SSH Hardening Tips for Linux Administrators & Security Researchers

SSH, short for Secure SHell, is used to access remote desktops or systems in a secure way. SSH comes with a default configuration that is not at all secure. This blog helps in set up SSH service configuration securely.

Just remember to always restart the SSH service to update configuration after performing changes by using below command:

service sshd restart

(1) root user should be disabled

root user denotes a user having superuser access on a system. If attackers somehow access your root account on the system, it leads to disastrous consequences. Hence, It is advisable to disable root login.

Check options using below command:

less  /etc/ssh/sshd_config

The below settings prohibits password authentication and allows only passwordless authentication.

If you want to totally disable root authentication, just use no in front of PermitRootLogin

PermitRootLogin no

(2) Implement strong encryption algorithm while configuring secure shell

Cryptography is key to the confidentiality and integrity of the system. Below is the list of secure algorithms recommended by NIST:

Algorithm	Type of Algorithm	Specification	Key size	Usage
Elliptic Curve Diffie-Hellman (ECDH) Key Exchange	Asymmetric algorithm	NIST SP 800-56A	Curve P-384	key establishment
Advanced Encryption Standard (AES)	Symmetric block cipher	FIPS PUB 197	256 bit keys	information protection
Elliptic Curve Digital Signature Algorithm (ECDSA)	Asymmetric algorithm	FIPS Pub 186-4	Curve P-384	digital signature
Secure Hash Algorithm (SHA)	Hashing technique	FIPS Pub 180-4	SHA-384	convert any input into fixed size data
Diffie-Hellman (DH) Key Exchange	Asymmetric algorithm	IETF RFC 3526	3072-bit modulus	key establishment
RSA	Asymmetric algorithm	FIPS PUB 186-4	3072 bit-modulus	key establishment
RSA	Asymmetric algorithm	NIST SP 800-56B rev 1	3072-bit modulus	digital signatures

Check which algorithms are supported by system by using below commands:

ssh -Q cipher

 ssh -Q kex

ssh -Q key

ssh -Q mac

(3) Configure passwordless logins

While authenticating SSH using username and password, both credentials are communicating via an encrypted channel. However, an attacker may try brute force against SSH username and password. If you are using the same desktop for SSH, you can configure passwordless login to access remote desktops/systems.

less  /etc/ssh/sshd_config

(4) Logging should be enabled in detailed mode

SSH server runs, IT system will produce the logging messages in sshd.log. Ensure enabling logging in detailed mode.

(5) Always configure banners for warning

It is recommended to create a banner for users who are trying to accessing the system using SSH.

(6) Configure automatic logout

Look sshd_config file, change below options:

ClientAliveInterval 0
ClientAliveCountMax 3

ClientAliveInterval determine the time to keep the connection alive. ClientAliveCountMax is the limit of to stay unresponsive before being disconnected. This will configure automatic logout if user login remote using SSH protocol.

ClientAliveInterval 300
ClientAliveCountMax 2

(7) Change default SSH port

SSH default port is 22. You can check by just look by below command:

less  /etc/ssh/sshd_config 

It is recommended to change it to some different port number. This particular step just increase the little time of attacker to identify open SSH port.

Port 2123

(8) Disable X11 forwarding

X11forwarding allows remote users to access GUI based application like browser if configuration is similar to below command in sshd_config:

X11Forwarding yes

If you want to disallow, just change the option to no

X11Forwarding no

(9) Check SSH Protocol 1 is disabled

Protocol 1 is original version of SSH and now considered as insecure. Protocol 1 is currently used for legacy systems. You can check configuration by looking in to the file /etc/ssh/sshd_config file. If Protocol 1 or Protocol 1, 2 available, then it may be vulnerable to different CVEs which is application for SSH Protocol 1.

less /etc/ssh/sshd_config

Just change and allow only Protocol 2

Protocol 2

(10) Username/Password login should be disabled

Password based authentication is an insecure wat of authentication. You can check same just by audit sshd_config file. If you found below option, that simply means system is allowing password based authentication.

PasswordAuthentication yes

Just change it to no to disable it.

PasswordAuthentication no

Conclusion

This blog gives a brief overview of configuration of SSH hardening steps to secure it from bad people. As told in beginning, always restart the SSH service to update configurations.