by peter

Hardening SSH on Linux – a simple how to guide

Hardening SSH on Linux, or on any other operating system, is very important. SSH is one of the most common methods of accessing remote servers, and it is also one of the most common reasons behind compromised Linux servers.

Don’t get me wrong. SSH (Secure Shell) is a pretty secure protocol by design, but this doesn’t mean you should leave it at its default configuration.

In this guide, I’ll share some practical ways to improve SSH security and thus secure your Linux servers.

Disable empty passwords

It is possible to have user accounts in Linux without any password. If such a user logs in over SSH, no password will be required there either.

That’s a security risk. You should forbid the use of empty passwords. In the /etc/ssh/sshd_config file, make sure the PermitEmptyPasswords option is set to no:

PermitEmptyPasswords no

Change default SSH ports

The default SSH port is 22, and most attack scripts are written around this port only. Changing the default SSH port should add an additional security layer, because the number of attacks arriving on port 22 may drop.

Search for the port information in the config file and change it to something different:

Port 20022

You must remember or note down the port number; otherwise you may not be able to access your servers with SSH.

Disable root login via SSH

If you have sudo users on your system, you should use such a sudo user to access the server via SSH instead of root.

You can disable root login by modifying the PermitRootLogin option and setting it to no:

PermitRootLogin no

Disable ssh protocol 1

This applies if you are using an older Linux distribution. Some older SSH versions might still have SSH protocol 1 available. This protocol has known vulnerabilities and must not be used.

Newer SSH versions enable SSH protocol 2 automatically, but there is no harm in double-checking it.

Protocol 2

Configure idle timeout interval

The idle timeout interval is the amount of time an SSH connection can remain open without any activity. Such idle sessions are also a security risk, so it is a good idea to configure an idle timeout interval.

The timeout interval is counted in seconds and by default it is 0. You may change it to 300 to keep a five-minute timeout interval.

ClientAliveInterval 300

After this interval, the SSH server will send an alive message to the client. If it doesn’t get a response, the connection will be closed and the end user will be logged out.

You may also control how many times it sends the alive message before disconnecting:

ClientAliveCountMax 2

Allow SSH access to selected users only

One approach here is to allow SSH access to a selected few users and thus restrict it for all other users.

AllowUsers User1 User2

You may also add selected users to a new group and allow only this group to access SSH.

AllowGroups ssh_group

You may also use DenyUsers and DenyGroups to deny SSH access to certain users and groups.

Disable X11 Forwarding

X11, or the X display server, is the basic framework for a graphical environment. X11 forwarding allows you to use a GUI application via SSH.

Basically, the client runs the GUI application on the server, but thanks to X11 forwarding a channel is opened between the two machines and the application’s window is displayed on the client machine.

The X11 protocol was not designed with security in mind. If you don’t need it, you should disable X11 forwarding in SSH:

X11Forwarding no

Stop brute force attacks automatically

To stop SSH brute-force attacks, you can use a security tool like Fail2Ban.

Fail2Ban checks the failed login attempts from different IP addresses. If these bad attempts cross a threshold within a set time interval, it bans the IP from accessing SSH for a certain time period.

You can configure all these parameters according to your needs. I have written a detailed introductory guide on using Fail2Ban which you should read.
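The mechanism described above, reduced to its core, as an added example that is not code from the article or from Fail2Ban: failed password attempts are counted per source IP inside a sliding window, an IP crossing the threshold is banned for a fixed period, and attempts arriving during an active ban are ignored. The log excerpt is constructed (documentation IP ranges, invented PIDs), and the thresholds (maxretry 5, findtime 10 minutes, bantime 10 minutes) mirror the commonly cited Fail2Ban defaults; they are assumptions here, not values from the article.

```python
"""Fail2Ban-style detection of SSH password brute forcing over sample log lines.

Added example, not the article's or Fail2Ban's code. Thresholds are assumed
(maxretry 5, findtime 600 s, bantime 600 s); syslog lines carry no year, so
one is assumed when parsing timestamps.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt: 203.0.113.5 fails 6 times within 10 s,
# 203.0.113.77 fails 5 times spread over 2.5 h (slow, stays under the
# window), 203.0.113.9 fails once, and one legitimate key login succeeds.
SAMPLE_LOG = """\
Mar 10 10:00:00 web1 sshd[1901]: Failed password for root from 203.0.113.77 port 39001 ssh2
Mar 10 10:30:00 web1 sshd[1950]: Failed password for root from 203.0.113.77 port 39002 ssh2
Mar 10 11:00:00 web1 sshd[2001]: Failed password for root from 203.0.113.77 port 39003 ssh2
Mar 10 11:30:00 web1 sshd[2050]: Failed password for root from 203.0.113.77 port 39004 ssh2
Mar 10 12:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50222 ssh2
Mar 10 12:00:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50222 ssh2
Mar 10 12:00:04 web1 sshd[2104]: Failed password for root from 203.0.113.9 port 41000 ssh2
Mar 10 12:00:06 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 50230 ssh2
Mar 10 12:00:08 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 50231 ssh2
Mar 10 12:00:09 web1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.5 port 50233 ssh2
Mar 10 12:00:11 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 50240 ssh2
Mar 10 12:00:12 web1 sshd[2110]: Accepted publickey for peter from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:CONSTRUCTED
Mar 10 12:30:00 web1 sshd[2200]: Failed password for root from 203.0.113.77 port 39005 ssh2
"""

# One of the patterns a Fail2Ban sshd filter matches: a rejected password.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<clock>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(lines, year=2024):
    """Yield (timestamp, ip, user) for every failed password attempt."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['clock']}",
                                   "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def count_failures(lines):
    """Raw failures per source IP, ignoring any ban logic."""
    return Counter(ip for _, ip, _ in parse_failures(lines))


def detect_brute_force(lines, maxretry=5, findtime=600, bantime=600):
    """Return the bans a Fail2Ban-style jail would issue, in log order."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned_until = {}
    bans = []
    for ts, ip, _user in parse_failures(lines):
        if ip in banned_until and ts < banned_until[ip]:
            continue  # during an active ban the firewall rule would drop this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= maxretry:
            expires = ts + timedelta(seconds=bantime)
            bans.append({"ip": ip, "banned_at": ts, "expires": expires, "attempts": len(q)})
            banned_until[ip] = expires
            q.clear()
    return bans


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    print("failures per IP:", dict(count_failures(log_lines)))
    for ban in detect_brute_force(log_lines):
        print(f"ban {ban['ip']} at {ban['banned_at']:%H:%M:%S} "
              f"until {ban['expires']:%H:%M:%S} ({ban['attempts']} attempts)")
```

The slow attacker at 203.0.113.77 never triggers a ban with a ten-minute window even though it fails as often as the fast one, which is why the next section argues for removing passwords altogether rather than relying on thresholds.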

Disable password based SSH login

No matter how much you try, you’ll always see bad login attempts via SSH on your Linux server. The attackers are smart, and the scripts they use are often written with the default settings of tools like Fail2Ban in mind.

To get rid of the constant brute force attacks, you can opt for only key-based SSH login.

In this approach, you add the public key of each remote client system to the authorized keys list on the SSH server. This way, those client machines can access SSH without entering the user account password.

When you have this set up, you can disable password-based SSH login. From then on, only the client machines that hold the specified SSH keys can access the server via SSH.

Before you go for this approach, make sure that you have added your own public key to the server and that it works. Otherwise, you’ll lock yourself out and may lose access to the server.

Read this detailed tutorial to learn how to disable password based SSH authentication.

Two-factor authentication with SSH

To take SSH security to the next level, you may also enable two-factor authentication. In this approach, you receive a one-time password on your mobile phone, by email or through a third-party authentication app.

You may read about setting up two-factor authentication with SSH here.

Conclusion

You can see all the parameters of your SSH server using this command:

sshd -T

This way, you can easily see whether you need to change any parameter to enhance the security of the SSH server.

You should also keep the SSH installation and the system updated.
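Checking the output of sshd -T by eye works for one server but not for many. The script below, an added example that is not code from the article, reads either that output or a raw sshd_config (such as the complete file listed at the end of this article) and reports the settings this guide covers. Two behaviours of sshd matter for such a check and are reproduced here: the first occurrence of a keyword wins, so a later duplicate is silently ignored, and everything below a Match line applies only to the matched connections, so it is excluded from the global view. The sample configuration is constructed; the thresholds follow this guide, and the fallback values for absent keywords are OpenSSH's compiled-in defaults.

```python
"""Audit sshd settings against the hardening points in this guide.

Added example, not the article's code. Input is `sshd -T` output or a raw
sshd_config; both are "Keyword value" lines. First occurrence of a keyword
wins (as in sshd) and a `Match` line ends the global section.
"""
import re
import subprocess
import sys

# Constructed sample sshd_config mixing good and bad settings.
SAMPLE_CONFIG = """\
#Port 22
Port 22
Protocol 2
PermitRootLogin yes
# the next line is ignored by sshd and by this parser: first occurrence wins
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding yes
Match User backup
    PasswordAuthentication no
"""

# OpenSSH compiled-in defaults, used when a keyword is absent.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",  # OpenSSH 7.0+; older releases default to yes
    "permitemptypasswords": "no",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "clientaliveinterval": "0",
    "clientalivecountmax": "3",
}


def parse_sshd_config(text):
    """Return (settings, saw_match): lowercase keyword -> value, first match wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            return settings, True  # conditional block begins; global section is over
        settings.setdefault(keyword, value)
    return settings, False


def effective_idle_seconds(settings):
    """Seconds an unresponsive client survives: ClientAliveInterval * ClientAliveCountMax."""
    interval = int(settings.get("clientaliveinterval", DEFAULTS["clientaliveinterval"]))
    count = int(settings.get("clientalivecountmax", DEFAULTS["clientalivecountmax"]))
    return interval * count


def audit(settings, saw_match=False):
    """Return (level, keyword, message) findings; levels are FAIL, WARN, INFO."""
    def get(key):
        return settings.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("port") == "22":
        findings.append(("INFO", "port", "default port 22; the guide suggests moving it"))
    if get("permitrootlogin") != "no":
        findings.append(("FAIL", "permitrootlogin", f"is '{get('permitrootlogin')}', expected 'no'"))
    if "1" in get("protocol").split(","):
        findings.append(("FAIL", "protocol", "protocol 1 is enabled"))
    if get("permitemptypasswords") != "no":
        findings.append(("FAIL", "permitemptypasswords", "empty passwords are allowed"))
    if get("passwordauthentication") != "no":
        findings.append(("WARN", "passwordauthentication", "password logins allowed; prefer keys only"))
    if get("pubkeyauthentication") == "no":
        findings.append(("FAIL", "pubkeyauthentication", "key-based login is disabled"))
    if get("x11forwarding") == "yes":
        findings.append(("FAIL", "x11forwarding", "X11 forwarding is enabled"))
    if int(get("clientaliveinterval")) == 0:
        findings.append(("WARN", "clientaliveinterval", "no idle timeout configured"))
    else:
        findings.append(("INFO", "clientaliveinterval",
                         f"idle clients are dropped after {effective_idle_seconds(settings)} s"))
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append(("WARN", "allowusers/allowgroups", "access not restricted to selected users or groups"))
    if saw_match:
        findings.append(("INFO", "match", "Match blocks present; per-user overrides not audited"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":  # query the running daemon (needs root)
        text = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    elif len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    for level, keyword, message in audit(*parse_sshd_config(text)):
        print(f"{level:4} {keyword}: {message}")
```

Run it with no arguments to see the sample report, with a path to audit a saved sshd_config, or with --live to audit the effective settings the daemon reports. Because the parser mirrors sshd's first-match rule, a hardening line appended to the bottom of a file that already sets the same keyword higher up is reported as ineffective, which is exactly the mistake that is hard to spot by reading the file.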

I have listed some practical ways of hardening SSH. Of course, there are several other ways to secure SSH and your Linux server; it’s not possible to list all of them in a single article.

Below is a complete version of our SSH configuration file:

#Port 22
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation sandbox
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
AllowGroups ssh
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server