Post

SSH Server Hardening

Posted Updated
By Alexander Wells
1 min read

Guide for hardening SSH server on a Linux machine.

  1. Enable Certificate Based Authentication
  2. Disable Password Authentication
  3. Disable Empty Passwords
  4. Disable Root Login
  5. Change Default SSH Port
  6. Only Allow Selected Users and/or Groups
  7. Disable X11 Forwarding
  8. Disable GatewayPorts
  9. Disable PermitUserEnvironment
  10. Disable Weak Cryptographic Algorithms
  11. Regenerate RSA & ED25519 Host Keys
  12. Disable DSA HostKeys
  13. Disable Small Diffie-Hellman Key Sizes
  14. Disable SSHv1
  15. SSH Hardening Resources

Enable Certificate Based Authentication

1

PubkeyAuthentication yes

Disable Password Authentication

1

PasswordAuthentication no

Disable Empty Passwords

1

PermitEmptyPasswords no

Disable Root Login

1

PermitRootLogin no

Change Default SSH Port

1

Port 23456

Only Allow Selected Users and/or Groups

1
2

AllowUsers user1 user2
AllowGroups group1 group2
  • You can also deny access to certain users and groups with DenyUsers and DenyGroups respectively.

Disable X11 Forwarding

1

X11Forwarding no

Disable GatewayPorts

1

GatewayPorts no

Disable PermitUserEnvironment

1

PermitUserEnvironment no

Disable Weak Cryptographic Algorithms

Hardened configuration

1
2
3

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

Extra-Hardened configuration

1
2
3

Ciphers aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512

Supported algorithms can be tested using nmap:

1

nmap -sV --script ssh2-enum-algos -p PORT TARGET
  • PORT is 22 by default. The -p flag can be excluded if you are using port 22.

Regenerate RSA & ED25519 Host Keys

1
2
3

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

Disable DSA HostKeys

1

#HostKey /etc/ssh/ssh_host_dsa_key

Disable Small Diffie-Hellman Key Sizes

1
2

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli

Disable SSHv1

1

Protocol 2
  • This is not applicable to newer versions of OpenSSH, only older versions.

SSH Hardening Resources

More information about the rational and general hardening information can be found here:

security, ssh
security ssh cryptography
This post is licensed under CC BY 4.0 by the author.