SSH Hardening

If you use Linux you most likely use SSH. SSH allows you to make connections without a password.

Enable passwordless Authentication

PubkeyAuthentication yes

Disable Password Authentication

PasswordAuthentication no

Disable Empty Passwords

Some user accounts are created without passwords, administrators of linux machines can create standard users without passwords. SSH does not prevent empty passwords from being allowed.

PermitEmptyPasswords no

PermitRootLogin no

Defult SSH Port

Port 12345

Allow Users and Groups**

AllowUsers user1 user2
AllowGroups group1 group2

Disable X11 Forwarding

X11 Forwarding allows anyone to tunnel GUI applications with SSH. You probably dont want that.

X11Forwarding no

Disable Gateway Ports

GatewayPorts no

Disable PermitUserEnvironment

PermitUserEnvironment no

Disable Weak Cryptographic Algorithims

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512****

You can test support algorithims using nmap
nmap -sV --script ssh2-enum-algos -p PORT TARGET

Regenerate Host Keys

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

Disable Host Keys

#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Disable Small Diffie-Hellman Key Sizes

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli

Disable SSHv1

Protocol 2

PreviousGeneral OS Hardening (Ubuntu 20.04 LTS)NextStarting the Node

Last updated 3 years ago