A nearly perfect SSH2 configuration to keep you secure


On many vulnerability scans we see SSH reported as a medium-risk finding because of insecure ciphers, MACs and key-exchange methods or a generally poor configuration. In penetration tests we often find we can log in over SSH as soon as we hold a set of user credentials, especially where the service authenticates against a centralised directory such as Active Directory, so domain credentials obtained elsewhere also open SSH.


Posted on 2019-07-01 by Peter Bassill in category News.






To aid remediation, here is Peter Bassill's recommended sshd_config for OpenSSH:


# Listener and protocol version (Protocol is ignored by OpenSSH 7.4+, where SSH-1 no longer exists)
Port 22
Protocol 2

# Algorithms: NIST ECDH curves and DH group exchange with SHA-256, AES-256 in counter mode,
# SHA-2 MACs with the encrypt-then-MAC variants first
# (the two @openssh.com MAC names were obfuscated in the page capture; the -etm variants are assumed)
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

# Host keys, in order of preference
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key

# Process model and SSH-1 server key settings
UsePrivilegeSeparation sandbox
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication: no root, named users only, public keys rather than rhosts or host-based trust
LoginGraceTime 60
PermitRootLogin no
AllowUsers [insert named individuals who actually need SSH access]
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

# Forwarding, banners and session settings
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
Banner /etc/banner
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes

A few points to check before deploying this on a current OpenSSH (7.4 or later). Protocol is ignored, and KeyRegenerationInterval, ServerKeyBits, RSAAuthentication, RhostsRSAAuthentication and UsePrivilegeSeparation are SSH-1 era or removed directives that sshd only logs a "Deprecated option" warning for, so they can be dropped. ssh_host_dsa_key is a 1024-bit DSA key that OpenSSH clients have refused by default since 7.0; it is better removed than offered. The key-exchange list omits curve25519-sha256, which OpenSSH has supported since 6.5 and prefers by default, so consider prepending it. Most importantly, PasswordAuthentication is not set, so it stays at its default of yes and the credential-reuse problem described above remains unless you add PasswordAuthentication no (keep UsePAM yes for account and session handling). Validate the file with sshd -t -f /path/to/sshd_config before restarting, and confirm what sshd will actually apply with sshd -T, which prints the merged effective configuration.
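Those checks can be run mechanically before a scanner does. The following is an added example, not code from the original post: a small Python audit that parses an sshd_config, flags the SSH-1 era directives, the algorithm names scanners typically report as weak, a DSA host key, and settings left at an insecure default (PasswordAuthentication among them, since the configuration above never sets it). The policy tables and the three sample configurations embedded in it are the editor's own constructions, not an official benchmark, and only the global section before any Match block is audited.

```python
"""Audit an sshd_config against a small hardening policy.

Added example, not code from the original post. The policy below (which
directives are SSH-1 leftovers, which algorithm names count as weak, which
settings must be pinned and what sshd assumes when they are absent) is the
editor's own reading of OpenSSH 7.x/8.x behaviour, not an official benchmark.
"""
import re

# Directives that only ever applied to SSH protocol 1, plus UsePrivilegeSeparation
# (always on, keyword dropped in 7.5). Modern sshd logs "Deprecated option" for them.
DEPRECATED = {
    "protocol", "keyregenerationinterval", "serverkeybits",
    "rsaauthentication", "rhostsrsaauthentication", "useprivilegeseparation",
}

# Algorithm-name patterns that vulnerability scanners typically report.
WEAK = {
    "ciphers": re.compile(r"arcfour|3des|blowfish|cast128|-cbc$"),
    "macs": re.compile(r"md5|ripemd|-96(@|$)|^hmac-sha1$"),
    "kexalgorithms": re.compile(r"sha1$"),
}

# keyword -> (value a hardened host should pin, value sshd assumes when absent)
REQUIRED = {
    "permitrootlogin": ("no", "prohibit-password"),
    "passwordauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
    "hostbasedauthentication": ("no", "no"),
    "permitemptypasswords": ("no", "no"),
    "x11forwarding": ("no", "no"),
}


def parse_sshd_config(text):
    """Return (keyword, value) pairs from the global section of an sshd_config.

    Keywords are lower-cased because sshd matches them case-insensitively; both
    "Key value" and "Key=value" spellings are accepted and comments are stripped.
    Parsing stops at the first Match block: everything after it is conditional.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        entries.append((key, value))
    return entries


def audit(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    first = {}  # sshd uses the FIRST value when a keyword is repeated
    for key, value in parse_sshd_config(text):
        first.setdefault(key, value)
        if key in DEPRECATED:
            findings.append(f"{key}: deprecated SSH-1 era directive, remove it")
        if key in WEAK:
            # "-alg" removes algorithms from the default set, so nothing weak is
            # being enabled; "+alg" and "^alg" add to it and are checked as a list.
            if value.startswith("-"):
                continue
            for algo in value.lstrip("+^").split(","):
                if WEAK[key].search(algo):
                    findings.append(f"{key}: weak algorithm {algo}")
        if key == "hostkey" and "dsa" in value:
            findings.append(f"hostkey: {value} is DSA (1024-bit, ssh-dss disabled "
                            "by default since OpenSSH 7.0)")
    for key, (want, default) in REQUIRED.items():
        got = first.get(key)
        if got is None and default != want:
            findings.append(f"{key}: not set, default '{default}' applies, want '{want}'")
        elif got is not None and got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}'")
    return findings


# Constructed sample mirroring the directives of the configuration in the post.
POST_CONFIG = """
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
UsePrivilegeSeparation sandbox
KeyRegenerationInterval 3600
ServerKeyBits 1024
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
UsePAM yes
"""

# Constructed sample of the kind of legacy file that earns the scanner finding.
LEGACY_CONFIG = """
Ciphers aes128-cbc,3des-cbc,aes256-ctr
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample that passes every check in this policy.
HARDENED_CONFIG = """
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["clean"]:
            print(" ", finding)
```

Run it against a live host with `python3 audit.py` after pasting in the output of `sshd -T`, which already expands defaults and lower-cases keywords, so the "not set" branch then only fires for directives sshd itself left unset.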

