SSH Hardening

If you use Linux you most likely use SSH. Besides remote shells, SSH supports public key authentication, so you can log in without typing a password at all. The settings below go in /etc/ssh/sshd_config on the server. After editing, run sshd -t to check the syntax and then restart the sshd service; a typo in this file can lock you out of the box.

Enable Public Key (passwordless) Authentication

PubkeyAuthentication yes

Disable Password Authentication

Before turning this off, confirm from a second session that your key-based login works, otherwise you lock yourself out.

PasswordAuthentication no

Disable Empty Passwords

Administrators can create user accounts with an empty password, and sshd does not refuse such logins on its own. Set this explicitly so that an empty password is never accepted, even if password authentication is later re-enabled.

PermitEmptyPasswords no

Disable Root Login

Log in as a normal user and use sudo instead. If an automated job really must log in as root with a key, use the value prohibit-password rather than yes so that root can never authenticate with a password.

PermitRootLogin no

Change the Default SSH Port

This does not stop a targeted attacker (a port scan finds sshd in seconds), but it cuts most of the automated noise aimed at port 22. Remember to update your firewall rules and to pass -p to ssh clients.

Port 12345

Allow Users and Groups

Only the listed users and groups can log in; everyone else is rejected after authentication. If both directives are set, a user must match both.

AllowUsers user1 user2
AllowGroups group1 group2

Disable X11 Forwarding

X11 forwarding lets any authenticated user tunnel GUI applications over SSH, and a compromised server can abuse the forwarded connection to interact with the client's X display. On a server that runs no GUI you do not want that.

X11Forwarding no

Disable Gateway Ports

With GatewayPorts yes, remote port forwards (ssh -R) listen on all interfaces instead of only on loopback, which exposes whatever a user forwards to the whole network.

GatewayPorts no

Disable PermitUserEnvironment

When enabled, users can set environment variables for their session via ~/.ssh/environment and environment= options in authorized_keys. Variables such as LD_PRELOAD or PATH can then be used to bypass restrictions like ForceCommand.

PermitUserEnvironment no

Disable Weak Cryptographic Algorithms

Restrict the server to AEAD or CTR ciphers, elliptic-curve key exchange and SHA-2 MACs (preferring the encrypt-then-MAC variants). A broadly compatible set:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

A stricter set, if all of your clients are modern OpenSSH:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512

Neither list includes a diffie-hellman-group-exchange-* algorithm, so the /etc/ssh/moduli file is never consulted with these settings.
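The directives above are the settings this page asks for; the following script is an added example (not from the original page) that audits an sshd_config, or the output of sshd -T, against them. It respects two sshd_config rules that hand-written greps usually get wrong: the first occurrence of a keyword wins (later duplicates are ignored), and anything after a Match line applies only to that block. It assumes the "Keyword value" form (not "Keyword=value"), and the weak-algorithm patterns it scans for are this script's own choice. Both sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a sshd_config file (or `sshd -T` output) against the
# hardening settings on this page. Not part of the original page.

# Effective value of a keyword (case-insensitive). sshd uses the FIRST
# occurrence and ignores later duplicates; settings after a Match block apply
# only to that block, so we stop there. Prints nothing if the keyword is unset
# (the compiled-in default then applies).
sshd_value() {   # keyword file
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key       { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# One PASS/FAIL line; exit status 0 on PASS.
check_setting() {   # file keyword expected
    actual=$(sshd_value "$2" "$1")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        printf 'PASS %-22s %s\n' "$2" "$actual"
    else
        printf 'FAIL %-22s got "%s", want "%s"\n' "$2" "$actual" "$3"; return 1
    fi
}

# Algorithms in a comma-separated list that match a weak pattern (assumption of
# this script): CBC ciphers, SHA-1 and MD5 MACs/kex, arcfour, 3DES.
weak_algos() {   # file keyword
    sshd_value "$2" "$1" | tr ',' '\n' | grep -E -- '-cbc|-sha1|arcfour|3des|md5' || true
}

# Run the whole baseline; exit status 0 only if every check passes.
audit_sshd_config() {   # file
    fails=0
    for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
                PermitEmptyPasswords=no PermitRootLogin=no X11Forwarding=no \
                GatewayPorts=no PermitUserEnvironment=no
    do
        check_setting "$1" "${pair%%=*}" "${pair#*=}" || fails=$((fails + 1))
    done
    for kw in Ciphers KexAlgorithms MACs; do
        bad=$(weak_algos "$1" "$kw")
        if [ -n "$bad" ]; then
            printf 'FAIL %-22s weak: %s\n' "$kw" "$(printf '%s' "$bad" | tr '\n' ' ')"
            fails=$((fails + 1))
        elif [ -z "$(sshd_value "$kw" "$1")" ]; then
            printf 'PASS %-22s not set, compiled-in default applies\n' "$kw"
        else
            printf 'PASS %-22s no weak algorithms listed\n' "$kw"
        fi
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample: a stock-looking config with several weak settings.
# Note the duplicate PasswordAuthentication (first one wins) and the Match block.
write_weak_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real server's config
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding yes
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1
Match User backup
    PasswordAuthentication no
EOF
    echo "$f"
}

# Constructed sample: the same server with the settings from this page applied.
write_hardened_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 12345
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
X11Forwarding no
GatewayPorts no
PermitUserEnvironment no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
EOF
    echo "$f"
}
```

On a real server, audit the effective configuration rather than the file: sshd -T prints every option with its final value (including defaults) in lowercase, which the case-insensitive lookup handles, so sshd -T > /tmp/effective.conf && audit_sshd_config /tmp/effective.conf shows what sshd actually enforces. Against the constructed weak config the audit fails on PasswordAuthentication (the first occurrence says yes), on the three unset keywords, and on the CBC ciphers and hmac-sha1; against the hardened config every check passes.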

You can check which algorithms a server offers remotely with nmap:

nmap -sV --script ssh2-enum-algos -p PORT TARGET

Locally, ssh -Q cipher, ssh -Q kex and ssh -Q mac list what your OpenSSH build supports, and sshd -T shows the values the server actually uses after the config is applied.

Regenerate Host Keys

Run this as root. Every client that has connected before will see a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning afterwards, so record the new fingerprints (ssh-keygen -lf on each public key) and distribute them out of band. Back up the old keys first if you need to roll back. Restart sshd when done.

rm /etc/ssh/ssh_host_*
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

Disable Unwanted Host Keys

Comment out the DSA and ECDSA host keys and leave only the RSA and Ed25519 HostKey lines active. Once any HostKey line is present, sshd stops using its built-in default key paths, so the two remaining lines must stay uncommented.

#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

Disable Small Diffie-Hellman Key Sizes

sshd only reads /etc/ssh/moduli when a diffie-hellman-group-exchange-* key exchange is enabled, so this step matters only if you keep such an algorithm in KexAlgorithms. The fifth column of each line is the group size as recorded by ssh-keygen (2047 for a 2048-bit group), so keeping sizes of 3071 and up leaves only 3072-bit and larger groups. Back the file up before replacing it.

awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli
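The awk one-liner above compares the fifth field of every line, including the comment header that distributions ship at the top of the file, and on such lines the comparison is a string comparison that keeps or drops them by accident. The following is an added example (not from the original page) that keeps comment lines explicitly, forces a numeric comparison, and reports how many groups were kept and dropped. The sample moduli file is constructed; its hex moduli are placeholders far too short for sshd to use, which does not matter for demonstrating the filter.

```shell
#!/bin/sh
# Added example: prune a moduli file to groups of at least 3072 bits.
# Not part of the original page. Column 5 is the size as stored by ssh-keygen
# (2047 for a 2048-bit group), hence the 3071 threshold.

# Write the filtered moduli to $2; print "<kept> <dropped>" counts on stdout.
prune_moduli() {   # in out
    awk -v min=3071 -v out="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { print > out; next }   # keep comments/blank lines as-is
        $5 + 0 >= min + 0        { print > out; kept++; next }
        { dropped++ }
        END { printf "%d %d\n", kept + 0, dropped + 0 }
    ' "$1"
}

# Smallest group size present in a moduli file (ignores comment lines).
smallest_group() {   # file
    awk '!/^[ \t]*#/ && NF >= 5 { s = $5 + 0; if (min == "" || s < min) min = s }
         END { print min + 0 }' "$1"
}

# Constructed sample in the real file layout:
# Time Type Tests Tries Size Generator Modulus. Real moduli are hundreds of hex digits.
write_sample_moduli() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real moduli file
# Time Type Tests Tries Size Generator Modulus
20200101000000 2 6 100 1023 2 DEADBEEF
20200101000000 2 6 100 2047 2 DEADBEEF
20200101000000 2 6 100 3071 2 DEADBEEF
20200101000000 2 6 100 4095 2 DEADBEEF
20200101000000 2 6 100 6143 5 DEADBEEF
20200101000000 2 6 100 8191 2 DEADBEEF
EOF
    echo "$f"
}
```

On a real server: cp /etc/ssh/moduli /etc/ssh/moduli.bak, then prune_moduli /etc/ssh/moduli /etc/ssh/moduli.safe followed by the same mv as above; smallest_group /etc/ssh/moduli afterwards should report 3071 or more. On the constructed sample the function keeps four groups and drops the 1024-bit and 2048-bit ones.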

Disable SSHv1

Only needed on legacy installations: OpenSSH 7.4 and later no longer support protocol version 1 at all, and newer releases ignore this keyword.

Protocol 2
