Selected Users and/or Groups

    AllowUsers user1 user2
    AllowGroups group1 group2
  • You can also deny access to certain users and groups with DenyUsers and DenyGroups respectively.

Disable X11 Forwarding

    X11Forwarding no

Disable GatewayPorts

    GatewayPorts no

Disable PermitUserEnvironment

    PermitUserEnvironment no
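The directives in sections 1 to 9 are only effective if sshd actually reads them the way you expect, and three sshd_config rules trip people up: keywords are case-insensitive, for each keyword the first value read wins (a hardening line appended below an earlier setting, or below an Include of a distro drop-in directory, is silently ignored), and everything after the first Match line is conditional rather than global. The following audit script is an added example, not code from the original post; the function names and the constructed sample file are mine. It checks a config file for the values recommended above (Port is left out because it is site-specific), does not expand Include lines, and is no substitute for running `sshd -T` on the host, which prints the effective configuration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file for
# the directives recommended in sections 1-9 of the guide.

# effective_value FILE KEYWORD -> prints the global value sshd would use, or
# nothing if the keyword is unset in the global section.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }                           # keywords are case-insensitive
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || substr(line, 1, 1) == "#") next  # blank line or comment
            n = split(line, f, /[ \t]+/)
            if (index(f[1], "=") > 0 || f[2] == "=") {         # "Keyword=value" form
                sub(/[ \t]*=[ \t]*/, " ", line)
                n = split(line, f, /[ \t]+/)
            }
            if (tolower(f[1]) == "match") exit                 # conditional section starts here
            if (tolower(f[1]) == key) {
                val = f[2]
                for (i = 3; i <= n; i++) val = val " " f[i]
                print val
                exit                                           # first occurrence wins
            }
        }' "$1"
}

# audit_sshd_config FILE -> prints one line per finding; returns the number of
# findings (0 means every checked directive matches the recommendation).
audit_sshd_config() {
    file=$1
    findings=0
    for pair in \
        "PubkeyAuthentication|yes" \
        "PasswordAuthentication|no" \
        "PermitEmptyPasswords|no" \
        "PermitRootLogin|no" \
        "X11Forwarding|no" \
        "GatewayPorts|no" \
        "PermitUserEnvironment|no"
    do
        kw=${pair%%|*}
        want=${pair#*|}
        got=$(effective_value "$file" "$kw" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            echo "MISSING  $kw (expected $want; the sshd default applies)"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $kw is '$got', expected $want"
            findings=$((findings + 1))
        fi
    done
    # Section 6: at least one allow-list should be in force.
    if [ -z "$(effective_value "$file" AllowUsers)$(effective_value "$file" AllowGroups)" ]; then
        echo "MISSING  AllowUsers/AllowGroups (any local account may log in)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_sample_sshd_config FILE -> constructed sample (not a real host's file):
# hardened directives plus a stray "PermitRootLogin yes" above the hardened
# one, which is the value sshd actually uses.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port=2222
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
GatewayPorts no
PermitUserEnvironment no
AllowGroups sshusers admins
# appended later by an administrator; ignored because the first value wins
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
}

# Usage (not run automatically):
#   write_sample_sshd_config /tmp/sshd_config.sample
#   audit_sshd_config /tmp/sshd_config.sample   # reports the PermitRootLogin mismatch
#   audit_sshd_config /etc/ssh/sshd_config      # audit the real file, then confirm with: sshd -T
```

On the sample file the audit reports exactly one finding, the stray PermitRootLogin yes, even though a hardened line follows it; that is the failure mode to look for after appending settings to a distro-supplied file.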

Disable Weak Cryptographic Algorithms

Hardened configuration

    Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
    KexAlgorithms [email protected],ecdh-sha2-nistp521
    MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256

Extra-Hardened configuration

    Ciphers [email protected],aes256-ctr
    KexAlgorithms [email protected],ecdh-sha2-nistp521
    MACs [email protected],hmac-sha2-512

Supported algorithms can be tested using nmap:

    nmap -sV --script ssh2-enum-algos -p PORT TARGET
  • PORT is 22 by default. The -p flag can be excluded if you are using port 22.

Regenerate RSA & ED25519 Host Keys

    rm /etc/ssh/ssh_host_*
    ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
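Two things the three commands above do not say: sshd only picks up new host keys when it is restarted, and every client that has the old key in its known_hosts file will refuse to connect (the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning) until it learns the new one, so the new fingerprints should be published over a trusted channel before the switch. The script below is an added example, not code from the original post: it runs the same regeneration against a directory passed as an argument (so it can be rehearsed outside /etc/ssh) and prints the SHA256 fingerprints to hand out. The function names are mine; `ssh-keygen -l -E sha256` is the standard fingerprint command.

```shell
#!/bin/sh
# Added example (not from the original post): regenerate RSA-4096 and Ed25519
# host keys in a given directory and print their fingerprints.

# regen_host_keys DIR -> replaces all ssh_host_* keys in DIR with a fresh
# 4096-bit RSA key and an Ed25519 key; prints their fingerprints.
regen_host_keys() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # remove every old key pair so no DSA/ECDSA/short-RSA key lingers
    rm -f "$dir"/ssh_host_*
    ssh-keygen -q -t rsa -b 4096 -f "$dir/ssh_host_rsa_key" -N ""
    ssh-keygen -q -t ed25519 -f "$dir/ssh_host_ed25519_key" -N ""
    chmod 600 "$dir"/ssh_host_*_key          # private keys: root only
    chmod 644 "$dir"/ssh_host_*_key.pub      # public halves may be world-readable
    host_key_fingerprints "$dir"
}

# host_key_fingerprints DIR -> one "bits SHA256:... comment (TYPE)" line per key,
# the lines to publish so clients can verify the changed host key
host_key_fingerprints() {
    for pub in "$1"/ssh_host_*_key.pub; do
        ssh-keygen -l -E sha256 -f "$pub"
    done
}

# host_key_bits DIR TYPE -> key length of DIR/ssh_host_TYPE_key, e.g. 4096
host_key_bits() {
    ssh-keygen -l -f "$1/ssh_host_$2_key.pub" | awk '{ print $1 }'
}

# Usage (not run automatically; the real directory needs root):
#   regen_host_keys /etc/ssh && systemctl restart ssh   # service is "sshd" on some distros
```

Rehearse it on a scratch directory first (`d=$(mktemp -d); regen_host_keys "$d"`) and confirm the RSA key reports 4096 bits and the Ed25519 key 256 before touching /etc/ssh.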

Disable DSA HostKeys

    #HostKey /etc/ssh/ssh_host_dsa_key

Disable Small Diffie-Hellman Key Sizes

    awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
    mv /etc/ssh/moduli.safe /etc/ssh/moduli
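The threshold is 3071 rather than 3072 because the size column (field 5) of distributed moduli files reads one less than the nominal group length: 2047 for the 2048-bit groups this step removes, 3071 for the 3072-bit groups it keeps. Two checks are worth adding to the one-liner: look at the size distribution before and after, and never install an empty result, which would leave sshd with no group-exchange moduli at all. Note also that /etc/ssh/moduli is only consulted for the diffie-hellman-group-exchange-* key exchange methods, so if KexAlgorithms already excludes those, this step is defence in depth. The script below is an added example, not code from the original post; the function names and the sample moduli file (placeholder values, not real safe primes) are mine.

```shell
#!/bin/sh
# Added example (not from the original post): the section 13 moduli filter with
# a size histogram and a guard against installing an empty moduli file.

# moduli_size_histogram FILE -> "size count" per line, ascending, comments skipped
moduli_size_histogram() {
    awk '!/^#/ && NF >= 5 { c[$5]++ } END { for (s in c) print s, c[s] }' "$1" | sort -n
}

# filter_moduli SRC DEST -> writes the comment header plus every modulus with
# size >= 3071 to DEST and prints how many groups were kept; refuses to install
# an empty file and returns 1 in that case, leaving DEST untouched.
filter_moduli() {
    src=$1; dest=$2
    tmp=$(mktemp) || return 1
    awk '/^#/ { print; next } $5 >= 3071 { print }' "$src" > "$tmp"
    kept=$(grep -c -v '^#' "$tmp" || true)     # grep exits 1 on a zero count
    if [ "$kept" -eq 0 ]; then
        rm -f "$tmp"
        echo "no moduli of size >= 3071 in $src; keeping $dest untouched" >&2
        return 1
    fi
    chmod 644 "$tmp" && mv "$tmp" "$dest"      # mktemp files are 0600; moduli is world-readable
    echo "$kept"
}

# write_sample_moduli FILE -> constructed sample in moduli(5) layout
# (time type tests tries size generator modulus); the modulus values are
# placeholders, not real safe primes, so never install this file on a host.
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20230101000000 2 6 100 2047 2 PLACEHOLDER_MODULUS_1
20230101000001 2 6 100 2047 5 PLACEHOLDER_MODULUS_2
20230101000002 2 6 100 3071 2 PLACEHOLDER_MODULUS_3
20230101000003 2 6 100 4095 2 PLACEHOLDER_MODULUS_4
20230101000004 2 6 100 8191 5 PLACEHOLDER_MODULUS_5
EOF
}

# Usage (not run automatically; needs root for the real file):
#   moduli_size_histogram /etc/ssh/moduli          # before: expect a 2047 row
#   filter_moduli /etc/ssh/moduli /etc/ssh/moduli  # prints the number of groups kept
#   moduli_size_histogram /etc/ssh/moduli          # after: smallest row is 3071
```

On the sample the filter keeps three of five groups and the histogram's smallest row moves from 2047 to 3071; a file containing only 2047-sized groups is rejected rather than replaced with an empty one.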

Disable SSHv1

    Protocol 2
  • This is not applicable to newer versions of OpenSSH, only older versions.

SSH Hardening Resources

More information about the rationale behind these settings, and general hardening guidance, can be found here:

This post is licensed under CC BY 4.0 by the author.