SSH Hardening Tips for Linux Administrators & Security Researchers

SSH, short for Secure SHell, is used to access remote desktops or systems in a secure way. SSH ships with a default configuration that is not secure enough for production use. This blog explains how to set up the SSH service configuration securely.

Remember to always restart the SSH service after changing the configuration so that the new settings take effect, using the command below:

service sshd restart

(1) Root login should be disabled

root denotes the user with superuser access on a system. If an attacker somehow gains access to the root account over SSH, the consequences are disastrous. Hence, it is advisable to disable root login.

Check the current option with the command below:

less /etc/ssh/sshd_config

The setting PermitRootLogin prohibit-password (spelled without-password in older OpenSSH releases) prohibits password authentication for root and allows only key-based (passwordless) root login.

If you want to disable root login completely, set PermitRootLogin to no:

PermitRootLogin no

(2) Use strong encryption algorithms when configuring Secure Shell

Cryptography is key to the confidentiality and integrity of the connection. Below is the list of secure algorithms recommended by NIST, as collected in the NSA's CNSA Suite:

Algorithm                                          | Type of algorithm      | Specification         | Key size         | Usage
Elliptic Curve Diffie-Hellman (ECDH) Key Exchange  | Asymmetric algorithm   | NIST SP 800-56A       | Curve P-384      | key establishment
Advanced Encryption Standard (AES)                 | Symmetric block cipher | FIPS PUB 197          | 256-bit keys     | information protection
Elliptic Curve Digital Signature Algorithm (ECDSA) | Asymmetric algorithm   | FIPS PUB 186-4        | Curve P-384      | digital signature
Secure Hash Algorithm (SHA)                        | Hashing technique      | FIPS PUB 180-4        | SHA-384          | convert any input into fixed-size data
Diffie-Hellman (DH) Key Exchange                   | Asymmetric algorithm   | IETF RFC 3526         | 3072-bit modulus | key establishment
RSA                                                | Asymmetric algorithm   | FIPS PUB 186-4        | 3072-bit modulus | key establishment
RSA                                                | Asymmetric algorithm   | NIST SP 800-56B rev 1 | 3072-bit modulus | digital signatures

Source: https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm

Check which algorithms the installed OpenSSH supports with the following commands (ciphers, key exchange methods, key types and MACs respectively):

ssh -Q cipher

ssh -Q kex

ssh -Q key

ssh -Q mac

The server is then restricted to the strong ones with the Ciphers, KexAlgorithms, MACs and HostKeyAlgorithms keywords in sshd_config.

(3) Configure passwordless (key-based) logins

When authenticating to SSH with a username and password, both credentials travel over an encrypted channel. However, an attacker can still brute-force the SSH username and password. If you always connect from the same desktop, configure key-based (passwordless) login to access the remote desktops/systems instead.

less /etc/ssh/sshd_config

(4) Logging should be enabled in detailed mode

While the SSH server runs, the system writes its log messages to the sshd log (sshd.log). Ensure that logging is enabled in detailed mode; the LogLevel keyword in sshd_config controls how much detail sshd logs.

(5) Always configure a warning banner

It is recommended to configure a banner that is shown to users trying to access the system over SSH; the Banner keyword in sshd_config points to the file containing the text.

(6) Configure automatic logout

Open the sshd_config file; the two options below are shown with their default values:

ClientAliveInterval 0
ClientAliveCountMax 3

ClientAliveInterval is the idle time in seconds after which sshd sends a keep-alive request to the client (0, the default, disables this). ClientAliveCountMax is the number of such requests the client may leave unanswered before sshd disconnects it. Together they give an automatic logout for SSH sessions whose client has stopped responding; note that a client that still answers the keep-alive requests is not logged out, even if the user is idle. With the values below an unresponsive client is disconnected after 300 × 2 = 600 seconds:

ClientAliveInterval 300
ClientAliveCountMax 2

(7) Change the default SSH port

The default SSH port is 22. You can check the current value with the command below:

less /etc/ssh/sshd_config

It is recommended to change it to a different port number. This step only slightly increases the time an attacker needs to identify the open SSH port, for example:

Port 2123

(8) Disable X11 forwarding

X11Forwarding allows remote users to run GUI-based applications such as a browser over the SSH session when sshd_config contains the option below:

X11Forwarding yes

If you want to disallow it, change the option to no:

X11Forwarding no

(9) Check that SSH Protocol 1 is disabled

Protocol 1 is the original version of SSH and is now considered insecure; it is only still used on legacy systems. You can check the configuration in the file /etc/ssh/sshd_config. If it contains Protocol 1 or Protocol 1,2, the server may be vulnerable to the CVEs that apply to SSH Protocol 1. (OpenSSH 7.4 and later no longer include server support for protocol 1 at all.)

less /etc/ssh/sshd_config

Change it to allow only Protocol 2:

Protocol 2

(10) Username/password login should be disabled

Password-based authentication is an insecure way of authenticating. You can check this by auditing the sshd_config file. If you find the option below, the system is allowing password-based authentication:

PasswordAuthentication yes

Change it to no to disable it. Do this only after key-based login (step 3) has been verified to work, or you will lock yourself out; also set ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer OpenSSH) to no so that password prompts cannot come back through PAM.

PasswordAuthentication no
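As an added example (not code from the original post), the Python audit below checks an sshd_config text against the checklist in sections (1) to (10) and the algorithm table in section (2), following sshd's own parsing rules: keywords are case-insensitive, "#" starts a comment, the first value of a keyword wins, and everything after a Match line is conditional. The OpenSSH algorithm names in ALLOWED_ALGOS, LogLevel VERBOSE as the meaning of "detailed mode", and the sample configuration are assumptions made for the example.

```python
import re
ALLOWED_ALGOS = {  # assumed OpenSSH names for the CNSA table: P-384, 3072-bit DH, AES-256
    "kexalgorithms": {"ecdh-sha2-nistp384", "diffie-hellman-group15-sha512"},
    "ciphers": {"aes256-gcm@openssh.com", "aes256-ctr"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"}}
EXPECT = {  # exact values; LogLevel VERBOSE is an assumption for "detailed mode"
    "permitrootlogin": {"no", "prohibit-password"}, "passwordauthentication": {"no"},
    "x11forwarding": {"no"}, "protocol": {"2"}, "loglevel": {"verbose"},
    "clientaliveinterval": {"300"}, "clientalivecountmax": {"2"}}

def parse_sshd_config(text):
    """Global section as {keyword: value}; keys case-insensitive, first value wins."""
    cfg = {}
    for raw in text.splitlines():
        m = re.match(r"([A-Za-z0-9]+)[\s=]+(.+)$", raw.split("#", 1)[0].strip())
        if not m:
            continue                       # blank or comment-only line
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                          # everything after Match is conditional
        cfg.setdefault(key, value)         # sshd ignores later duplicates
    return cfg

def audit(text):
    """Sorted findings for the checklist; an empty list means it passes."""
    cfg = {"protocol": "2", **parse_sshd_config(text)}   # unset Protocol means 2 only
    findings = []
    for key, ok in {**EXPECT, **ALLOWED_ALGOS}.items():
        values = [v.strip() for v in cfg.get(key, "").lower().split(",")]
        bad = [v or "<not set>" for v in values if v not in ok]
        if bad:
            findings.append(f"{key}: {bad} not allowed")
    if cfg.get("port", "22") == "22":
        findings.append("port: still the default 22")
    if "banner" not in cfg:
        findings.append("banner: no warning banner configured")
    return sorted(findings)

SAMPLE_CONFIG = """# constructed sample, not a real host's file
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd keeps the first value
LogLevel VERBOSE
Ciphers aes256-gcm@openssh.com,aes128-cbc
KexAlgorithms ecdh-sha2-nistp384
MACs hmac-sha2-512-etm@openssh.com
Match User backup
    PasswordAuthentication no
"""
```

To audit a real host, read /etc/ssh/sshd_config into audit(); for the effective configuration including Include files and compiled-in defaults, run the same checks against the output of sshd -T instead.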

Conclusion

This blog gave a brief overview of the SSH hardening steps that protect the service from attackers. As noted at the beginning, always restart the SSH service after changing the configuration.


If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.
