SSH Hardening

If you run a Linux node you almost certainly administer it over SSH. SSH supports public-key authentication, which lets you log in without ever sending a password; the settings below go in /etc/ssh/sshd_config (on Ubuntu 20.04 you can also place them in a file under /etc/ssh/sshd_config.d/, which the stock config includes). Keep an existing session open while you make changes, validate the file with sshd -t, and only then restart the sshd service, so that a typo cannot lock you out of the node.

Enable Public-Key Authentication

This is already the default, but set it explicitly. Before going further, put your public key in ~/.ssh/authorized_keys for the account you administer the node with and confirm that a key-based login works.

PubkeyAuthentication yes

Disable Password Authentication

Only do this once key-based login has been verified. Keep ChallengeResponseAuthentication at no as well (the Ubuntu 20.04 default): if it is enabled, PAM can still prompt for a password through keyboard-interactive authentication even though PasswordAuthentication is off.

PasswordAuthentication no

Disable Empty Passwords

A local account can exist with an empty password field: an administrator can create one that way, or a password can be cleared later. OpenSSH refuses such logins by default, but state it explicitly so the setting survives a copied-in config or a changed default.

PermitEmptyPasswords no

Disable Root Login

The default (prohibit-password) still allows root to log in with a key. Set it to no so that no authentication method works for root; log in as an unprivileged user and use sudo.

PermitRootLogin no

Default SSH Port

Moving sshd off port 22 does not stop a targeted attacker (a port scan finds it in seconds), but it does cut the volume of automated login attempts in your logs. 12345 is a placeholder: pick an unused port, open it in the firewall and in any cloud security group before restarting sshd, and connect with the -p option afterwards.

Port 12345

Allow Users and Groups

Restrict logins to named accounts. When both directives are present a user must match AllowUsers and also belong to a group in AllowGroups, so list only your administrative account and its group. user1, user2, group1 and group2 are placeholders.

AllowUsers user1 user2
AllowGroups group1 group2

Disable X11 Forwarding

X11 forwarding lets an authenticated user tunnel GUI applications from the node back to their desktop over SSH. A headless pool node has no use for it, and disabling it removes a channel that a compromised node could use against the connecting client's display.

X11Forwarding no

Disable Gateway Ports

GatewayPorts controls whether remote port forwards (ssh -R) may bind to all of the node's interfaces instead of loopback only. Leave it at no so that a user cannot expose a forwarded port on the node's public address.

GatewayPorts no

Disable PermitUserEnvironment

PermitUserEnvironment lets users set environment variables through ~/.ssh/environment and environment= options in authorized_keys. Variables such as LD_PRELOAD could be used to bypass restrictions such as forced commands, so keep it disabled.

PermitUserEnvironment no

Disable Weak Cryptographic Algorithms

Restrict sshd to AEAD or CTR-mode ciphers, elliptic-curve key exchange and SHA-2 MACs (encrypt-then-MAC variants first). The first set is broadly compatible with current clients:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

The second is a stricter subset of the first; use it if every client you connect from supports it:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512

Neither set includes a diffie-hellman-group-exchange method, which matters for the moduli step further down.

You can check which algorithms the server actually offers from another machine with nmap's ssh2-enum-algos script (replace PORT and TARGET), or locally with sshd -T, which prints the effective configuration:

nmap -sV --script ssh2-enum-algos -p PORT TARGET

Regenerate Host Keys

Host keys baked into a VM image are shared by every clone of that image, so generate fresh ones on the node. The commands below (run as root) remove all existing host keys, including the DSA and ECDSA ones, and replace them with a 4096-bit RSA key and an Ed25519 key. Every client that has connected before will see a host-key-changed warning, so record the new fingerprints (ssh-keygen with -l) and verify them out of band on the next connection, then restart sshd.

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

Disable Host Keys

Make sshd load only the RSA and Ed25519 keys. Be aware that when sshd_config contains no HostKey directive at all, sshd tries its default paths (rsa, ecdsa and ed25519) and silently skips missing files, so commenting out the DSA and ECDSA entries as shown only has an effect once explicit HostKey lines exist; add HostKey lines naming the two key files you kept, and leave the others commented out.

#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Disable Small Diffie-Hellman Key Sizes

/etc/ssh/moduli holds the groups used by the diffie-hellman-group-exchange-* key exchange methods. Field 5 of each line is the prime size in bits minus one, so keeping lines with a value of at least 3071 drops every group smaller than 3072 bits. This step only matters if a group-exchange method is present in KexAlgorithms; with the lists above the file is never consulted, but filtering it is harmless and protects you if the list is relaxed later. Run as root and keep a backup of the original file.

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
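As an added example (not part of this guide), the filter above wrapped with a summary step, so you can see how many groups of each size survive before you replace the live file and restart sshd. The sample moduli lines are constructed with the real column layout (time, type, tests, trials, size, generator, modulus) but fake, truncated hex values; a real file has one full prime per line.

```shell
#!/bin/sh
# Added example, not from the guide: filter /etc/ssh/moduli and summarise the result.
# Field 5 is the prime size in bits minus one, so a threshold of 3071 keeps >= 3072-bit groups.
# Only the diffie-hellman-group-exchange-* kex methods ever read this file.

# Keep moduli lines whose size field is at least $1 (default 3071); comment lines pass through.
filter_moduli() {
    awk -v min="${1:-3071}" '/^#/ {print; next} $5 >= min'
}

# Count surviving groups per nominal size (size field + 1), printed as "<count> <bits>".
moduli_sizes() {
    awk '!/^#/ {print $5 + 1}' | sort -n | uniq -c | awk '{print $1, $2}'
}

# Constructed sample: real column layout, fake shortened moduli.
sample_moduli() {
    cat <<'EOF'
# comment lines are allowed in /etc/ssh/moduli
20200101000000 2 6 100 2047 2 DEADBEEF
20200101000001 2 6 100 2047 2 CAFEBABE
20200101000002 2 6 100 3071 2 0BADF00D
20200101000003 2 6 100 3071 5 FEEDFACE
20200101000004 2 6 100 4095 2 8BADF00D
EOF
}

# Demo on the sample. On a real node, as root:
#   filter_moduli < /etc/ssh/moduli > /etc/ssh/moduli.safe
#   moduli_sizes < /etc/ssh/moduli.safe      # must not be empty before you mv it into place
sample_moduli | filter_moduli | moduli_sizes
```

If the summary comes back empty, sshd falls back to its built-in fixed groups for group-exchange, so an over-aggressive threshold silently loses the benefit of the file rather than breaking logins; always look at the counts before moving the filtered file into place.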

Disable SSHv1

OpenSSH 7.4 removed server-side support for protocol version 1, and Ubuntu 20.04 ships OpenSSH 8.2, where the Protocol directive is accepted but ignored. Keeping the line is harmless and still documents intent on older hosts that do honour it.

Protocol 2
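To check all of the above in one pass, here is an added audit script (my own example, not code from this guide or from the Cardano project). It reads the effective configuration that sshd -T prints, which includes defaults you never wrote, and compares it with the settings on this page. The allow-lists are the broad algorithm lists above plus curve25519-sha256, the standardised alias of curve25519-sha256@libssh.org. Port and AllowUsers are site-specific and are only reported. The two embedded samples are constructed to mimic the shape of sshd -T output (lowercase keys, comma-separated algorithm lists, one hostkey line per key); they were not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the guide: audit `sshd -T` output against this page's settings.
# On a live node:   sudo sshd -T | sh audit.sh      (audit.sh is an assumed file name)

# Allow-lists: the page's broad lists, plus the standard alias for curve25519.
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"
ALLOWED_KEX="curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp521"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256"

# Yes/no directives and the value the guide wants; sshd -T prints keys in lowercase.
expected_settings() {
    cat <<'EOF'
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
permitrootlogin no
x11forwarding no
gatewayports no
permituserenvironment no
EOF
}

# Value of one directive from sshd -T text on stdin (first match only).
cfg_get() { awk -v k="$1" '$1==k {print $2; exit}'; }

# Flag every entry of a comma-separated algorithm list that is not on the allow-list.
check_algos() {
    key=$1; allowed=$2
    got=$(cfg_get "$key")
    old_ifs=$IFS; IFS=,
    for entry in $got; do
        case " $allowed " in
            *" $entry "*) ;;
            *) echo "FAIL $key offers $entry (not on the allow-list)" ;;
        esac
    done
    IFS=$old_ifs
}

# Read sshd -T output on stdin, print PASS/FAIL/INFO lines, return 1 if anything FAILs.
audit_sshd_config() {
    cfg=$(cat)
    findings=$(
        expected_settings | while read -r key want; do
            got=$(printf '%s\n' "$cfg" | cfg_get "$key")
            if [ "$got" = "$want" ]; then echo "PASS $key $got"
            else echo "FAIL $key is '${got:-unset}', want '$want'"; fi
        done
        printf '%s\n' "$cfg" | check_algos ciphers "$ALLOWED_CIPHERS"
        printf '%s\n' "$cfg" | check_algos kexalgorithms "$ALLOWED_KEX"
        printf '%s\n' "$cfg" | check_algos macs "$ALLOWED_MACS"
        # Only the rsa and ed25519 host keys should be loaded ("Disable Host Keys").
        printf '%s\n' "$cfg" | awk '$1=="hostkey" {print $2}' | while read -r hk; do
            case $hk in
                *ed25519*|*rsa*) echo "PASS hostkey $hk" ;;
                *) echo "FAIL hostkey $hk loaded (dsa/ecdsa should be disabled)" ;;
            esac
        done
        # /etc/ssh/moduli is consulted only by the group-exchange kex methods.
        case $(printf '%s\n' "$cfg" | cfg_get kexalgorithms) in
            *diffie-hellman-group-exchange*) echo "INFO group-exchange kex enabled: filter /etc/ssh/moduli" ;;
            *) echo "INFO no group-exchange kex: /etc/ssh/moduli is never used" ;;
        esac
        port=$(printf '%s\n' "$cfg" | cfg_get port)
        echo "INFO port ${port:-unset} (22 is the default; the guide moves it)"
    )
    printf '%s\n' "$findings"
    case $findings in *FAIL*) return 1 ;; esac
    return 0
}

# Constructed sample in the shape of sshd -T output on an unhardened host.
sample_unhardened() {
    cat <<'EOF'
port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
permitemptypasswords no
x11forwarding yes
gatewayports no
permituserenvironment no
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha1
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
EOF
}

# Constructed sample after applying this page's settings (strict algorithm set).
sample_hardened() {
    cat <<'EOF'
port 12345
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
x11forwarding no
gatewayports no
permituserenvironment no
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
EOF
}

# Demo on the constructed samples; on a real node use: sudo sshd -T | audit_sshd_config
sample_unhardened | audit_sshd_config || echo "unhardened sample: fix the FAIL lines above"
sample_hardened | audit_sshd_config && echo "hardened sample: clean"
```

Run it after every change to sshd_config and again after the sshd restart: the first run catches typos in what you wrote, the second confirms what the running daemon actually negotiated into effect. Because it works from sshd -T rather than from the file, it also catches the case where a later directive or a default overrides what you thought you had set.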

Last updated 3 years ago
