Warning: Incorrect SSH settings may lock you out of the server.
Harden SSH Configuration
Log in to your server and open the OpenSSH server configuration file:
vi /etc/ssh/sshd_config
Update the port for SSH service
Port 23456
Use a port number in the range 1024-49151. Port scanners will still find the
service, so this is not a security control on its own; it only cuts the noise
from bots and opportunistic attackers that try the default port 22 and nothing
else. Before reloading sshd, allow the new port in your firewall, and on a
SELinux system label it for sshd (for example semanage port -a -t ssh_port_t -p
tcp 23456), otherwise sshd will not be allowed to bind it.
Use the following HostKey configuration (each listed file must exist; ssh-keygen -A generates any host key that is missing):
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Change default Key Exchange algorithms and Ciphers
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
(Recommended by Mozilla)
Enable Verbose Logging
LogLevel VERBOSE
At this level sshd logs the fingerprint of the key used for each login, which is what you need for an audit trail of who authenticated with which key.
Disable Remote Root Login
PermitRootLogin no
Only Allow Specific Users to SSH
AllowUsers username1 username2
Disable X11Forwarding
X11Forwarding no
X11 forwarding (running graphical programs over the SSH tunnel) is rarely needed on a server, and every forwarding feature left enabled is extra attack surface.
Automatically Disconnect Idle Sessions
ClientAliveInterval 300
ClientAliveCountMax 2
sshd sends a keepalive probe after 300 seconds without traffic and drops the connection once more than 2 probes in a row go unanswered, roughly 15 minutes. Be clear about what this does and does not do: a client that is still running answers the probes even if nobody is typing, so this reaps dead connections (crashed clients, dropped networks), not idle users; for idle logout use a shell timeout such as TMOUT as well. Do not set ClientAliveCountMax 0: since OpenSSH 8.2 that value disables the check entirely instead of tightening it.
Disable Password Authentication
PasswordAuthentication no
This stops password-guessing attacks: only key-based authentication remains, so install your public key (see Generate Private/Public Key Pair below) before you reload sshd. If your distribution's sshd authenticates through PAM (UsePAM yes), also set ChallengeResponseAuthentication no (KbdInteractiveAuthentication no on OpenSSH 8.7 and newer), otherwise a password can still be offered through keyboard-interactive authentication.
Before you close your current session, check the syntax with sshd -t, reload the service (systemctl reload ssh on Debian and Ubuntu, systemctl reload sshd on RHEL and Fedora) and open a new SSH connection from a second terminal. Keep the first session open until the new login succeeds: if the reload locks you out, that session is your way back in. sshd -T prints the effective value of every keyword if you want to confirm what is actually in force.
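The following shell script is an added example, not part of the original guide: it reads the effective configuration that sshd -T prints (run as root, since sshd needs the host keys to produce it) and flags every setting that contradicts the values above, including the ClientAliveCountMax 0 trap and legacy cipher, MAC and key exchange names. The two sample configurations embedded in it are constructed for the demonstration; the function names and the exact checks are my choices based on the settings in this guide.

```shell
#!/bin/sh
# Audit the effective sshd settings against the hardening above.
# Usage on a live host:  sshd -T | audit_sshd
# Exit status 0 = all checks pass, 1 = at least one FAIL line was printed.
audit_sshd() {
    findings=0
    # Keep "keyword value..." lines, lower-case the keyword, drop comments.
    cfg=$(awk 'NF && $1 !~ /^#/ { $1 = tolower($1); print }')

    value() { printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { print tolower($2); exit }'; }
    fail()  { printf 'FAIL %s\n' "$*"; findings=$((findings + 1)); }

    for pair in permitrootlogin:no passwordauthentication:no x11forwarding:no loglevel:verbose; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(value "$key")
        [ "$got" = "$want" ] || fail "$key is ${got:-unset}, want $want"
    done

    # Keyboard-interactive authentication can still hand a password to PAM.
    # The keyword was ChallengeResponseAuthentication before OpenSSH 8.7.
    for key in kbdinteractiveauthentication challengeresponseauthentication; do
        got=$(value "$key")
        [ -z "$got" ] || [ "$got" = no ] || fail "$key is $got, want no"
    done

    [ "$(value port)" != 22 ] || fail "port is 22 (the default every scanner tries first)"

    # Both must be positive: ClientAliveCountMax 0 disables the check since OpenSSH 8.2.
    interval=$(value clientaliveinterval); count=$(value clientalivecountmax)
    [ "${interval:-0}" -gt 0 ] && [ "${count:-0}" -gt 0 ] ||
        fail "clientaliveinterval=${interval:-unset} clientalivecountmax=${count:-unset}: dead connections are never dropped"

    # Anything CBC, RC4, 3DES, MD5, SHA-1 or truncated-tag based is legacy.
    for key in ciphers macs kexalgorithms; do
        list=$(value "$key")
        case "$list" in
            *cbc*|*arcfour*|*3des*|*md5*|*sha1*|*-96*) fail "$key contains a legacy algorithm: $list" ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Constructed samples in `sshd -T` format (not captured from a real host).
weak_sample() {
cat <<'EOF'
port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication yes
x11forwarding yes
loglevel INFO
clientaliveinterval 0
clientalivecountmax 3
ciphers aes128-ctr,aes128-cbc,3des-cbc
macs hmac-sha2-256,hmac-sha1,hmac-md5
kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1
EOF
}
hardened_sample() {
cat <<'EOF'
port 23456
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
x11forwarding no
loglevel VERBOSE
clientaliveinterval 300
clientalivecountmax 2
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
EOF
}

echo "== weak sample =="
weak_sample | audit_sshd || echo "-> rejected"
echo "== hardened sample =="
hardened_sample | audit_sshd && echo "-> all checks pass"
```

Run it as part of the verification step, after the reload and before you close your original session; a FAIL line for a keyword you never set means a drop-in file or the distribution default is supplying the value.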
For older versions of OpenSSH, please refer to this Mozilla Guideline.
Create an included SSH config file
You can also put your settings in a separate file and include it from the base configuration file /etc/ssh/sshd_config. Recent installations already contain an Include line for the directory /etc/ssh/sshd_config.d/ (for example Include /etc/ssh/sshd_config.d/*.conf), so a file placed there is picked up automatically; its name must end in .conf to match the pattern. Note that sshd keeps the first value it reads for a keyword and the Include line sits at the top of sshd_config, so a value in a drop-in file overrides the same keyword further down in sshd_config, and drop-in files are read in sorted name order. Confirm the result with sshd -T.
vi /etc/ssh/sshd_config.d/add.conf
#AllowUsers username1 username2
#Port 23456
PermitRootLogin no
X11Forwarding no
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 0
PasswordAuthentication no
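An added example, not from the original page, that makes the precedence between sshd_config and its drop-in files visible: the walk below reproduces how sshd reads the main file and splices in each Include, and reports which file supplies the winning value for a keyword. It builds a scratch copy of the layout described above in a temporary directory (constructed for the demonstration; it never touches /etc/ssh). Point sshd_effective at your real /etc/ssh/sshd_config to use it, and compare with sshd -T. The function names and the simplifications listed in its comments are mine.

```shell
#!/bin/sh
# Walk an sshd_config the way sshd does: top to bottom, each Include spliced
# in place (matching files in sorted order), and the FIRST value seen for a
# keyword wins. Use it to find out which file actually sets a value.
# Simplifications of this example (assumptions, not sshd's full grammar):
# relative Include paths are not resolved against /etc/ssh, the "Key=Value"
# spelling is not parsed, and everything from the first Match line on is
# ignored because those values only apply conditionally.

# sshd_walk FILE: print "file<TAB>keyword<TAB>value" in sshd's reading order.
sshd_walk() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f        # split on whitespace, no globbing yet
        [ $# -gt 0 ] || continue            # blank line
        case $1 in '#'*) continue ;; esac   # comment
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        shift
        if [ "$key" = include ]; then
            for pattern; do
                for inc in $pattern; do     # glob expansion here, already sorted
                    if [ -f "$inc" ]; then
                        ( sshd_walk "$inc" )  # subshell keeps our variables intact
                    fi
                done
            done
        else
            printf '%s\t%s\t%s\n' "$file" "$key" "$*"
        fi
    done < "$file"
}

# _sshd_lookup FIELD KEYWORD FILE: field 3 of the winning line is the value,
# field 1 the file it came from.
_sshd_lookup() {
    k=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    sshd_walk "$3" | awk -F'\t' -v f="$1" -v k="$k" '
        $2 == "match" { exit }              # conditional section starts: stop
        $2 == k       { print $f; exit }'   # first value wins
}
sshd_effective()      { _sshd_lookup 3 "$1" "$2"; }   # value sshd will use
sshd_effective_from() { _sshd_lookup 1 "$1" "$2"; }   # file that set it

# Constructed demo tree (a scratch directory, not the real /etc/ssh): the main
# file still says Port 22 and PasswordAuthentication yes, but its Include line
# comes first, so the drop-in wins; a later drop-in loses to an earlier one.
demo_setup() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    cat > "$d/sshd_config" <<EOF
Include $d/sshd_config.d/*.conf
Port 22
PasswordAuthentication yes
PermitRootLogin no
EOF
    cat > "$d/sshd_config.d/10-hardening.conf" <<'EOF'
Port 23456
PasswordAuthentication no
EOF
    cat > "$d/sshd_config.d/99-local.conf" <<'EOF'
Port 2222
EOF
    printf '%s\n' "$d"
}

dir=$(demo_setup)
for k in Port PasswordAuthentication PermitRootLogin; do
    printf '%-22s %-6s from %s\n' "$k" \
        "$(sshd_effective "$k" "$dir/sshd_config")" \
        "$(sshd_effective_from "$k" "$dir/sshd_config")"
done
rm -r "$dir"
```

The demo prints Port 23456 from 10-hardening.conf (99-local.conf's Port 2222 is read later and ignored) and PermitRootLogin no from the main file, which is the behaviour to keep in mind when a setting in sshd_config seems to have no effect.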
Generate Private/Public Key Pair
On your local computer, generate a new SSH key pair. Back up any existing key pair first, or create the new pair in a different location. Choose a passphrase you can retrieve later; you will need it when adding the key to your agent. RSA is shown here; ssh-keygen -t ed25519 is the modern alternative and produces a much shorter key.
ssh-keygen -t rsa
Add the new SSH private key to your SSH agent.
ssh-add ~/.ssh/id_rsa
Use the path you generated the key pairs in.
Copy the contents of id_rsa.pub (a single line).
On the server, append it to ~/.ssh/authorized_keys, one key per line. While password login is still enabled, ssh-copy-id -i ~/.ssh/id_rsa.pub username@server does this for you. Make sure ~/.ssh is mode 700, authorized_keys is mode 600 and both are owned by the user: with the default StrictModes yes, sshd silently ignores the file if it, the directory or the home directory is writable by others.
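The server-side steps above, as an added shell example that is not from the original guide: install_authorized_key appends a public key to authorized_keys exactly once, creates ~/.ssh with the permissions StrictModes requires, and rejects lines that are not well-formed keys. The demo key it ships with is constructed (a correctly encoded ed25519 blob whose public point is all zero bytes, so it is obviously nobody's real key) and the demo runs in a temporary directory rather than your real home; the function name and its checks are mine.

```shell
#!/bin/sh
# install_authorized_key PUBKEY_FILE HOME_DIR
# Appends the first key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys exactly
# once, with the permissions sshd's default StrictModes insists on (directory
# 0700, file 0600). Returns 0 on success, 1 if the key line is malformed.
# Run it as the target user, or chown the result to that user afterwards.
install_authorized_key() {
    pub=$1; home=$2
    keyline=$(head -n 1 "$pub")
    set -f; set -- $keyline; set +f        # split "<type> <blob> [comment]" without globbing
    case ${1:-} in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "refusing to install: unknown key type '${1:-}'" >&2; return 1 ;;
    esac
    printf '%s' "${2:-}" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' ||
        { echo "refusing to install: key blob is not base64" >&2; return 1; }

    dir=$home/.ssh; auth=$dir/authorized_keys
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    # Idempotent: match on type and blob; the trailing comment may differ.
    if grep -qF -- "$1 $2" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi
    # A file without a trailing newline would glue the new key onto the old one.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$keyline" >> "$auth"
    echo "installed $1 key for ${3:-<no comment>} into $auth"
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -lf "$pub" || :         # fingerprint, worth noting for the audit trail
    fi
}

# Constructed demo key: well-formed ed25519 public key blob with an all-zero
# point (51 bytes, 68 base64 characters). Not a real key.
DEMO_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA demo@laptop'

scratch=$(mktemp -d)                       # scratch HOME, not your real one
printf '%s\n' "$DEMO_PUBKEY" > "$scratch/id_ed25519.pub"
install_authorized_key "$scratch/id_ed25519.pub" "$scratch"
install_authorized_key "$scratch/id_ed25519.pub" "$scratch"   # second run is a no-op
ls -ld "$scratch/.ssh" "$scratch/.ssh/authorized_keys"
rm -r "$scratch"
```

To use it for real, copy the .pub file to the server and run install_authorized_key id_rsa.pub "$HOME" as the user who will log in; the ls -ld output should show drwx------ for the directory and -rw------- for the file.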
You should now be able to securely SSH into the server without using a password.
Other Security Measures
Only allow certain sets of IP to SSH
Edit hosts.allow to add the allow-list:
vi /etc/hosts.allow
sshd: 192.168.1.5, 94.0.0.0/255.240.0.0, 10.65.140.23
You can list single addresses or networks. Two things decide whether this works or fails silently. First, sshd only consults hosts.allow and hosts.deny if it was built with TCP wrappers (libwrap); upstream OpenSSH removed that support in 6.7 and several distributions now ship sshd without it. Check with ldd "$(command -v sshd)" | grep libwrap; if nothing is printed, use a firewall rule or a Match Address block in sshd_config instead. Second, an allow-list only restricts anything if everything else is denied: add sshd: ALL to /etc/hosts.deny, otherwise addresses listed in neither file are still accepted. Write networks in network/netmask form as above; the prefix-length form (94.0.0.0/12) is accepted only by some builds, and a network whose host bits are not zero (such as 94.1.1.1/12) never matches, because the masked client address is compared with the literal network you wrote.
Block certain IP or range of IPs
If brute-force attempts keep coming from a certain IP address or range, you can block all such incoming connections to your server. Edit hosts.deny to add the block-list (the same libwrap caveat as for hosts.allow applies):
vi /etc/hosts.deny
sshd: 192.168.1.5, 94.0.0.0/255.240.0.0, 10.65.140.23
A denied client is rejected before any authentication takes place.
Login Banner
A login banner can be used to warn intruders of legal consequences. It can also be used to remind legitimate users of their responsibilities and obligations. A banner shown before authentication is configured in sshd_config with Banner /etc/issue.net (put the text in that file); /etc/motd is shown only after a successful login. For displaying a message after a user logs in:
vi /etc/motd
Firewall and other tools
A firewall is also a good solution to filter connections for various protocols, including SSH. Firewalls and services like fail2ban (which reads the sshd log and temporarily bans addresses that keep failing authentication, one reason LogLevel VERBOSE is worth having) can be used to block illicit connections to the server. Refer to this article to view further tips to harden your server.