# SSH Hardening

If you administer Linux systems you almost certainly use SSH. OpenSSH supports public-key authentication, which lets you drop password logins entirely, and a handful of server settings close off most of the remaining attack surface. The directives below go in the server configuration, normally /etc/ssh/sshd_config; check the file with sshd -t and reload the service after every change.

## Enable Public Key Authentication

```
PubkeyAuthentication yes
```

## Disable Password Authentication

Once key-based logins work for every administrator, turn passwords off so that credential guessing against sshd becomes impossible. On PAM-based systems keyboard-interactive authentication can still prompt for a password, so also set KbdInteractiveAuthentication (ChallengeResponseAuthentication on OpenSSH before 8.7) to no.

```
PasswordAuthentication no
```

## Disable Empty Passwords

Administrators sometimes create accounts with an empty password field, and sshd will accept an empty password for such an account if this option is enabled. OpenSSH's default is already no; set it explicitly so that a distribution default or a later edit cannot reopen it.

```
PermitEmptyPasswords no
```

## Disable Root Login

Log in as an unprivileged user and escalate with sudo so that every privileged action is attributable to a person. If an automated job genuinely must authenticate as root with a key, prohibit-password (the OpenSSH default) permits key-based root login only; no refuses root entirely.

```
PermitRootLogin no
```

## Change the Default SSH Port

Moving sshd off port 22 is obscurity, not security: it only reduces the scanner noise in your logs. The port below is an example; pick a free port on the host and update firewall rules before restarting sshd, or you will lock yourself out.

```
Port 12345
```

## Allow Only Specific Users and Groups

AllowUsers and AllowGroups are allow-lists: as soon as one is set, any account it does not name is refused, and when both are set a login must satisfy both. user1, user2, group1 and group2 below are placeholders.

```
AllowUsers user1 user2
AllowGroups group1 group2
```

## Disable X11 Forwarding

X11 forwarding lets an authenticated user tunnel X11 GUI applications back to their own display over the SSH connection. On a server that does not run graphical programs it is pure attack surface (a hostile program on the server can talk to the user's X server), so turn it off.

```
X11Forwarding no
```

## Disable Gateway Ports

GatewayPorts controls whether remote port forwards requested by a client (ssh -R) may bind to all interfaces instead of loopback only. Leaving it at no stops a user from exposing a forwarded service to the network through the server.

```
GatewayPorts no
```

## Disable PermitUserEnvironment

With environment processing enabled, users can set variables through ~/.ssh/environment and environment= options in authorized_keys. sshd_config(5) warns that this may let users bypass access restrictions in some configurations, for example via LD_PRELOAD, so keep it off.

```
PermitUserEnvironment no
```

## Disable Weak Cryptographic Algorithms

Restrict sshd to modern ciphers, key exchanges and MACs so that CBC modes, RC4, MD5 or SHA-1 MACs and SHA-1 or 1024-bit Diffie-Hellman key exchange can never be negotiated. A reasonable baseline that still accepts AES-128 and CTR mode (curve25519-sha256@libssh.org is the same exchange as curve25519-sha256):

```
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
```

A stricter set that keeps only ChaCha20 and AES-256 and a single MAC family. The MACs line only matters for aes256-ctr; the AEAD ciphers (chacha20-poly1305 and AES-GCM) authenticate their own data and ignore it. After reloading, sshd -T prints the values actually in effect.

```
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
```

> You can list the algorithms a server actually offers with nmap (replace PORT and TARGET):
>
> ```
> nmap -sV --script ssh2-enum-algos -p PORT TARGET
> ```
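
To check that a system actually carries the settings from the sections above, and that no weak cipher, MAC or key exchange slipped into the lists, here is a small POSIX-sh audit script. It is an added example, not part of the original page or of OpenSSH; the function names are mine. It assumes the plain "Keyword value" syntax (not "Keyword=value"), ignores everything after the first Match block because those lines are conditional, and treats an unset directive as a finding so that every value is explicit. The sample configuration inside the block is constructed.

```shell
#!/bin/sh
# Added example (not from the page or OpenSSH): audit an sshd_config against
# the settings in this guide. Assumptions: "Keyword value" syntax, and
# everything after the first "Match" block is conditional and ignored.

# Effective value of a directive: sshd keeps the FIRST occurrence and
# keywords are case-insensitive. Prints nothing if the directive is unset.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        tolower($1) == "match"   { exit }      # stop at conditional blocks
        tolower($1) == key       { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# FAIL if a directive is unset or differs from the hardened value.
check_directive() {
    actual=$(sshd_directive "$1" "$2")
    if [ "$actual" = "$3" ]; then
        printf 'OK   %-22s %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FAIL %-22s got "%s", want "%s"\n' "$2" "${actual:-<unset>}" "$3"
    return 1
}

# FAIL if an algorithm list is unset (sshd would use compiled-in defaults, so
# the policy is not explicit) or contains a name matching the weak pattern.
check_algos() {
    actual=$(sshd_directive "$1" "$2")
    if [ -z "$actual" ]; then
        printf 'FAIL %-22s unset (using sshd defaults)\n' "$2"
        return 1
    fi
    weak=$(printf '%s\n' "$actual" | tr ',' '\n' | grep -E -i "$3" | tr '\n' ' ')
    if [ -n "$weak" ]; then
        printf 'FAIL %-22s weak: %s\n' "$2" "$weak"
        return 1
    fi
    printf 'OK   %-22s %s\n' "$2" "$actual"
}

# Run every check from this guide; the return code is the number of failures.
audit_sshd_config() {
    fails=0
    for pair in PubkeyAuthentication:yes PasswordAuthentication:no \
                PermitEmptyPasswords:no PermitRootLogin:no X11Forwarding:no \
                GatewayPorts:no PermitUserEnvironment:no
    do
        check_directive "$1" "${pair%%:*}" "${pair#*:}" || fails=$((fails + 1))
    done
    # Weak-name patterns: CBC modes, RC4 and 3DES; MD5, SHA-1 and 64-bit
    # UMAC MACs; any SHA-1 based key exchange (this also covers group1).
    check_algos "$1" Ciphers       'cbc|arcfour|3des' || fails=$((fails + 1))
    check_algos "$1" MACs          'md5|sha1|umac-64' || fails=$((fails + 1))
    check_algos "$1" KexAlgorithms 'sha1'             || fails=$((fails + 1))
    return "$fails"
}

# Demo on a constructed config: weak settings plus a Match block whose
# "PasswordAuthentication no" must NOT satisfy the global check.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
Ciphers aes256-ctr,aes128-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-md5
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$cfg" || echo "$? finding(s)"
rm -f "$cfg"
```

Point audit_sshd_config at /etc/ssh/sshd_config, or better at the output of sshd -T, which prints the fully resolved configuration (one lowercase keyword per line, after Include processing) so that unset directives show their actual defaults instead of being reported as unset.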

## Regenerate Host Keys

Distribution images and cloned VMs often ship with host keys that are shared between machines or were generated with weak parameters. Remove them, generate a fresh 4096-bit RSA key and an Ed25519 key, and restart sshd. Every client that has connected before will see a "host key has changed" warning, so publish the new fingerprints (ssh-keygen -lf on the .pub files) out of band before you do this.

```
# remove every existing host key pair (run as root)
rm /etc/ssh/ssh_host_*
# generate replacements without a passphrase; sshd must read them unattended
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
```

## Disable DSA and ECDSA Host Keys

With only RSA and Ed25519 keys generated, comment out (or remove) the HostKey lines for the types you no longer offer. DSA keys are limited to 1024 bits and have been disabled by default since OpenSSH 7.0; ECDSA is dropped here in favour of Ed25519. Keep explicit HostKey lines for the RSA and Ed25519 keys: if no HostKey line is set at all, sshd falls back to its built-in default list, which includes the ECDSA path.

```
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
```

## Disable Small Diffie-Hellman Key Sizes

The diffie-hellman-group-exchange key exchange picks its group from /etc/ssh/moduli. Field 5 of that file is the prime size in bits minus one, so keeping only lines with a value of at least 3071 leaves 3072-bit and larger groups. Check that the filtered file is not empty before installing it; if your distribution shipped only smaller groups, generate and screen new ones with ssh-keygen (the -M generate and -M screen modes in current releases) instead of installing an empty file.

```
# keep only groups of 3072 bits or more (field 5 = size - 1)
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
# only after confirming moduli.safe is not empty
mv /etc/ssh/moduli.safe /etc/ssh/moduli
```
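
The filter above can leave you with an empty moduli file when the distribution shipped only 2048-bit groups, and a blind mv then installs it. The script below is an added example, not part of the page or of OpenSSH: it reports the group sizes present, keeps only groups at or above the chosen size field, and refuses to replace the file when nothing survives. The function names and the three-line sample moduli file (with fake hex) are mine.

```shell
#!/bin/sh
# Added example (not from the page or OpenSSH): a safer version of the awk
# filter above. Field 5 of moduli(5) is the prime size in bits minus one, so
# "3071" keeps 3072-bit groups and larger. Nothing is installed if the
# filtered result would be empty.

# Print how many groups of each size (in bits) a moduli file contains.
moduli_sizes() {
    awk '!/^[ \t]*#/ && NF >= 7 { print $5 + 1 }' "$1" | sort -n | uniq -c
}

# filter_moduli IN OUT MIN: write the groups whose size field is >= MIN to
# OUT and print how many were kept. Returns 1 and writes nothing if none are.
filter_moduli() {
    awk -v min="$3" '
        /^[ \t]*#/ || NF < 7 { next }    # comments and malformed lines
        $5 + 0 >= min        { print }
    ' "$1" > "$2.tmp"
    kept=$(wc -l < "$2.tmp" | tr -d ' ')
    if [ "$kept" -eq 0 ]; then
        rm -f "$2.tmp"
        echo "no moduli with size field >= $3; keeping the old file" >&2
        return 1
    fi
    mv "$2.tmp" "$2"
    echo "$kept"
}

# Demo on a constructed moduli file (the modulus column is fake hex).
d=$(mktemp -d)
cat > "$d/moduli" <<'EOF'
# constructed sample, not real primes
20240101000000 2 6 100 2047 2 ffffffffffffffff
20240101000000 2 6 100 3071 2 ffffffffffffffff
20240101000000 2 6 100 4095 5 ffffffffffffffff
EOF
echo "before:"; moduli_sizes "$d/moduli"
filter_moduli "$d/moduli" "$d/moduli.safe" 3071 >/dev/null
echo "after:";  moduli_sizes "$d/moduli.safe"
rm -rf "$d"
```

On a real host run moduli_sizes /etc/ssh/moduli first, then filter_moduli /etc/ssh/moduli /etc/ssh/moduli.new 3071 as root and move the result into place only when it reports a non-zero count.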

## Disable SSHv1

Protocol version 1 is broken and must never be offered. OpenSSH removed server-side SSHv1 support in 7.4, and current releases accept the Protocol keyword only as an ignored legacy option, so this line is harmless on new systems and essential on any server still running an older OpenSSH.

```
Protocol 2
```

