Secure SSH Server
Securing an SSH server on a Linux system can be a simple task or a pain in the ass. Today I will show you how to secure an SSH server; the focus here isn't explaining what the SSH protocol is, but how it can be configured securely.
SSH is the most used protocol to access remote hosts over the internet. It provides a secure channel between client and server and can use different types of authentication and tunneling mechanisms. The SSH server listens on TCP port 22 by default and has a generic configuration file that allows a lot of integrations with other services.
Today I will show how to secure an SSH server by implementing network security best practices.
Manage SSHD Service
The SSH daemon can be managed by systemd, as on most Linux servers; here I list some basic actions to manage the service.
Verify SSH Server status.
systemctl status sshd
Start SSH server service.
systemctl start sshd
Enable on Boot
Enable SSH server to start on boot:
systemctl enable sshd
Hardening SSH Server Config
The SSH server can be installed by downloading the package or by using your system's package manager; installing SSH isn't in the scope of this tutorial. But I can recommend a few things to help you choose the best solution for you.
Using the package manager can be a fast way to install the service, but do you trust the company that maintains the package? If you are using a Red Hat system with the official repos you may feel more comfortable; even so, you can't guarantee the package wasn't changed beforehand.
The other option is compiling directly from source and verifying the release hash to guarantee it wasn't tampered with by anyone.
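As an added example (not part of the original post), here is the hash check that belongs before a source build: it compares a downloaded file against the SHA-256 digest the project published. The sample file and its digest are constructed for the demo; for a real release the digest comes from the project's release announcement or signed checksum file, fetched separately from the tarball itself.

```shell
#!/bin/sh
# Added example, not part of the original post: check a downloaded source
# tarball against its published SHA-256 digest before building. The sample
# file and digest below are constructed stand-ins.

# sha256_of FILE: print the hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release FILE EXPECTED: 0 when the digest matches, 1 otherwise
# (the comparison is case-insensitive, since published digests vary in case)
verify_release() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the expected SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# make_sample_release: constructed stand-in for a downloaded tarball; its
# SHA-256 is the well-known digest of the text "hello" followed by a newline.
make_sample_release() {
    f=$(mktemp)
    printf 'hello\n' > "$f"
    echo "$f"
}
SAMPLE_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Run with --demo to see one matching and one failing check.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_release)
    verify_release "$f" "$SAMPLE_SHA256"
    verify_release "$f" 0000000000000000000000000000000000000000000000000000000000000000
fi
```

A digest only proves the file matches what the download page says; when the project also publishes a detached signature, verifying it covers the case where the page itself was altered.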
Keep SSH Server Secure
Always update your SSH server and disable the service features you don't use.
yum update openssh-server
Verify SSH Version
In order to verify the server version run the command as root:
Secure SSH Server files of interest
The SSHD service is configured in a specific file; this file has all the server settings used to configure and secure our box. There are other files used by the service, but I will describe them later.
Disable SSH v1
Open the sshd config file and ensure that only the number two is defined as the 'Protocol' value. Many systems have already removed support for SSH v1, but many still support it. Red Hat removed support for SSH v1 in RHEL 7.4.
Disable SSH X Forwarding
SSH X forwarding can be very useful for administering GUI applications remotely, but it is recommended to disable it because most SSH exploits target the X Window System. Only use the X Window System over SSH in a closed environment.
Change SSH Server Port
Changing the SSH server port is a good security practice to avoid automated scans that target the most common service ports. In order to change the server port, edit the sshd config file and change the Port setting.
Check SSH_Config Permissions
ls -la /etc/ssh/ssh_config
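The edits in the sections above (Protocol 2, X11Forwarding no, a new Port) and the PermitEmptyPasswords and PermitRootLogin settings further down are all the same operation: change one directive in sshd_config without leaving the old or commented-out line behind. The script below is an added example, not the post's own script; it assumes GNU sed (for -i, -E and the I flag), uses a constructed sample config, and the port 2222 is an arbitrary placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: set sshd_config directives
# idempotently, rewriting existing or commented-out lines instead of
# appending duplicates. Assumes GNU sed. The sample config is constructed;
# point harden_file at /etc/ssh/sshd_config for real use (and back it up first).

# set_sshd_option FILE KEY VALUE
# Rewrites every active or commented line that starts with KEY to "KEY VALUE";
# appends the directive when the file has no such line. sshd honours the first
# occurrence, so repeated identical lines are harmless, but a prose comment
# that happens to begin with KEY is rewritten too: review the diff afterwards.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -qiE "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Prints the effective value: the first active (uncommented) occurrence.
get_sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# harden_file FILE: apply the settings discussed in this post.
harden_file() {
    set_sshd_option "$1" Protocol 2               # drop SSH v1
    set_sshd_option "$1" X11Forwarding no         # no X forwarding
    set_sshd_option "$1" Port 2222                # non-default port (placeholder value)
    set_sshd_option "$1" PermitEmptyPasswords no  # no passwordless accounts
    set_sshd_option "$1" PermitRootLogin no       # no remote root login
}

# make_sample_config: write a constructed sshd_config to a temp file, print its path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample sshd_config (not a real server's file)
#Port 22
Protocol 2,1
X11Forwarding yes
#PermitEmptyPasswords no
EOF
    echo "$f"
}

# Run with --demo to see the sample config before and after hardening.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_config)
    cat "$f"; echo '--- after harden_file ---'
    harden_file "$f"
    cat "$f"
fi
```

After editing the real file, run sshd -t to syntax-check it and keep your current session open while you test a new connection on the new port, so a mistake does not lock you out.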
Change SSH Server Banner
Disable Batch Mode
Disable SSH Empty Passwords
Not only for SSH but for all protocols, it is strongly advised to disable all users without passwords; the SSH server is smart enough to detect users without passwords and not let them log in.
To achieve this
Setup SSH Server Idle Timeout
Configure SeLinux for SSHd
Optimize SSH Server Logs
The SSH server logs can be found at /var/log/sshd unless they were configured to go to another folder.
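Logs are only useful if something reads them. As an added example (not part of the original post), the script below summarises failed password attempts per source address and lists successful logins from sshd syslog lines. The lines are constructed samples in the format sshd emits through syslog; on most distributions they land in /var/log/secure (RHEL family), /var/log/auth.log (Debian/Ubuntu) or the journal (journalctl -u sshd), and with LogLevel VERBOSE the Accepted line also carries the key fingerprint, as in the sample.

```shell
#!/bin/sh
# Added example, not part of the original post: triage sshd log lines.
# SAMPLE_LOG is constructed; feed real lines on stdin, e.g.
#   failed_logins_by_ip < /var/log/secure

SAMPLE_LOG='Mar  3 10:01:02 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar  3 10:01:04 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51236 ssh2
Mar  3 10:01:07 host1 sshd[1203]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar  3 10:02:11 host1 sshd[1210]: Accepted publickey for deploy from 192.0.2.25 port 40022 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:03:30 host1 sshd[1215]: Failed password for invalid user test from 198.51.100.7 port 60011 ssh2
Mar  3 10:03:31 host1 sshd[1215]: Connection closed by invalid user test 198.51.100.7 port 60011 [preauth]'

# failed_logins_by_ip: read sshd lines on stdin, print "count ip" per source
# address with failed password attempts, most frequent first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# ips_over_threshold N: source addresses with at least N failures (stdin)
ips_over_threshold() {
    failed_logins_by_ip | awk -v n="$1" '$1 >= n { print $2 }'
}

# accepted_logins: print "method user ip" for each successful login (stdin)
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i-3), $(i-1), $(i+1)
        }'
}

# Run with --demo to process the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo 'failed password attempts by source:'
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
    echo 'sources with 3 or more failures:'
    printf '%s\n' "$SAMPLE_LOG" | ips_over_threshold 3
    echo 'accepted logins:'
    printf '%s\n' "$SAMPLE_LOG" | accepted_logins
fi
```

The threshold list is what you would feed to a blocklist or an alert; the accepted-logins list is the one to reconcile against the accounts and keys you expect to see.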
Turn Off IPv6
SSH Secure Authentication
Disable SSH Server Remote Root Login
Disable Weak MAC Algorithms
Open the /etc/ssh/sshd_config
Find the MACs option and add the following:
macs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected]
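The list above still keeps hmac-sha1 and hmac-ripemd160, which you may need for old clients; if you don't, an audit should flag them. As an added example (not the post's own script), the check below reads the effective MACs line from a constructed sshd_config fragment and partitions it. The weak set is this example's assumption: MD5- and SHA-1-based MACs, RIPEMD-160 and the truncated -96 variants.

```shell
#!/bin/sh
# Added example, not part of the original post: list the MACs an sshd_config
# enables and flag the ones treated here as weak. The config fragment is
# constructed; run the functions against /etc/ssh/sshd_config for real use.

SAMPLE_CONFIG='# constructed sshd_config fragment
Protocol 2
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-md5-96,umac-128-etm@openssh.com'

# write_sample_config: store the fragment in a temp file, print its path
write_sample_config() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$f"
    echo "$f"
}

# is_weak_mac NAME: 0 if NAME falls in the weak set assumed above
is_weak_mac() {
    case "$1" in
        *md5*|*sha1*|*ripemd160*|*-96*) return 0 ;;
        *) return 1 ;;
    esac
}

# configured_macs FILE: MACs from the first active "MACs" line, one per line
configured_macs() {
    awk '/^[[:space:]]*#/ { next }
         tolower($1) == "macs" { print $2; exit }' "$1" | tr ',' '\n'
}

# weak_macs FILE / strong_macs FILE: partition the configured list
weak_macs() {
    configured_macs "$1" | while IFS= read -r m; do
        if is_weak_mac "$m"; then echo "$m"; fi
    done
}
strong_macs() {
    configured_macs "$1" | while IFS= read -r m; do
        if ! is_weak_mac "$m"; then echo "$m"; fi
    done
}

# audit_macs FILE: report; return 0 when nothing weak is enabled, 1 otherwise
audit_macs() {
    weak=$(weak_macs "$1")
    if [ -z "$weak" ]; then
        echo "OK: no weak MACs enabled in $1"
        return 0
    fi
    echo "WARN: weak MACs enabled in $1:" >&2
    printf '  %s\n' $weak >&2
    echo "Suggested line: MACs $(strong_macs "$1" | paste -sd, -)"
    return 1
}

# Run with --demo to audit the constructed fragment.
if [ "${1:-}" = "--demo" ]; then
    f=$(write_sample_config)
    audit_macs "$f"
fi
```

To compare the list against what the installed OpenSSH actually supports, ssh -Q mac prints the supported MAC names, and sshd -T prints the effective server configuration including the MACs line sshd will really use.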
Hardening SSH Client Config
You can do it by hand or use My Optimize Script
SSH exploits can be very dangerous. The SSH protocol, as we know, is used to access remote servers, encrypting all the data between client and server. An SSH exploit can compromise an entire company's infrastructure when used by malicious hackers.
Securing or hardening an SSH server can be done by following some security standards.
Do you have any other configuration to add to this guide?
Leave it in the comments!