SSH has been around for some time now. But when you install SSH on your favourite OS, it comes with a bunch of defaults enabled which aren’t great. It’s easy today to make SSH just a little bit more secure.
The first and easiest change you can make to your SSH install is to disable password logins. Make sure you can log in to your server with some keys before going ahead!
Now lets make an edit to the
/etc/ssh/sshd_config file. Search for the
KbdInteractiveAuthentication line and change the value to
no. In a lot of guides, you will see this key named
ChallengeResponseAuthentication. This name is a deprecated alias. What this will do is disable keyboard-interactive authentication. I think we can all agree that the new name covers the meaning much better.
Next, find the key
PasswordAuthentication. Again, the default value is
yes, but we’ll be setting it to
The above changes to your SSH daemon disable password authentication. Don’t forget to restart the daemon with something like
systemctl reload sshd.service.
Using keys is safer because it is much harder to lose a key than a password. In addition, a key has a lot more entropy. So with this change, you are already ahead of the pack! Good job.
Remove weak prime numbers
The following change is removing insecure moduli. I think ‘insecure’ is too strong of a word to use since these moduli are not shown to be insecure, but the expectation is that they will soon. The client and the server use these moduli to negotiate a secure key. In theory, by removing smaller moduli, it could be that the client and server can not come to an agreement, and a secure connection can not be established. Here’s a bunch of magic you need to execute:
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe mv /etc/ssh/moduli.safe /etc/ssh/moduli
So what is happening here? The
mv command is easy. The first command looks for lines in
/etc/ssh/moduli, which on the fifth line have a value bigger than 3071 and writes those in the
Allow strong cyphers only
In a similar vein, we are going to allow only the super-secure cyphers.
Create a new file
/etc/ssh/sshd_config.d/ssh_hardening.conf. Add the following to the file:
KexAlgorithms curve25519-sha256,email@example.com,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 Ciphers firstname.lastname@example.org,email@example.com,firstname.lastname@example.org,aes256-ctr,aes192-ctr,aes128-ctr MACs email@example.com,firstname.lastname@example.org,email@example.com HostKeyAlgorithms ssh-ed25519,firstname.lastname@example.org,email@example.com,firstname.lastname@example.org,rsa-sha2-256,rsa-sha2-512,email@example.com,firstname.lastname@example.org
That’s a mouthful. This effectively restricts SSH to use only MAC’s, cyphers, and key exchange algorithms, which people way more intelligent than I deem secure.
Note that you need to load this file in your
sshd_config file. That isn’t always standard, so better to check. The file should have a line like
Include /etc/ssh/sshd_config.d/*.conf. If it doesn’t, add it!
Obviously, I didn’t come up with all these changes. The credit goes to the authors of SSH Audit and various other sources out there. Do visit their site, as they have a neat scanner to determine if your SSH daemon is up to snuff!
Often you will read people recommend that you change the port SSH is listening on. Of course, this doesn’t make it more secure. But what it does do is that these annoying scanners stop filling up your logs.
Disallowing root login is also frequently recommended. I believe this has limited merit in our current landscape since 95% of the time, the user you log in with has sudo privileges. Then it adds no extra security. But you should really judge this for your own situation.
Don’t forget to reload that secure beast of an SSH daemon after these changes!