10 steps to properly secure SSH server

2022-05-15
Mirsad

SSH is a secure, encrypted replacement for common login services such as telnet, ftp, rlogin, rsh, and rcp. It is strongly recommended that sites abandon older clear-text login protocols and use SSH to prevent session hijacking and sniffing of sensitive data off the network.

Before you start configuring SSH, you need to generate keys as described here.

1. Ensure permissions are configured

stat /etc/ssh/sshd_config

Run the following commands to set ownership and permissions on /etc/ssh/sshd_config:

chown root:root /etc/ssh/sshd_config

chmod og-rwx /etc/ssh/sshd_config

2. Ensure SSH LogLevel is appropriate

Description:

INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments.

sshd -T | grep loglevel

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

LogLevel VERBOSE

3. Ensure SSH X11 forwarding is disabled

Description:

The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

X11Forwarding no

4. Ensure SSH MaxAuthTries is set to 4 or less

Description:

The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

MaxAuthTries 4

5. Ensure SSH root login is disabled

Description:

The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no.

Rationale:

Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalate to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident.

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

PermitRootLogin no

6. Disable Empty Passwords

Description:

The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings.

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

PermitEmptyPasswords no

7. Ensure SSH access is limited

Description:

There are several options available to limit which users and groups can access the system via SSH. It is recommended that at least one of the following options be leveraged:

AllowUsers

The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host.

AllowGroups

The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable.

DenyUsers

The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host.

DenyGroups

The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable.

Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows:

AllowUsers
AllowGroups
DenyUsers
DenyGroups

8. Ensure SSH access is firewalled

We recommend restricting SSH access to specific IP addresses with a firewall. The more secure option is a separate hardware firewall in front of the server. If that is not the case, you can use any firewall application.

If you use iptables, add rules as follows:

iptables -A INPUT -p tcp -s 12.34.56.78/16 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j REJECT

Or if you use UFW:

sudo ufw allow from 123.123.123.123 to any port 22 proto tcp

9. Ensure SSH AllowTcpForwarding is disabled

Description:

SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines.

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

AllowTcpForwarding no

10. Use only strong ciphers

Description:

This variable limits the ciphers that SSH can use during communication.

Rationale:

Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.

Run the following command and verify that output does not contain any of the listed weak ciphers:

sshd -T | grep ciphers

Check if your SSH version contains any weak ciphers. If you want to define only strong ciphers you can modify /etc/ssh/sshd_config:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
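
The values set in steps 2 to 7, 9 and 10 can be checked in one pass over the effective configuration that sshd -T prints. The script below is an added example, not part of the original article; the function names audit_sshd and sample_config and the sample output are constructed for illustration.

```shell
# Added example: checks `sshd -T` output (stdin) against steps 2-7, 9 and 10.
# Prints one FAIL line per deviation; exit status is the number of findings.
audit_sshd() {
    awk '
    function fail(msg) { print "FAIL: " msg; fails++ }
    BEGIN {
        # Values this page sets for the single-valued options (lowercased).
        want["loglevel"] = "verbose"
        want["x11forwarding"] = "no"
        want["permitrootlogin"] = "no"
        want["permitemptypasswords"] = "no"
        want["allowtcpforwarding"] = "no"
        # Cipher allow-list from step 10.
        list = "chacha20-poly1305@openssh.com aes256-gcm@openssh.com"
        list = list " aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"
        n = split(list, ok, " ")
        for (i = 1; i <= n; i++) strong[ok[i]] = 1
    }
    { key = tolower($1); seen[key] = 1 }
    (key in want) && tolower($2) != want[key] { fail(key " is " $2 ", expected " want[key]) }
    key == "maxauthtries" && $2 + 0 > 4 { fail("maxauthtries is " $2 ", expected 4 or less") }
    key == "ciphers" {
        m = split($2, c, ",")
        for (i = 1; i <= m; i++) if (!(c[i] in strong)) fail("cipher not on allow-list: " c[i])
    }
    # Step 7: at least one of the four access-limiting options must be present.
    key ~ /^(allow|deny)(users|groups)$/ { limited = 1 }
    END {
        for (k in want) if (!(k in seen)) fail(k " not reported")
        if (!limited) fail("no AllowUsers/AllowGroups/DenyUsers/DenyGroups set")
        exit fails + 0
    }'
}

# Constructed sample of `sshd -T` output, not taken from a real host.
sample_config() {
    cat <<'EOF'
loglevel INFO
x11forwarding yes
maxauthtries 6
permitrootlogin no
permitemptypasswords no
allowtcpforwarding no
ciphers chacha20-poly1305@openssh.com,aes128-cbc,aes256-ctr
EOF
}

sample_config | audit_sshd || echo "$? finding(s)"
```

On a real host, run sshd -T | audit_sshd as root after editing /etc/ssh/sshd_config.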

If you have any further questions please feel free to contact us or leave a comment on our Twitter page.
