Configure Hardened SSH Server
Once installed, SSH is a prime target for penetration attempts. Hence, one must harden the server so that it resists unwanted intrusion. This section guides you on how to harden the SSH server.
Listen to Specific Interface
Since SSH is a critical network service, it should listen only on the single interface it is meant to serve. There are several ways to do this.
Using hosts.allow and hosts.deny
You can use /etc/hosts.allow and /etc/hosts.deny to strictly control incoming traffic. Note that this only works when sshd is built with TCP wrappers (libwrap) support; upstream OpenSSH removed that support in version 6.7 and only some distributions patched it back in, so verify your build before relying on it.
In /etc/hosts.deny, add the following to block all connections:
sshd : ALL
Then, in /etc/hosts.allow, add each permitted IP address or address pattern:
sshd : IP-Address1, IP-Address2, IP-Address3
sshd : 33.*.*.*
sshd : 66.66.*.*
Using /etc/ssh/sshd_config ListenAddress Keyword
Inside /etc/ssh/sshd_config, look for the ListenAddress keyword, which lists the local addresses sshd binds to. sshd then accepts connections only on those addresses, so anything arriving on another interface of the host is filtered out before it can reach the SSH server.
ListenAddress 192.168.0.1
ListenAddress 192.168.0.2
ListenAddress 192.168.0.X
Avoid the Standard SSH Port
Another security measure (security by obscurity) is not to use the standard port 22. This forces an attacker to scan all ports to find the actual one, which shakes off opportunistic scanners but does not stop a determined one, so it complements the settings below rather than replacing them. To change the port, edit /etc/ssh/sshd_config, locate the Port keyword and change it to another number. Example:
Port 43594
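The guide repeats the same procedure for every keyword: open /etc/ssh/sshd_config, find the keyword, set the value. The script below is an added example, not part of the original guide, that performs that step idempotently on a scratch copy of the file and leaves the result in a state sshd will actually honour. It assumes keywords are separated from their values by whitespace, and it knows that everything after a Match line belongs to that block, so a new global setting is inserted before the first Match rather than appended blindly at the end. The sample configuration is constructed.

```shell
#!/bin/sh
# Added example: idempotent "set keyword" helper for sshd_config-style files.
# Not taken from the original guide; sample config below is constructed.
set -u

# set_sshd_option FILE KEYWORD VALUE
# Rewrites the first global occurrence of KEYWORD (active or commented out) to
# "KEYWORD VALUE", comments out any later global duplicate (sshd keeps the first
# value it reads, so a silent duplicate would win otherwise) and, if the keyword
# is absent, inserts the line before the first Match block or at the end.
# A comment that merely begins with the keyword is rewritten as well.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        function first_word(s) {
            sub(/^[ \t]*#?[ \t]*/, "", s)      # drop indentation and a leading "#"
            split(s, parts, /[ \t=]+/)
            return tolower(parts[1])
        }
        {
            comment = ($0 ~ /^[ \t]*#/)
            word = first_word($0)
            if (!comment && word == "match") {       # global section ends here
                in_match = 1
                if (!done) { print key " " value; done = 1 }
            }
            if (!in_match && word == tolower(key)) {
                if (!done) { print key " " value; done = 1 } else { print "# " $0 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEYWORD -> the effective global value (first active line)
get_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# validate_sshd_config FILE: let sshd check the syntax before anything is reloaded
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"                        # non-zero exit means a bad directive
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# Constructed sample, not a real server's configuration
demo_file="${TMPDIR:-/tmp}/sshd_config.demo.$$"
trap 'rm -f "$demo_file"' EXIT
cat > "$demo_file" <<'EOF'
# constructed sample, not a real server's configuration
#Port 22
ListenAddress 192.168.0.1
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF

set_sshd_option "$demo_file" Port 43594                 # replaces the "#Port 22" line
set_sshd_option "$demo_file" PermitRootLogin no         # rewrites the active "yes"
set_sshd_option "$demo_file" PasswordAuthentication no  # absent: lands above "Match"
cat "$demo_file"
# On a real host: validate_sshd_config /etc/ssh/sshd_config, then reload sshd
```

Run `validate_sshd_config` on the real file before reloading the service: a typo in sshd_config that is only discovered at restart can lock you out of a remote machine, and `sshd -t` catches it while the running daemon is still serving connections.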
Brain-Dead Configurations
These are important settings whose permissive defaults exist for historical reasons; they should be configured in every case.
Prohibit Root Account Login
This is brain-dead: the root account should never log in directly via SSH. To disable such logins, edit /etc/ssh/sshd_config, locate the PermitRootLogin keyword and set it to no explicitly.
PermitRootLogin no
Prohibit Empty Password Login
This is brain-dead: empty passwords should not be permitted at all. To disable such logins, edit /etc/ssh/sshd_config, locate the PermitEmptyPasswords keyword and set it to no explicitly.
PermitEmptyPasswords no
SSH Protocol 2
This is another brain-dead configuration: SSH should use protocol 2 instead of protocol 1, which has known security vulnerabilities. To do that, simply add the following to /etc/ssh/sshd_config (OpenSSH 7.4 and later no longer ship protocol 1 in the server at all, so this line only matters on older installations):
Protocol 2
Disable Unused Services
SSH supports several authentication services. If you do not use them, disable them explicitly in /etc/ssh/sshd_config (the last two keywords date from protocol 1; current OpenSSH versions ignore them with a warning):
KerberosAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
RhostsRSAAuthentication no
RhostsAuthentication no
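Editing the file is only half the job; what matters is the configuration sshd actually runs with, including defaults for keywords that were never written down. The script below is an added example, not part of the original guide: it audits a dump of the effective configuration in the format `sshd -T` prints (one lower-case keyword and its value per line) against the settings from the sections above, from PermitRootLogin down to the unused authentication services, and treats port 22 as a finding. The two dumps are constructed samples; on a real host the input would come from `sshd -T` run as root.

```shell
#!/bin/sh
# Added example: audit an "sshd -T" style dump against the hardening settings
# discussed above. Not taken from the original guide; the dumps are constructed.
set -u

# Required values, one "keyword value" per line ("port" is handled separately)
POLICY='permitrootlogin no
permitemptypasswords no
passwordauthentication no
usepam yes
kerberosauthentication no
gssapiauthentication no
hostbasedauthentication no'

# effective_value DUMPFILE KEYWORD -> the value recorded in the dump ("" if absent)
effective_value() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# audit_dump DUMPFILE -> one OK/FAIL line per check; exit status = number of failures
audit_dump() {
    dump=$1 failures=0
    while read -r key want; do
        got=$(effective_value "$dump" "$key")
        if [ "$got" = "$want" ]; then
            printf 'OK   %-24s %s\n' "$key" "$got"
        else
            printf 'FAIL %-24s %s (want %s)\n' "$key" "${got:-<unset>}" "$want"
            failures=$((failures + 1))
        fi
    done <<EOF
$POLICY
EOF
    port=$(effective_value "$dump" port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        printf 'FAIL %-24s %s (standard port)\n' port "${port:-<unset>}"
        failures=$((failures + 1))
    else
        printf 'OK   %-24s %s\n' port "$port"
    fi
    return "$failures"
}

# count_failures DUMPFILE -> number of FAIL lines, printed so scripts can use it
count_failures() {
    audit_dump "$1" | grep -c '^FAIL' || true
}

# Constructed samples in "sshd -T" format, not dumps from real servers
weak_dump="${TMPDIR:-/tmp}/sshd-T.weak.$$"
hardened_dump="${TMPDIR:-/tmp}/sshd-T.hardened.$$"
trap 'rm -f "$weak_dump" "$hardened_dump"' EXIT

cat > "$weak_dump" <<'EOF'
port 22
permitrootlogin yes
permitemptypasswords no
passwordauthentication yes
usepam yes
kerberosauthentication no
gssapiauthentication yes
hostbasedauthentication no
EOF

cat > "$hardened_dump" <<'EOF'
port 43594
permitrootlogin no
permitemptypasswords no
passwordauthentication no
usepam yes
kerberosauthentication no
gssapiauthentication no
hostbasedauthentication no
EOF

audit_dump "$weak_dump" || echo "weak sample: $? finding(s)"
audit_dump "$hardened_dump" && echo "hardened sample: clean"
```

Because `sshd -T` resolves defaults, a keyword that is missing from the file still shows up with the value the daemon is really using, which a grep over sshd_config alone would miss. Keep the POLICY list in step with whatever your own baseline requires.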
User Management
The next step is to configure which users may connect.
Allow Specific Users
If you need to permit only specific users to connect to the SSH server, set the AllowUsers keyword in /etc/ssh/sshd_config and list the users you want to allow. Example, for the local users alex and ref, and for user me only when connecting from host somewhere (the user@hostname form):
AllowUsers alex ref me@somewhere ...
Deny Specific Users
If you need to block specific users from connecting to the SSH server, set the DenyUsers keyword in /etc/ssh/sshd_config and list the users you want to deny. Example, for the local users alex and ref, and for user me connecting from host somewhere:
DenyUsers alex ref me@somewhere ...
Allow Specific User Group
If you need to permit only specific user groups to connect to the SSH server, set the AllowGroups keyword in /etc/ssh/sshd_config and list the groups you want to allow. Example, for the local groups wheel and admin:
AllowGroups wheel admin ...
Deny Specific User Group
If you need to block specific user groups from connecting to the SSH server, set the DenyGroups keyword in /etc/ssh/sshd_config and list the groups you want to deny. sshd evaluates these lists in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a user on the allow list is still refused when one of their groups is denied. Example, to deny the groups users and visitors:
DenyGroups users visitors ...
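Combining the four lists is where lock-outs happen, so it pays to check the decision for each account before the configuration goes live. The script below is an added example, not part of the original guide: it emulates sshd's documented evaluation order (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups) with shell-style patterns, and handles user@host entries by matching both halves. Its assumptions: the caller supplies the client host name and the user's group list instead of the emulation consulting the group database, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: emulate sshd's Allow/Deny user and group evaluation so an
# access list can be checked before deployment. Not taken from the original
# guide; the configuration below is constructed.
set -u -f    # -f: entries such as "adm*" must stay patterns, not expand to file names

# matches_any NAME PATTERN... -> true if NAME matches one of the patterns
matches_any() {
    name=$1; shift
    for p in "$@"; do
        case $name in $p) return 0 ;; esac
    done
    return 1
}

# matches_user USER HOST PATTERN... -> true if a plain or user@host entry matches
matches_user() {
    user=$1 host=$2; shift 2
    for pat in "$@"; do
        case $pat in
            *@*) matches_any "$user" "${pat%%@*}" && matches_any "$host" "${pat#*@}" && return 0 ;;
            *)   matches_any "$user" "$pat" && return 0 ;;
        esac
    done
    return 1
}

# list_from_config FILE KEYWORD -> every entry of every active KEYWORD line
list_from_config() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == key { for (i = 2; i <= NF; i++) printf "%s ", $i }
    ' "$1"
}

# access_decision FILE USER CLIENT_HOST [GROUP...] -> "allow" or "deny (reason)"
access_decision() {
    cfg=$1 user=$2 host=$3; shift 3
    deny_users=$(list_from_config "$cfg" DenyUsers)
    allow_users=$(list_from_config "$cfg" AllowUsers)
    deny_groups=$(list_from_config "$cfg" DenyGroups)
    allow_groups=$(list_from_config "$cfg" AllowGroups)

    # 1. DenyUsers wins over everything else
    if matches_user "$user" "$host" $deny_users; then echo "deny (DenyUsers)"; return; fi
    # 2. a non-empty AllowUsers must list the user
    if [ -n "$allow_users" ] && ! matches_user "$user" "$host" $allow_users; then
        echo "deny (not in AllowUsers)"; return
    fi
    # 3. membership in any denied group is enough to refuse
    for g in "$@"; do
        if matches_any "$g" $deny_groups; then echo "deny (DenyGroups: $g)"; return; fi
    done
    # 4. a non-empty AllowGroups needs at least one listed group
    if [ -n "$allow_groups" ]; then
        for g in "$@"; do
            matches_any "$g" $allow_groups && { echo allow; return; }
        done
        echo "deny (no group in AllowGroups)"; return
    fi
    echo allow
}

# Constructed sample, not a real server's configuration
cfg="${TMPDIR:-/tmp}/sshd_config.acl.$$"
trap 'rm -f "$cfg"' EXIT
cat > "$cfg" <<'EOF'
# constructed sample, not a real server's configuration
AllowUsers alex ref me@somewhere
DenyUsers guest
AllowGroups wheel admin
DenyGroups users visitors
EOF

access_decision "$cfg" alex 10.0.0.5 alex users   # allowed user, but member of a denied group
access_decision "$cfg" ref  10.0.0.5 ref wheel
access_decision "$cfg" me   somewhere wheel       # user@host entry: host must match too
access_decision "$cfg" me   elsewhere wheel
```

The first call is the case that surprises people: alex is explicitly allowed, yet being in the users group denies the login, because DenyGroups is evaluated after AllowUsers and a deny at any stage is final.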
Authentication Mechanics
Next, configure the authentication mechanism.
Enable/Disable Password Authentication
Password authentication (authorizing users by their password) is entirely up to the deployed network. If every permitted SSH user follows safe practices inside a local area network, it is acceptable to enable it.
If the server is exposed to the public, it is always best to disable password authentication to prevent brute-force attacks.
To enable or disable password authentication, add the following statement to /etc/ssh/sshd_config, with yes enabling it and no disabling it:
PasswordAuthentication no
Delegate to PAM
SSH authentication can be delegated to PAM. This way, user authentication is managed in a single location: PAM. To use PAM, make sure the following is in /etc/ssh/sshd_config:
UsePAM yes
In this case, you should edit only the sshd PAM service file, /etc/pam.d/ssh (many distributions name it /etc/pam.d/sshd), to configure the authentication mechanism. For example, to authenticate only the users listed in a file (e.g. /etc/loginusers), you can use pam_listfile, or pam_wheel for a group-based rule:
auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/loginusers
Jail Users
If the SSH server is open to the Internet, all permitted users (except administrators with good SSH practices) should be jailed so that no user can tamper with the root filesystem.
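One way to build that jail, as an added example that is not part of the original guide, is OpenSSH's ChrootDirectory inside a Match block; the SFTP-only variant shown here is an assumption, since the guide does not say what jailed users may do, and the group name and base path are placeholders. The check function covers the requirement that most often breaks a chroot setup: sshd refuses the login with "bad ownership or modes for chroot directory" unless every directory on the chroot path is owned by root and not writable by group or others. The demo directory is constructed and deliberately misconfigured so the check fires.

```shell
#!/bin/sh
# Added example: emit a ChrootDirectory Match block and check that the chroot
# path satisfies sshd's ownership and permission requirements. Not taken from
# the original guide; group name, base path and demo directory are placeholders.
set -u

# jail_block GROUP BASE -> sshd_config Match block jailing members of GROUP
# under BASE/<username>; %u is sshd's token for the user name
jail_block() {
    printf 'Match Group %s\n' "$1"
    printf '    ChrootDirectory %s/%%u\n' "$2"
    printf '    ForceCommand internal-sftp\n'   # SFTP only: no shell needed inside the jail
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# path_problems DIR -> one line per path component sshd would reject
path_problems() {
    dir=$1
    case $dir in /*) ;; *) echo "$dir: must be an absolute path"; return 1 ;; esac
    while :; do
        set -- $(ls -ldn "$dir")        # fields: mode links uid gid ...
        mode=$1 uid=$3
        [ "$uid" = 0 ] || echo "$dir: not owned by root (uid $uid)"
        case $mode in                   # 6th char = group write, 9th = other write
            ?????w*|????????w*) echo "$dir: writable by group or others ($mode)" ;;
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Constructed demo directory, made world-writable on purpose
demo_jail="${TMPDIR:-/tmp}/jail-demo.$$"
mkdir -p "$demo_jail"
chmod 777 "$demo_jail"
trap 'rmdir "$demo_jail"' EXIT

jail_block sftponly /srv/jail
path_problems "$demo_jail"
```

Note that the per-user directory itself must also be root-owned and non-writable; give users a writable subdirectory (for example /srv/jail/alice/upload owned by alice) rather than loosening the chroot root. Users who genuinely need a shell inside the jail require a populated chroot with the shell and its libraries, which is a considerably larger undertaking than the SFTP-only block above.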
That's all for hardening SSH server.