
# SSH Hardening

If you run Linux you almost certainly run an OpenSSH server, and it is usually the one service reachable from the whole network, so its configuration deserves care. The directives below go in `/etc/ssh/sshd_config`. sshd uses the first value it sees for each keyword, so on distributions that `Include /etc/ssh/sshd_config.d/*.conf` near the top of the file, a drop-in there (for example a cloud-init drop-in that sets `PasswordAuthentication yes`) silently wins over a later edit in the main file; confirm the effective configuration with `sshd -T`. Validate the file with `sshd -t` before restarting, and keep an existing session open until you have verified that you can still log in.

## Enable Public-Key Authentication

Key-based login is what makes it possible to refuse passwords in the next step. `PubkeyAuthentication yes` is already the default, but set it explicitly so a stray drop-in or edit cannot turn it off unnoticed. "Passwordless" means the server does not prompt; the private key itself should still be protected by a passphrase or held in an agent, and every authorized key should be in place and tested before you continue.

```
PubkeyAuthentication yes
```

## Disable Password Authentication

Once keys work, refuse passwords so that online guessing against the service has nothing to attack. Note that with `UsePAM yes` a password prompt can still be reached through keyboard-interactive authentication; close that path too with `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on OpenSSH older than 8.7) unless you rely on it for a second factor.

```
PasswordAuthentication no
```

## Disable Empty Passwords

Administrators can create accounts with an empty password (for example with `passwd -d`). When password authentication is enabled, sshd lets such accounts log in only if this option is `yes`. The default is already `no`; state it explicitly so the guarantee survives someone re-enabling password authentication later.

```
PermitEmptyPasswords no
```

## Disable Root Login

Log in as an unprivileged user and escalate with `sudo`: that keeps an audit trail of who did what and removes the one username every scanner tries first. If automation genuinely needs root over SSH, `PermitRootLogin prohibit-password` allows key-based root login while still refusing passwords.

```
PermitRootLogin no
```

## Change the Default SSH Port

Moving sshd off port 22 keeps opportunistic scanners out of your logs, but it is not an access control: anything that port-scans the host finds the service in seconds, so treat it as noise reduction on top of the settings above, not instead of them. Before restarting, open the new port in the firewall and, on SELinux systems, register it with the `ssh_port_t` type (via `semanage port`), otherwise sshd will fail to bind.

```
Port 12345
```

## Allow Users and Groups

Restrict logins to an explicit allow-list. Each directive takes a space-separated list of patterns (`AllowUsers` also accepts the `user@host` form), and sshd evaluates them in the order `DenyUsers`, `AllowUsers`, `DenyGroups`, `AllowGroups`: if `AllowUsers` is set, a user not listed in it is refused even when their group appears in `AllowGroups`. Make sure the account you administer from is covered before restarting.

```
AllowUsers user1 user2
AllowGroups group1 group2
```

## Disable X11 Forwarding

X11 forwarding lets an authenticated user tunnel GUI applications over SSH. It connects the server-side session to the X server on the client, so a compromised server can read keystrokes and capture windows on the client side. On a headless server there is no reason to offer it.

```
X11Forwarding no
```

## Disable Gateway Ports

With `GatewayPorts yes`, remote port forwards (`ssh -R`) may bind to the server's non-loopback addresses, exposing whatever the client forwards to every host that can reach the server. Keeping it at `no` pins such forwards to localhost on the server.

```
GatewayPorts no
```

## Disable PermitUserEnvironment

This stops users from injecting environment variables through `~/.ssh/environment` and `environment=` options in `authorized_keys`. As the sshd_config manual warns, environment processing can let users bypass restrictions such as forced commands through mechanisms like `LD_PRELOAD`, so leave it off unless a specific workflow needs it.

```
PermitUserEnvironment no
```

## Disable Weak Cryptographic Algorithms

Restrict key exchange, ciphers and MACs to modern choices: AEAD or counter-mode ciphers, curve25519 (with NIST P-521 ECDH as a fallback) for key exchange, and SHA-2 MACs with the encrypt-then-MAC variants listed first. This first set keeps the widest client compatibility.

```
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
```

A stricter alternative keeps only 256-bit ciphers and SHA-512 MACs. Use one of the two sets, not both, because sshd takes the first occurrence of each keyword.

```
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
```

Before restarting, confirm that the server build supports every name you list (`ssh -Q cipher`, `ssh -Q kex`, `ssh -Q mac`): an unsupported entry makes sshd refuse to start, which `sshd -t` will report. Clients that speak none of the listed algorithms will be locked out; that is the intended effect, but check your automation first. `curve25519-sha256@libssh.org` is the original name of the algorithm later standardised as `curve25519-sha256`, and current OpenSSH accepts both.

> You can list the algorithms a running server offers with nmap and compare the output with your intended lists:
>
> ```
> nmap -sV --script ssh2-enum-algos -p PORT TARGET
> ```

## Regenerate Host Keys

Host keys prove the server's identity to clients. Regenerate them when a machine was cloned from an image (cloned systems otherwise share a private host key) or when older, smaller keys are present. The commands below remove every existing key, then create a 4096-bit RSA key and an Ed25519 key without a passphrase, which sshd needs in order to read them at start-up. Every client that connected before will see a host-key-changed warning afterwards, so do this at provisioning time where possible and distribute the new fingerprints out of band.

```
rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
```

## Disable DSA and ECDSA Host Keys

Comment out (or delete) the `HostKey` lines for the DSA and ECDSA keys, leaving explicit `HostKey` lines for the RSA and Ed25519 keys generated above. Keep those two lines present: if a configuration contains no `HostKey` directive at all, sshd falls back to its built-in default set, which includes the ECDSA key. DSA host keys have been disabled by default since OpenSSH 7.0.

```
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
```

## Disable Small Diffie-Hellman Key Sizes

`/etc/ssh/moduli` holds the groups used by the `diffie-hellman-group-exchange-*` key exchanges. The size is the fifth column, and 3072-bit groups are recorded as `3071`, so the filter below drops everything smaller than 3072 bits. It only matters when a group-exchange method is enabled (the `KexAlgorithms` lists above do not include one), but trimming is harmless. Check that `moduli.safe` is non-empty before the `mv`: an empty moduli file breaks every group-exchange negotiation.

```
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
```
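A safer version of the same filter, as an added example that is not part of the original guide: it stages the result, counts what survived and refuses to replace the file if nothing did. `moduli_count` and `moduli_trim` are names chosen for this example, and the sample moduli lines at the end are constructed placeholders, not real primes.

```sh
#!/bin/sh
# Added example for this guide (not from the original page): the size filter
# from the awk one-liner, done so that a bad result cannot destroy the moduli
# file. sshd only consults /etc/ssh/moduli for the
# diffie-hellman-group-exchange-* key exchanges; if the file ends up empty,
# every such exchange fails, so the filtered output is validated first.

# moduli_count FILE
# Prints the number of modulus entries (non-comment, non-blank lines).
moduli_count() {
    awk '!/^#/ && NF { n++ } END { print n + 0 }' "$1"
}

# moduli_trim SRC DST [MINBITS]
# Writes to DST the comment lines of SRC plus every entry whose size field
# (column 5) is at least MINBITS (default 3071, which is how the file records
# 3072-bit groups). Prints "kept/total" and returns 1 without touching DST
# when nothing would survive. SRC and DST may be the same path, because the
# result is staged in a temporary file first.
moduli_trim() {
    src=$1 dst=$2 min=${3:-3071}
    staged=$(mktemp)
    awk -v min="$min" '/^#/ { print; next } $5 + 0 >= min' "$src" > "$staged"
    kept=$(moduli_count "$staged")
    total=$(moduli_count "$src")
    echo "$kept/$total moduli of at least $min bits kept"
    if [ "$kept" -eq 0 ]; then
        rm -f "$staged"
        return 1
    fi
    chmod 0644 "$staged"   # mktemp creates 0600; keep the usual mode of /etc/ssh/moduli
    mv -f "$staged" "$dst"
}

# Constructed sample (placeholder moduli, not real primes) to show the
# behaviour: two of the four entries survive the default threshold.
sample=$(mktemp); out=$(mktemp)
cat > "$sample" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 1023 2 DEADBEEF
20240101000000 2 6 100 2047 2 DEADBEEF
20240101000000 2 6 100 3071 2 DEADBEEF
20240101000000 2 6 100 4095 2 DEADBEEF
EOF
moduli_trim "$sample" "$out" && cat "$out"
rm -f "$sample" "$out"
```

Run `moduli_trim /etc/ssh/moduli /etc/ssh/moduli` as root to trim the real file in place; the comment header survives, and a threshold that leaves no entries is reported and refused instead of being written.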

## Disable SSHv1

Protocol 1 is broken and must never be offered. OpenSSH 7.4 (December 2016) removed the SSHv1 server entirely; on those and later releases the `Protocol` keyword is accepted but ignored as deprecated, so the line only has an effect on older servers and is harmless elsewhere.

```
Protocol 2
```
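As an added example that is not part of the original guide and not an OpenSSH tool, the POSIX shell script below audits an sshd_config against the directives on this page, covering both the yes/no settings and the algorithm lists from the cryptography section. It assumes the `Keyword value` syntax (the `Keyword=value` form is not parsed), reads only the one file it is given, and mirrors sshd's rule that the first occurrence of a keyword wins. The function names `sshd_first_value`, `sshd_check`, `sshd_weak_algos` and `sshd_audit` and the embedded sample configuration are constructed for this example.

```sh
#!/bin/sh
# Added audit helper for this guide (example code, not from the original page).
# It checks an sshd_config file against the directives above. Assumptions:
# the "Keyword value" syntax only (not "Keyword=value"), and no handling of
# Include or Match blocks, so feed it `sshd -T` output for the effective
# configuration (see the usage note).

# sshd_first_value FILE KEYWORD
# Prints the first effective value of KEYWORD (matched case-insensitively),
# skipping blank and comment lines. sshd honours the FIRST occurrence of a
# keyword, so a later duplicate never wins and is deliberately ignored here.
sshd_first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# sshd_check FILE KEYWORD "ACCEPTED ..."
# ACCEPTED is a space-separated list of values that pass. Prints one result
# line and returns 0 only when the first effective value is one of them.
sshd_check() {
    got=$(sshd_first_value "$1" "$2")
    if [ -z "$got" ]; then
        echo "MISSING $2 (want: $3)"; return 1
    fi
    for alt in $3; do
        if [ "$got" = "$alt" ]; then echo "ok      $2 = $got"; return 0; fi
    done
    echo "BAD     $2 = $got (want: $3)"; return 1
}

# sshd_weak_algos FILE
# Splits the Ciphers, MACs and KexAlgorithms lists and prints every entry that
# matches a known-weak pattern: CBC modes, 3DES, RC4 (arcfour), Blowfish,
# MD5 and anything built on SHA-1. Returns 1 if any were found.
sshd_weak_algos() {
    found=0
    for list_key in Ciphers MACs KexAlgorithms; do
        for algo in $(sshd_first_value "$1" "$list_key" | tr ',' ' '); do
            case "$algo" in
                *-cbc|*3des*|*arcfour*|*blowfish*|*md5*|*sha1*)
                    echo "WEAK    $list_key: $algo"; found=1 ;;
            esac
        done
    done
    return $found
}

# sshd_audit FILE
# Runs every check from this guide and returns the number of failed checks.
sshd_audit() {
    fails=0
    while IFS='|' read -r key want; do
        sshd_check "$1" "$key" "$want" || fails=$((fails + 1))
    done <<'EOF'
PubkeyAuthentication|yes
PasswordAuthentication|no
PermitEmptyPasswords|no
PermitRootLogin|no prohibit-password
X11Forwarding|no
GatewayPorts|no
PermitUserEnvironment|no
EOF
    sshd_weak_algos "$1" || fails=$((fails + 1))
    return $fails
}

# Constructed sample (not a real server's config) to show the report format.
# The second PasswordAuthentication line is the one a careless edit would add;
# sshd ignores it, and so does the audit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 12345
PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
X11Forwarding no
Ciphers aes256-gcm@openssh.com,aes128-cbc
EOF
sshd_audit "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

Because the script does not follow `Include` or `Match`, the most reliable input is the effective configuration: as root, `sshd -T > /tmp/effective.conf && sshd_audit /tmp/effective.conf`. `sshd -T` prints lowercase keywords, which the case-insensitive match handles. `MISSING` means the compiled-in default applies; for `PermitEmptyPasswords` that default is safe, but the audit still flags it because this page asks for the value to be stated explicitly.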

