Twenty Steps to obtain SSH Hardening

by Anish

Posted on Thursday January 24



The OpenSSH server reads its configuration from /etc/ssh/sshd_config when it starts. The default values in /etc/ssh/sshd_config are quite restrictive, but they need further tuning to meet the security needs of a production environment and to comply with governance requirements such as PCI DSS, HIPAA, etc.

You will need to be root or use sudo to edit and control the SSH server.

Hardening is usually done by editing the default configuration file, as in the examples that follow.

It is always a good idea to make a backup of any configuration files before editing them.

cp /etc/ssh/sshd_config /etc/ssh/backup.sshd_config

To disable passwords for root, but still allow key-based access without forced command, use:

PermitRootLogin prohibit-password

To disable passwords and only allow key-based access with a forced command, use:

PermitRootLogin forced-commands-only

To disable key-based root login as well and print a message instead, prefix root's key in the authorized_keys file with a forced command:

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"alibabacloud\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDePRIy/ ECS 

1. The /etc/ssh/moduli

The /etc/ssh/moduli file usually contains several different entries called groups, and sshd picks one randomly for each session. Groups of 1024 bits simply don't offer a sufficient security margin.

OpenSSH supports 13 key exchange methods

SL no  Key Exchange Method Name            Implement
1      curve25519-sha256                   SHOULD
2      diffie-hellman-group-exchange-sha1  MUST NOT
3      diffie-hellman-group1-sha1          MUST NOT
4      diffie-hellman-group14-sha1         SHOULD-
5      diffie-hellman-group14-sha256       MUST
6      diffie-hellman-group16-sha512       SHOULD
7      ecdh-sha2-nistp256                  SHOULD
8      gss-gex-sha1-*                      MUST NOT
9      gss-group1-sha1-*                   MUST NOT
10     gss-group14-sha1-*                  SHOULD
11     gss-group14-sha256-*                SHOULD
12     gss-group16-sha512-*                SHOULD
13     rsa1024-sha1                        MUST NOT

If option 4 is selected, delete the lines of /etc/ssh/moduli whose 5th column (the bit size) is less than 2000:

awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
wc -l "${HOME}/moduli" # make sure there is something left
mv "${HOME}/moduli" /etc/ssh/moduli

If this file doesn't exist, generate it with a strong DH group size; a higher bit size means more secure keys that are less likely to be broken:

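# -G generates candidate primes; -T screens them into an intermediate file
# OpenSSH 8.2 and later: "ssh-keygen -M generate" / "-M screen" replace -G / -T
ssh-keygen -G /etc/ssh/moduli.all -b 4096
ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
# install the screened groups and remove the unscreened candidates
mv /etc/ssh/moduli.safe /etc/ssh/moduli
rm /etc/ssh/moduli.all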

Recommended KexAlgorithms in /etc/ssh/sshd_config:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

2. Allow/Deny rules

Consider SSH's access control mechanism. Once you add one AllowUsers rule, the only users allowed to log in via SSH are the listed ones:

User Based Logins

AllowUsers user1
AllowUsers user2 

Host based Logins

AllowUsers *
AllowUsers * 

Domain Based Logins

AllowUsers *@* 

3. Black List with PAM

pam_abl is a PAM module designed to automatically block hosts that are attempting a brute-force attack.

In /etc/security/pam_abl.conf, the rule *:10/1h,30/1d means: block any user (*) if they are responsible for ten or more failed authentication attempts in the last hour, or thirty or more failed attempts in the last day.
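
How such a rule is evaluated, as an added example (not pam_abl's own code and not part of the original post): it models the rule exactly as described above, counting failures inside each time window. The function names, the timestamps and the s and m period suffixes are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: evaluate a pam_abl-style rule such as "*:10/1h,30/1d".

# abl_blocked RULE NOW TS...
#   RULE  "<who>:<count>/<period>[,<count>/<period>...]"
#   NOW   current time; TS... times of failed attempts (epoch seconds)
# Prints the first clause that trips and returns 0 when blocked, else returns 1.
abl_blocked() {
    rule=$1 now=$2
    shift 2
    printf '%s\n' "$@" | awk -v now="$now" -v clauses="${rule#*:}" '
        BEGIN {
            # period suffixes; s and m are assumed alongside the h and d on the page
            mult["s"] = 1; mult["m"] = 60; mult["h"] = 3600; mult["d"] = 86400
            n = split(clauses, c, ",")
            for (i = 1; i <= n; i++) {
                split(c[i], p, "/")
                limit[i] = p[1] + 0
                unit = substr(p[2], length(p[2]))
                window[i] = (p[2] + 0) * ((unit in mult) ? mult[unit] : 1)
            }
        }
        # count a failure in every clause whose window still covers it
        $1 != "" {
            age = now - $1
            for (i = 1; i <= n; i++) if (age >= 0 && age <= window[i]) hits[i]++
        }
        END {
            for (i = 1; i <= n; i++) if (hits[i] >= limit[i]) { print c[i]; exit 0 }
            exit 1
        }'
}

# spaced COUNT STEP END: COUNT timestamps STEP seconds apart, newest at END
spaced() {
    awk -v n="$1" -v s="$2" -v e="$3" 'BEGIN { for (i = 0; i < n; i++) printf "%d ", e - i * s }'
}

# Constructed data: a fixed "now" and three failure histories.
now=1700000000
# $(...) is left unquoted on purpose: each timestamp becomes one argument.
abl_blocked '*:10/1h,30/1d' "$now" $(spaced 10 60 "$now") || echo "not blocked"
abl_blocked '*:10/1h,30/1d' "$now" $(spaced 9 60 "$now") || echo "not blocked"
abl_blocked '*:10/1h,30/1d' "$now" $(spaced 30 2000 "$now") || echo "not blocked"
```

The third history has only two failures in the last hour, so it is the 30/1d clause that blocks it.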

4. Chroot Directory

Chrooting gives a client access to the server but limits those users to their home directories. It is a powerful feature that serves many security use cases, such as chrooting an SFTP directory.

Create a user and make root the owner of its home directory:

cd /home
mkdir ftp
useradd -d /home/ftp -M -N -g users ftp
sudo chown root:root /home/ftp
sudo chmod 755 /home/ftp

Change the subsystem location in /etc/ssh/sshd_config:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

and create a user section at the end of the file

Match User john
    ChrootDirectory /home/ftp
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no

5. Force SSHv2 Protocol

Protocol 2

6. HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

7. Use secure ciphers and MACs

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

8. Disable unused authentication schemes

RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

9. Disable root SSH access

PermitRootLogin no
PermitEmptyPasswords no

10. Public key authentication & Password authentication:

Tune these settings to your environment, for example to allow only key-based authentication.

RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

11. Enable Logging

Logging provides traceability and enables auditing of users.

SyslogFacility AUTH
LogLevel INFO

12. Authentication must happen within 20 seconds

LoginGraceTime 20

13. Reduce Timeout Intervals

# Sets a timeout interval in seconds, default is 15 
ClientAliveInterval 40

# Sets the number of client alive messages, default value is 3 
ClientAliveCountMax 3

14. Deny Empty Password

# Don't allow login to accounts with an empty password; the default value is no
PermitEmptyPasswords no

15. Fail2Ban

Fail2ban can scan logs and temporarily ban IPs based on possible malicious activity. You will need to install Fail2ban.

sudo apt-get install fail2ban   # Debian/Ubuntu
sudo yum install fail2ban       # RHEL/CentOS

Copy the Fail2ban configuration file:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the /etc/fail2ban/jail.local file and find the section that starts with [sshd]. Edit it like so, adding enabled = true:

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s

Then restart fail2ban

service fail2ban restart

Fail2ban will monitor your SSH logs for possible malicious activity and then temporarily ban the source IP.

16. Audit your current Ciphers

$ ssh -Q cipher

17. Audit supported MACs

$ ssh -Q mac

18. Audit Supported Key Types

$ ssh -Q key

19. Automate the Process

Systems will be added and deleted over time. When the inventory changes rapidly, move towards automating SSH key management, which includes:

  1. Automated discovery of all SSH keys and configuration information

  2. Automation of adding, configuring, removing, and rotating SSH keys.

  3. Provide continuous monitoring of SSH keys

  4. Enable forensic-level analysis by logging of all relevant operations and management actions

  5. Audit.

Restart SSHD

Any change to /etc/ssh/sshd_config requires a restart of the SSH service.

/sbin/service sshd restart

/etc/init.d/sshd restart
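
A check that can run before the restart, as an added example (not part of the original post): it reads a configuration file the way sshd does, taking the first value given for a keyword, and reports settings that differ from steps 9 and 12 or that enable a key exchange method the table in step 1 marks MUST NOT. The function names and the sample file are constructed for the illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file against settings from this page.

# Print the value sshd would use for keyword $2 in file $1. sshd keeps the FIRST
# value it reads for a keyword; Match blocks are out of scope and end the scan.
sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}

# Print one FAIL line per finding; return 1 if there is any finding.
audit_sshd_config() {
    cfg=$1 rc=0
    # keyword=expected pairs taken from steps 9 and 12 of the page
    for pair in PermitRootLogin=no PermitEmptyPasswords=no LoginGraceTime=20; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_value "$cfg" "$key")
        # An unset keyword is reported too: compiled-in defaults vary by version.
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: got '${got:-unset}', want '$want'"
            rc=1
        fi
    done
    # Methods the key exchange table marks MUST NOT (assumes a plain list,
    # without a +, - or ^ prefix on the KexAlgorithms value).
    kex=$(sshd_value "$cfg" KexAlgorithms)
    for bad in diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 rsa1024-sha1; do
        case ",$kex," in
            *",$bad,"*) echo "FAIL KexAlgorithms: $bad is MUST NOT"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample input, not a real server's configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
LoginGraceTime 120
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1
EOF
audit_sshd_config "$sample" || echo "fix the findings before restarting sshd"
```

The duplicate PermitRootLogin yes is not reported because sshd never uses it. Running sshd -t as root additionally makes sshd itself validate the file before the restart.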

If I missed any rules, post a comment and I will add them to the list.
