SSH Hardening
If you use Linux, you most likely use SSH. SSH allows you to make connections without a password by using public key authentication.
Enable Passwordless Authentication
PubkeyAuthentication yes
Disable Password Authentication
PasswordAuthentication no
Disable Empty Passwords
Some user accounts are created without passwords: administrators of Linux machines can create standard users without passwords. SSH does not prevent empty passwords from being allowed.
PermitEmptyPasswords no
Disable Root Login
PermitRootLogin no
Default SSH Port
Port 12345
Allow Users and Groups
AllowUsers user1 user2
AllowGroups group1 group2
Disable X11 Forwarding
X11 Forwarding allows anyone to tunnel GUI applications with SSH. You probably don't want that.
X11Forwarding no
Disable Gateway Ports
GatewayPorts no
Disable PermitUserEnvironment
PermitUserEnvironment no
Disable Weak Cryptographic Algorithms
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms [email protected],ecdh-sha2-nistp521
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256

Ciphers [email protected],[email protected],aes256-ctr
KexAlgorithms [email protected],ecdh-sha2-nistp521
MACs [email protected],hmac-sha2-512
You can test the supported algorithms using nmap
nmap -sV --script ssh2-enum-algos -p PORT TARGET
Regenerate Host Keys
rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
Disable Host Keys
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
Disable Small Diffie-Hellman Key Sizes
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
Disable SSHv1
Protocol 2
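A check for the yes/no directives above, as an added example that is not part of the original page: the shell function below reads an sshd_config file and reports every setting that differs from the values listed here. The function name `audit_sshd_config`, the output wording and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the yes/no settings on this page.
# Port, AllowUsers/AllowGroups and the algorithm lists are site-specific and not checked.
EXPECTED="pubkeyauthentication=yes passwordauthentication=no permitemptypasswords=no"
EXPECTED="$EXPECTED permitrootlogin=no x11forwarding=no gatewayports=no"
EXPECTED="$EXPECTED permituserenvironment=no"

# audit_sshd_config FILE
# Prints one line per deviation and returns 1 if there is any, 0 otherwise.
# Models two sshd parsing rules: keywords are case-insensitive, and the first
# value found for a keyword is the one used. Reading stops at the first Match
# block, so conditional overrides and Include files are not evaluated.
audit_sshd_config() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pair, " ")
            for (i = 1; i <= n; i++) {
                split(pair[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        NF == 0 || $1 ~ /^#/ { next }                # blank lines and comments
        { key = tolower($1) }
        key == "match" { exit }                      # jumps to END
        !(key in seen) { seen[key] = tolower($2) }   # first occurrence wins
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen)) {
                    printf "UNSET %s (page sets %s)\n", k, want[k]; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "FAIL  %s is %s (page sets %s)\n", k, seen[k], want[k]; bad = 1
                }
            }
            exit bad
        }' "$1"
}

# Constructed sample: the second PermitRootLogin line is ignored by sshd, so the
# effective value stays "yes"; PermitUserEnvironment is left to the built-in default.
SAMPLE=$(mktemp)
printf '%s\n' '# constructed sample' 'PubkeyAuthentication yes' \
    'passwordauthentication no' 'PermitEmptyPasswords no' 'PermitRootLogin yes' \
    'PermitRootLogin no' 'X11Forwarding no' 'GatewayPorts no' > "$SAMPLE"
if audit_sshd_config "$SAMPLE"; then echo "matches the page"; else echo "deviations found"; fi
rm -f "$SAMPLE"
```

On a live host, running the function on the saved output of `sshd -T` also covers built-in defaults and included files, because that output is the effective configuration.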