SSH Hardening - The Basics
Here we discuss some basic methods of SSH hardening.
Comprehensive Guide to Hardening SSH on Debian-Based Systems
Table of Contents
- Introduction to SSH
- Update SSH Software
- Disable Root Login
- Use Key-Based Authentication
- Change the Default SSH Port
- Restrict User Access
- Configure Idle Timeout
- Disable Unnecessary Features
- Use Strong Encryption Algorithms
- Enable Fail2Ban
- Implement Two-Factor Authentication (2FA)
- Monitor and Audit SSH Access
- Regularly Rotate SSH Keys
- Use a Bastion Host
- Test Your Configuration
- Advanced sshd_config Settings
Introduction to SSH
SSH (Secure Shell) is a cryptographic network protocol used for secure communication over an unsecured network. It allows users to securely access and manage remote systems, transfer files, and execute commands. SSH was developed in 1995 by Tatu Ylönen as a replacement for insecure protocols like Telnet and rsh.
SSH is widely used in system administration, cloud computing, and DevOps. However, its popularity also makes it a common target for attackers. By hardening your SSH configuration, you can significantly reduce the risk of unauthorized access and ensure the security of your systems.
Update SSH Software
Keeping your SSH software up to date is the first step in securing your system. Updates often include security patches for known vulnerabilities.
sudo apt update
sudo apt upgrade openssh-server
Additional Considerations: Enable automatic security updates to ensure SSH stays up to date:
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Disable Root Login
Allowing root login over SSH is a significant security risk: root is an account name every attacker already knows. Disabling it forces an attacker to guess both a valid username and its password.
sudo nano /etc/ssh/sshd_config
Find the line #PermitRootLogin yes
and change it to:
PermitRootLogin no
Save and exit the file, then restart the SSH service:
sudo systemctl restart sshd
Additional Considerations: Use a non-root user with sudo privileges for administrative tasks.
Use Key-Based Authentication
Key-based authentication is more secure than passwords because the private key never leaves the client machine and cannot be guessed or brute-forced the way a password can.
Generate an SSH key pair on the client machine:
ssh-keygen -t ed25519 -a 100
Copy the public key to the server:
ssh-copy-id username@server_ip
Disable password authentication:
sudo nano /etc/ssh/sshd_config
PasswordAuthentication no
Restart the SSH service:
sudo systemctl restart sshd
Additional Considerations: Use a passphrase for your private key and consider using a hardware security key (e.g., YubiKey).
Change the Default SSH Port
Changing the default SSH port (22) reduces exposure to automated scans and brute-force attacks.
sudo nano /etc/ssh/sshd_config
# Replace 2222 with a non-standard port of your choice
Port 2222
Update firewall rules:
sudo ufw allow 2222/tcp
sudo ufw reload
Restart the SSH service:
sudo systemctl restart sshd
Additional Considerations: Choose a port number above 1024 to avoid conflicts with well-known ports.
Restrict User Access
Limit SSH access to specific users or groups to minimize the attack surface.
sudo nano /etc/ssh/sshd_config
AllowUsers user1 user2
AllowGroups sshusers
Restart the SSH service:
sudo systemctl restart sshd
Additional Considerations: Create a dedicated group for SSH users:
sudo groupadd sshusers
sudo usermod -aG sshusers user1
Configure Idle Timeout
Automatically disconnect idle sessions to reduce the risk of unauthorized access.
sudo nano /etc/ssh/sshd_config
# Send a keepalive probe after 5 minutes without client traffic
ClientAliveInterval 300
# Disconnect after 2 unanswered probes (10 minutes)
ClientAliveCountMax 2
Restart the SSH service:
sudo systemctl restart sshd
Disable Unnecessary Features
Disable features like X11 forwarding, TCP forwarding, and agent forwarding unless explicitly needed.
sudo nano /etc/ssh/sshd_config
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
Restart the SSH service:
sudo systemctl restart sshd
Use Strong Encryption Algorithms
Configure SSH to use only secure cryptographic algorithms.
sudo nano /etc/ssh/sshd_config
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Restart the SSH service:
sudo systemctl restart sshd
Enable Fail2Ban
Fail2Ban automatically blocks IP addresses that repeatedly fail SSH authentication.
sudo apt install fail2ban
sudo nano /etc/fail2ban/jail.local
Add the following:
[sshd]
enabled = true
maxretry = 3
bantime = 1h
Restart Fail2Ban:
sudo systemctl restart fail2ban
Implement Two-Factor Authentication (2FA)
Add an extra layer of security with 2FA using Google Authenticator.
sudo apt install libpam-google-authenticator
google-authenticator
Configure SSH to use 2FA:
sudo nano /etc/pam.d/sshd
auth required pam_google_authenticator.so
sudo nano /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
Restart the SSH service:
sudo systemctl restart sshd
Monitor and Audit SSH Access
Regularly monitor SSH logs for suspicious activity.
sudo tail -f /var/log/auth.log
Additional Considerations: Use a centralized logging solution (e.g., SIEM) for advanced monitoring.
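The check below is an added example, not part of the original guide. It walks a handful of constructed auth.log lines in the format sshd logs via syslog, reports source addresses whose failed password attempts reach the maxretry value of 3 used in the Fail2Ban jail above, and lists accepted logins for review against your AllowUsers list. The addresses, usernames and fingerprint in the sample are constructed.

```shell
# Constructed sample auth.log lines (not from a real host), in the format sshd logs via syslog.
SAMPLE_AUTH_LOG='Jan 10 09:01:12 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jan 10 09:01:15 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Jan 10 09:01:19 host sshd[2103]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jan 10 09:02:01 host sshd[2110]: Accepted publickey for alice from 203.0.113.5 port 40022 ssh2: ED25519 SHA256:placeholderfingerprint
Jan 10 09:03:44 host sshd[2120]: Failed password for bob from 192.0.2.9 port 33100 ssh2
Jan 10 09:04:00 host sshd[2125]: Failed password for invalid user test from 198.51.100.7 port 51044 ssh2'

# Read log text on stdin and print "count address" for every source address
# with failed password attempts, highest count first.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for ' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Print only the addresses whose failure count reaches the threshold given as $1
# (3 matches the maxretry value in the Fail2Ban jail above).
ips_over_threshold() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Print successful logins as "user address method" for review against AllowUsers;
# a "password" method here means password authentication is still enabled somewhere.
accepted_logins() {
    sed -n 's/.*Accepted \([a-z-]*\) for \([^ ]*\) from \([0-9.]*\) port .*/\2 \3 \1/p'
}

# Demo on the constructed sample; on a live host pipe the real log in instead.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ips_over_threshold 3
```

Against a live host, run sudo tail -n 2000 /var/log/auth.log | ips_over_threshold 3; on Debian 12, where rsyslog is no longer installed by default, feed it journalctl -u ssh --no-pager instead.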
Regularly Rotate SSH Keys
Periodically generate and replace SSH keys to minimize the impact of key compromise.
ssh-keygen -t ed25519 -a 100
Replace the old public key on the server with the new one.
Use a Bastion Host
A bastion host acts as a single entry point for SSH access, reducing the attack surface.
Set up a dedicated server as the bastion host and restrict SSH access to it.
Test Your Configuration
After making changes, test your SSH configuration to ensure everything works as expected.
sudo sshd -t
Attempt to connect to the server using the new settings.
Advanced sshd_config Settings
Here are additional settings to further harden your SSH server:
| Setting | Insecure Value | Secure Value | Why? |
|---|---|---|---|
| Protocol | 1 | 2 | SSHv1 is outdated and insecure. |
| MaxAuthTries | 6 | 3 | Limits brute-force attempts. |
| LoginGraceTime | 2m | 1m | Reduces time for brute-force attacks. |
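As an added example that is not part of the original guide, the audit below complements sudo sshd -t from the Test Your Configuration section: where sshd -t only checks syntax, this reads an sshd_config and reports every directive whose value differs from what this guide recommends, including MaxAuthTries and LoginGraceTime from the table above. The sample configuration is constructed, with PermitRootLogin left at yes and PasswordAuthentication still commented out so that both are flagged; it reads a single file and does not follow Include directives or Match blocks.

```shell
# Constructed sample sshd_config, not from a real host; PermitRootLogin is weak
# and PasswordAuthentication is still commented out, so both should be flagged.
SAMPLE_SSHD_CONFIG='Port 2222
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
MaxAuthTries 3
LoginGraceTime 1m'

# The values this guide recommends, one "Keyword value" pair per line.
EXPECTED_SETTINGS='PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
MaxAuthTries 3
LoginGraceTime 1m'

# Print the effective value of one keyword from config text on stdin.
# sshd honours the first uncommented occurrence and keywords are case-insensitive;
# Include directives and Match blocks are not interpreted here. Prints UNSET if absent.
sshd_config_get() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "UNSET" }'
}
# Print one "Keyword expected=X actual=Y" line per setting in the file $1 that deviates.
audit_sshd_config() {
    printf '%s\n' "$EXPECTED_SETTINGS" | while read -r key want; do
        have=$(sshd_config_get "$key" < "$1")
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
        fi
    done
}
# Exit status 0 when no deviations are reported for file $1, 1 otherwise.
sshd_config_is_hardened() {
    [ -z "$(audit_sshd_config "$1")" ]
}
# Write the constructed sample to a temporary file and print its path.
sample_config_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$f"
    printf '%s\n' "$f"
}
```

On a real host run audit_sshd_config /etc/ssh/sshd_config after editing, then sudo sshd -t as the authoritative syntax check before restarting the service.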