Near Perfect SSH Configuration

On many vulnerability scans we see SSH being reported as a medium risk vulnerability due to insecure ciphers and poor configurations. In penetration tests we often find we are able to use SSH once we have a set of user credentials, especially where the service is linked through to a centralised password management solution such as Active Directory.

To aid in remediation, here is Peter Bassill’s recommended SSH configuration:

Port 22
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
Protocol 2

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key

UsePrivilegeSeparation sandbox
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 60
PermitRootLogin no
AllowUsers [insert named individuals who actually need SSH access]
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
Banner /etc/banner
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes