How to Secure SSH Server

Securing an SSH server on a Linux system can be a simple task or a pain in the ass. Today I will share some configurations to help secure an SSH server; the focus here isn't to explain what the SSH protocol is but how it can be configured more securely.

SSH is the most used protocol to access remote hosts on the internet. It provides a secure channel between client and server and can use different types of authentication and tunneling mechanisms. By default the SSH server uses TCP port 22 and has a generic configuration file allowing many configurations and integrations with other services.

Today I will try to show how to secure an SSH server.

SSH Hardening

An SSH server can be installed by downloading the package or by using your system's package manager. Installing SSH isn't in the scope of this tutorial, but I can recommend a few things to help you choose the best solution for you.

Using the package manager can be a fast way to install the service, but do you trust the company that maintains it? If you are using a Red Hat system with the official repos you may feel more comfortable, but even then you can't guarantee the package wasn't changed beforehand.

The other option is compiling directly from source and verifying the release hash to guarantee it hasn't been tampered with by anyone.

After our service is installed

Verify SSH Version

In order to verify the server version run the command as root:

sshd -h

Secure SSH Server files of interest

The SSHD service is configured in a specific file. This file has all the server settings used to configure and secure our box. There are other files used by the service, but I will describe them later.

/etc/ssh/sshd_config

Manage SSHD Service

The SSH daemon can be managed by systemd, as on most Linux servers. Here I list some basic actions to manage the service.

Status

Verify SSH Server status.

systemctl status sshd

Start

Start SSH server service.

systemctl start sshd

Enable on Boot

Enable SSH server to start on boot:

systemctl enable sshd

Disable SSH v1

Go to the sshd config file and ensure only the number two is defined in the 'Protocol' value. Many systems have already removed support for SSH v1, but many still support it. Red Hat removed support for SSH v1 in RHEL 7.4.

vi /etc/ssh/sshd_config
Protocol 2

Keep SSH Server Secure

Always update your SSH server and disable the service features you don't use.

yum update openssh-server

Disable SSH X Forwarding

SSH X forwarding can be very useful for administering GUI applications remotely, but it is recommended to disable it because most SSH exploits target the X Window System. Only use the X Window System over SSH in a closed environment.

vi /etc/ssh/sshd_config

Change SSH Server Port

Changing the SSH server port is a good security practice to avoid automated scans that target the most common service ports. In order to change the server port run the following command:

The command will edit the sshd config file and change the port setting.

Change SSH Server Banner

Disable SSH Empty Passwords

Not only on SSH but on all protocols it is strongly advised to disable all users without passwords, but the SSH server is smart enough to detect users without passwords and doesn't let them log in.

To achieve this

Setup SSH Server Idle Timeout

Disable SSH Server Remote Root Login
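
The settings covered in the sections above (Protocol, X forwarding, port, empty passwords, root login) can be checked in one pass over /etc/ssh/sshd_config. The script below is an added example, not part of the original guide: the function names, finding texts and the two sample configs are constructed for illustration, absent keywords fall back to upstream OpenSSH defaults, and only the global section before any Match block is read.

```python
import re

# Upstream OpenSSH defaults, used when a keyword is absent (a distribution's file may differ).
DEFAULTS = {"port": ["22"], "x11forwarding": ["no"],
            "permitemptypasswords": ["no"], "permitrootlogin": ["prohibit-password"]}
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")   # "Keyword value" or "Keyword=value"

def parse_global(text):
    """Collect keyword -> [values] from the global section (before any Match block)."""
    seen = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank line, comment, or malformed line
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":             # conditional blocks are out of scope here
            break
        seen.setdefault(key, []).append(value)
    return seen

def audit(text):
    """Return a sorted list of findings for the settings this guide discusses."""
    seen = parse_global(text)
    def first(key):                    # sshd uses the first value it reads for a keyword
        return seen.get(key, DEFAULTS.get(key, [""]))[0].lower()
    findings = []
    if "protocol" in seen and first("protocol") != "2":
        findings.append("Protocol: SSH v1 is still allowed")
    if first("x11forwarding") == "yes":
        findings.append("X11Forwarding: enabled")
    if "22" in seen.get("port", DEFAULTS["port"]):   # Port may be repeated; all are used
        findings.append("Port: listening on default port 22")
    if first("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords: enabled")
    if first("permitrootlogin") != "no":
        findings.append("PermitRootLogin: root can log in remotely")
    return sorted(findings)

# Constructed sample inputs (not taken from a real host).
WEAK = ("Protocol 2,1\nX11Forwarding yes\nPermitEmptyPasswords=yes\n"
        "PermitRootLogin yes\nPermitRootLogin no\n")
HARDENED = ("Protocol 2\nPort 2222\nX11Forwarding no\nPermitEmptyPasswords no\n"
            "PermitRootLogin no\nMatch User backup\n    X11Forwarding yes\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

In the weak sample the second PermitRootLogin line does not help, because sshd keeps the first value it reads for that keyword.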

Configure SSH SeLinux

SSH Server Logs

The SSH server logs can be found at /var/log/sshd unless they were configured to be in another folder.

Turn Off IPv6 or IPv4?

Why?

SSH RSA Authentication Passwordless

SSH Client Config

You can do it by hand or use My Optimize Script

SSH Exploits

SSH exploits can be very dangerous. The SSH protocol, as we know, is used to access remote servers, encrypting all the data between client and server. An SSH exploit can compromise an entire company's infrastructure when used by malicious hackers.

Final thoughts

Securing or hardening an SSH server can be done by following some security standards.

Do you have any other configuration to add to this guide?

Leave it in the comments!

https://www.ssh.com/
