This article was written under the influence of the much-respected expert Anton Tsvet.
This article is intended for those who already understand that simply turning on a server and running a program on it is not a difficult task. However, making that program secure and resilient against external attacks in production is a challenge of an entirely different level. Here we’ll talk about SSH security and how to protect your server from potential threats.
Proper SSH configuration
First of all, /etc/ssh/sshd_config and /etc/ssh/ssh_config are different files.
The file /etc/ssh/sshd_config is responsible for configuring the ssh server so that one can connect TO that server.
The file /etc/ssh/ssh_config (or ~/.ssh/config) on your personal computer, on the other hand, governs which parameters YOU want to use when connecting to a server.
- You can use ansible to verify a correct configuration from here.
- Use ED25519 SSH keys.
- Disable password access.
- Limit the number of login attempts**:** Use the
MaxAuthTriesparameter. - Disable root access.
- Create an sshusers group.
- Create separate users from the keys in /root/.ssh/authorized_keys.
- Add the created users to the sshusers group.
- In the config /etc/ssh/sshd_config add
AllowGroup sshusers.
- The resulting config file:
########## Binding ##########
# SSH server listening address and port
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
# only listen to IPv4
#AddressFamily inet
# only listen to IPv6
#AddressFamily inet6
########## Features ##########
# accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# disallow ssh-agent forwarding to prevent lateral movement
AllowAgentForwarding no
# prevent TCP ports from being forwarded over SSH tunnels
# **please be aware that disabling TCP forwarding does not prevent port forwarding**
# any user with an interactive login shell can spin up his/her own instance of sshd
AllowTcpForwarding no
# prevent StreamLocal (Unix-domain socket) forwarding
AllowStreamLocalForwarding no
# disables all forwarding features
# overrides all other forwarding switches
DisableForwarding yes
# disallow remote hosts from connecting to forwarded ports
# i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
GatewayPorts no
# prevent tun device forwarding
PermitTunnel no
# suppress MOTD
PrintMotd no
# disable X11 forwarding since it is not necessary
X11Forwarding no
########## Authentication ##########
# permit only the specified users to login
# AllowUsers sshtunnel
# permit only users within the specified groups to login
AllowGroups sshusers
# uncomment the following options to permit only pubkey authentication
# be aware that this will disable password authentication
# - AuthenticationMethods: permitted authentication methods
# - PasswordAuthentication: set to no to disable password authentication
# - UsePAM: set to no to disable all PAM authentication, also disables PasswordAuthentication when set to no
#AuthenticationMethods publickey
PasswordAuthentication no
# PAM authentication enabled to make password authentication available
# remove this if password authentication is not needed
UsePAM no
# challenge-response authentication backend it not configured by default
# therefore, it is set to "no" by default to avoid the use of an unconfigured backend
ChallengeResponseAuthentication no
# set maximum authenticaion retries to prevent brute force attacks
MaxAuthTries 3
# disallow connecting using empty passwords
PermitEmptyPasswords no
# prevent root from being logged in via SSH
PermitRootLogin no
# enable pubkey authentication
PubkeyAuthentication yes
########## Cryptography ##########
# explicitly define cryptography algorithms to avoid the use of weak algorithms
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
# short moduli should be deactivated before enabling the use of diffie-hellman-group-exchange-sha256
# see this link for more details: https://github.com/k4yt3x/sshd_config#deactivating-short-diffie-hellman-moduli
#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256
#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,sntrup761x25519-sha512@openssh.com
########## Connection Preferences ##########
# number of client alive messages sent without client responding
ClientAliveCountMax 2
# send a keepalive message to the client when the session has been idle for 300 seconds
# this prevents/detects connection timeouts
ClientAliveInterval 300
# compression before encryption might cause security issues
Compression no
# prevent SSH trust relationships from allowing lateral movements
IgnoreRhosts yes
# log verbosely for addtional information
LogLevel VERBOSE
# allow a maximum of two multiplexed sessions over a single TCP connection
MaxSessions 2
# enforce SSH server to only use SSH protocol version 2
# SSHv1 contains security issues and should be avoided at all costs
# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
# specified anyways to ensure this configuration file's compatibility
# with older versions of OpenSSH server
Protocol 2
# override default of no subsystems
# path to the sftp-server binary depends on your distribution
#Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# let ClientAliveInterval handle keepalive
TCPKeepAlive no
# disable reverse DNS lookups
UseDNS no
# allow scanners to login via password
Match User scanners
PasswordAuthentication yes/etc/ssh/sshd_config
Sources: