SSH Hardening

If you use Linux you most likely use SSH. SSH allows you to make connections without a password.

Enable passwordless Authentication

PubkeyAuthentication yes

Disable Password Authentication

PasswordAuthentication no

Disable Empty Passwords

Some user accounts are created without passwords, administrators of linux machines can create standard users without passwords. SSH does not prevent empty passwords from being allowed.

PermitEmptyPasswords no

PermitRootLogin no

Defult SSH Port

Port 12345

Allow Users and Groups**

AllowUsers user1 user2
AllowGroups group1 group2

Disable X11 Forwarding

X11 Forwarding allows anyone to tunnel GUI applications with SSH. You probably dont want that.

X11Forwarding no

Disable Gateway Ports

GatewayPorts no

Disable PermitUserEnvironment

PermitUserEnvironment no

Disable Weak Cryptographic Algorithims

Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms [email protected],ecdh-sha2-nistp521
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256

Ciphers [email protected],[email protected],aes256-ctr
KexAlgorithms [email protected],ecdh-sha2-nistp521
MACs [email protected],hmac-sha2-512****

You can test support algorithims using nmap
nmap -sV --script ssh2-enum-algos -p PORT TARGET

Regenerate Host Keys

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

Disable Host Keys

#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Disable Small Diffie-Hellman Key Sizes

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli

Disable SSHv1

Protocol 2

PreviousGeneral OS Hardening (Ubuntu 20.04 LTS)NextStarting the Node

Last updated 4 years ago

hashtagEnable passwordless Authentication

hashtagDisable Password Authentication

hashtagDisable Empty Passwords

hashtagDisable Root Login

hashtagDefult SSH Port

hashtagAllow Users and Groups**

hashtagDisable X11 Forwarding

hashtagDisable Gateway Ports

hashtagDisable PermitUserEnvironment

hashtagDisable Weak Cryptographic Algorithims

hashtagRegenerate Host Keys

hashtagDisable Host Keys

hashtagDisable Small Diffie-Hellman Key Sizes

hashtagDisable SSHv1