SSH is a secure, encrypted replacement for common login services such as telnet, ftp, rlogin, rsh, and rcp. It is strongly recommended that sites abandon older clear-text login protocols and use SSH to prevent session hijacking and sniffing of sensitive data off the network.
Before you start configuring SSH, you need to generate keys as described here.
Run the following command to check the current ownership and permissions on /etc/ssh/sshd_config:
stat /etc/ssh/sshd_config
Run the following commands to set ownership and permissions on /etc/ssh/sshd_config:
chown root:root /etc/ssh/sshd_config
chmod og-rwx /etc/ssh/sshd_config
Description:
INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.
VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments.
Run the following command to check the effective setting:
sshd -T | grep loglevel
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
LogLevel VERBOSE
Description:
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
X11Forwarding no
Description:
The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
MaxAuthTries 4
Description:
The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no.
Rationale:
Disallowing root logins over SSH requires system admins to authenticate using their own individual account and then escalate to root via sudo or su. This in turn supports non-repudiation and provides a clear audit trail in the event of a security incident.
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitRootLogin no
Description:
The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings.
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
PermitEmptyPasswords no
Description:
There are several options available to limit which users and groups can access the system via SSH. It is recommended that at least one of the following options be leveraged:
AllowUsers
The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host.
AllowGroups
The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable.
DenyUsers
The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of space separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host.
DenyGroups
The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of space separated group names. Numeric group IDs are not recognized with this variable.
Edit the /etc/ssh/sshd_config file to set one or more of the parameters as follows (replace the placeholders with your own space-separated lists):
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>
We recommend restricting SSH access to specific IP addresses with a firewall. The more secure option is a separate hardware firewall in front of the server; if that is not available, any host-based firewall application will do.
If you use iptables, add rules like the following (replace the source address with your own management network):
iptables -A INPUT -p tcp -s 12.34.56.78/16 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j REJECT
Or, if you use UFW:
sudo ufw allow from 123.123.123.123 to any port 22 proto tcp
Description:
SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network from their home machines.
Edit the /etc/ssh/sshd_config file to set the parameter as follows:
AllowTcpForwarding no
Description:
This parameter limits the ciphers that SSH can use during communication.
Rationale:
Weak ciphers that are used for authentication to the cryptographic module cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
Run the following command and verify that the output does not contain weak ciphers:
sshd -T | grep ciphers
Check whether your SSH version offers any weak ciphers. To allow only strong ciphers, set the following in /etc/ssh/sshd_config:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
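The checks above (LogLevel, X11Forwarding, MaxAuthTries, PermitRootLogin, PermitEmptyPasswords, AllowTcpForwarding and the cipher list) can be audited in one pass over the effective configuration that sshd -T prints. The script below is an added example, not part of the original guide; it assumes the "keyword value" output format of sshd -T (keywords in lowercase) and uses the strong cipher list from this guide as its allowlist. The two sample configurations are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example: audit "sshd -T" output against this guide's settings.
# Usage on a real host: audit_sshd "$(sshd -T)"
# Returns the number of failed checks (0 means everything matched).
audit_sshd() {
  cfg=$1
  fails=0
  # Value of one keyword as printed by sshd -T (first match wins).
  get() { printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { print $2; exit }'; }

  # Settings that must match exactly.
  for pair in 'loglevel VERBOSE' 'x11forwarding no' 'permitrootlogin no' \
              'permitemptypasswords no' 'allowtcpforwarding no'; do
    key=${pair%% *}; want=${pair#* }; got=$(get "$key")
    if [ "$got" = "$want" ]; then echo "PASS $key $got"
    else echo "FAIL $key ${got:-<unset>} (want $want)"; fails=$((fails + 1)); fi
  done

  # MaxAuthTries: 4 or fewer.
  got=$(get maxauthtries)
  if [ -n "$got" ] && [ "$got" -le 4 ]; then echo "PASS maxauthtries $got"
  else echo "FAIL maxauthtries ${got:-<unset>} (want <= 4)"; fails=$((fails + 1)); fi

  # Ciphers: every offered cipher must be in the guide's strong list.
  strong='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
  for c in $(get ciphers | tr ',' ' '); do
    case ",$strong," in
      *",$c,"*) ;;
      *) echo "FAIL cipher $c not in strong list"; fails=$((fails + 1)) ;;
    esac
  done
  return "$fails"
}

# Constructed sample (sshd -T format, relevant keywords only): fully hardened.
HARDENED='loglevel VERBOSE
x11forwarding no
maxauthtries 4
permitrootlogin no
permitemptypasswords no
allowtcpforwarding no
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr'

# Constructed sample of an untuned server: loglevel, permitrootlogin,
# maxauthtries and one CBC cipher should fail (4 failures).
UNTUNED='loglevel INFO
x11forwarding no
maxauthtries 6
permitrootlogin prohibit-password
permitemptypasswords no
allowtcpforwarding no
ciphers aes128-ctr,aes256-ctr,aes128-cbc'

audit_sshd "$UNTUNED"; echo "failed checks: $?"
```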
If you have any further questions please feel free to contact us or leave a comment on our Twitter page.