This post (unlike my other two) is not going to be a ranty post about something that annoys me. It is really a reference guide on how to harden OpenSSH. I'm not going to write a massive paragraph on what SSH is; if you're reading this you likely already know. For background, SSH stands for Secure Shell and is one of the most popular ways to administer Linux (and sometimes Windows) servers. Because it is so popular, and because a successful login hands the attacker a shell, it is usually the first port of call when someone is looking for a way in.
STEP 1 - Creating a backup
The sshd configuration is one of the easier things to change on Linux, but it is also easy to lock yourself out with, so back up the file before you touch it. You can do that with the following command
sudo cp /etc/ssh/sshd_config ~/sshd_config.bkup
STEP 2 - Basic hardening
Now open the original file. I'll be using vim here, but you can swap in your preferred editor
sudo vim /etc/ssh/sshd_config
On a very basic level, you are going to want to set the following options (one setting per line; values are lowercase by convention)
AddressFamily inet
: Only accept IPv4 connections. Skip this if you actually administer the box over IPv6
PermitRootLogin no
: Prevents logging in directly as root. Log in as a normal user and use sudo, so every privileged action is tied to a named account
MaxAuthTries 3
: Allows only 3 authentication attempts per connection before the client is disconnected, which slows brute forcing. Note that every public key the client offers counts as an attempt, so a client with many keys loaded in ssh-agent can be cut off before it reaches the right one; set IdentitiesOnly yes in that client's ssh config if this bites
LoginGraceTime 20
: Gives the client 20 seconds to finish authenticating before the connection is dropped
PasswordAuthentication no
: Forces key-based authentication, which takes password guessing off the table. Before you set this, put your public key in ~/.ssh/authorized_keys on the server and confirm a key login works from a second terminal, or you will lock yourself out. Also disable keyboard-interactive authentication (KbdInteractiveAuthentication no, or ChallengeResponseAuthentication no on OpenSSH before 8.7), otherwise PAM can still prompt for a password through that method
PermitEmptyPasswords no
: Refuses logins for accounts whose password is blank
SSH also lets users authenticate with methods other than passwords (which we have already disabled) and keys. Most servers never use Kerberos or GSSAPI, so unless yours does, turn them off to shrink the attack surface
KerberosAuthentication no
GSSAPIAuthentication no
There are a few other options you can disable if they are not being used on your server
X11Forwarding no
: Prevents remote graphical applications from being displayed over SSH
PermitUserEnvironment no
: Stops users from setting environment variables through ~/.ssh/environment or environment= options in authorized_keys (this is the default, but set it explicitly). If you do this, also comment out (#) any AcceptEnv lines in the config, since those let the client push variables across too
AllowAgentForwarding no
: Prevents forwarding of the client's ssh-agent to the server, so a compromised server can't use your keys to hop somewhere else
AllowTcpForwarding no
: Disables -L/-R/-D style port forwarding through the server; leave it on if you rely on tunnels
PermitTunnel no
: Disables tun device (VPN-style layer 2/3) tunnelling
Finally, on Debian and Ubuntu you can strip the distribution patch level from the version string sshd sends when you connect. The protocol requires a version string, so this hides the Debian suffix rather than the banner as a whole. The keyword only exists in Debian's patched OpenSSH; on other distributions sshd rejects it as an unknown option and will not start
DebianBanner no
Check the syntax and reload sshd. A typo can leave you with no daemon listening for new connections (sessions that are already open stay up), so keep your current session open until you have confirmed a fresh login works. Reload with
sudo service sshd reload
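Here is the whole of Step 2 as a script. This is an added example, not code from the original post. It applies every setting above to an sshd_config file idempotently (existing and commented-out copies of the same keywords are removed and Match blocks are left alone), comments out AcceptEnv, and prepends the block so that sshd's first-value-wins rule makes it authoritative over anything pulled in by a later Include line. It then shows the syntax check (sshd -t) and effective-config dump (sshd -T) to run before reloading. It adds one directive the post does not list, KbdInteractiveAuthentication no, to close the PAM keyboard-interactive fallback. The sample config it writes is constructed for the demonstration; Debian/Ubuntu layout and the DebianBanner keyword are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): apply the Step 2 settings to an
# sshd_config file idempotently, then validate before reloading.
# Assumes Debian/Ubuntu conventions (Include line, DebianBanner keyword).
set -eu

# One "Keyword value" per line. sshd honours the FIRST value it reads for a
# keyword, so this block is prepended to the file; that also beats anything
# pulled in later by "Include /etc/ssh/sshd_config.d/*.conf" (cloud images
# often drop PasswordAuthentication yes in there).
# KbdInteractiveAuthentication is not in the post's list; without it PAM can
# still prompt for a password through keyboard-interactive.
HARDENING='AddressFamily inet
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
DebianBanner no'

# Lowercased, '|'-joined keyword list for the awk filter below.
hardened_keywords() {
  printf '%s\n' "$HARDENING" | awk '{ printf "%s%s", (NR > 1 ? "|" : ""), tolower($1) }'
}

# harden_sshd_config FILE
# Drops every earlier global setting of a hardened keyword (active or
# commented out, so no stale "#PermitRootLogin prohibit-password" is left to
# confuse the next admin), comments out AcceptEnv as the post advises once
# PermitUserEnvironment is off, leaves Match blocks untouched, and prepends
# the hardening block. Safe to run more than once.
harden_sshd_config() {
  cfg="$1"
  tmp=$(mktemp)
  awk -v keys="$(hardened_keywords)" '
    {
      commented = ($0 ~ /^[ \t]*#/)
      l = $0; sub(/^[ \t#]+/, "", l)                   # strip indent and comment marks
      split(l, f, "[ \t=]+"); k = tolower(f[1])
      if (commented && l ~ /hardening block/) next     # our own marker comments
      if (k == "match" && !commented) inmatch = 1      # rest of file is conditional
      if (!inmatch) {
        if (k ~ ("^(" keys ")$")) next                 # re-added at the top
        if (k == "acceptenv" && !commented) { print "# " $0; next }
      }
      print
    }' "$cfg" > "$tmp"
  {
    echo "# --- hardening block: first value wins, keep above any Include ---"
    printf '%s\n' "$HARDENING"
    echo "# --- end hardening block ---"
    cat "$tmp"
  } > "$cfg"
  rm -f "$tmp"
}

# validate_and_reload FILE
# sshd -t is the syntax check; sshd -T prints the effective configuration
# after Includes are resolved, which is what to eyeball before a reload that
# could lock you out. The reload command is the post's.
validate_and_reload() {
  sudo sshd -t -f "$1"
  sudo sshd -T -f "$1" | grep -Ei '^(permitrootlogin|passwordauthentication|kbdinteractiveauthentication|maxauthtries) '
  sudo service sshd reload
}

# Constructed sample resembling a stock Debian/Ubuntu file (not a real
# capture): commented defaults, an active AcceptEnv, and a Match block.
write_sample_config() {
  cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
#MaxAuthTries 6
PasswordAuthentication yes
X11Forwarding yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication no
    AllowTcpForwarding yes
EOF
}

# Rehearse on a copy, then promote it (the post's backup path is reused):
#   sudo cp /etc/ssh/sshd_config ~/sshd_config.bkup
#   cp /etc/ssh/sshd_config /tmp/sshd_config.new
#   harden_sshd_config /tmp/sshd_config.new
#   sudo cp /tmp/sshd_config.new /etc/ssh/sshd_config
#   validate_and_reload /etc/ssh/sshd_config
```

The prepend matters more than it looks: the stock Debian file starts with an Include of sshd_config.d, and cloud images commonly drop a file there that turns PasswordAuthentication back on. Appending at the bottom would lose to it; sshd -T shows you which value actually won.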
STEP 3 - Change your f**king port
Look, this isn't strictly needed. If you did everything above your SSH is already in decent shape, and a port scan will find a moved sshd in seconds, so treat this as noise reduction rather than a security control: most bots only knock on 22, so your auth log gets a lot quieter. Pick something random above 1024 (ports below that are reserved for well-known services). I will use 1234 as the example in this post, but don't copy it; use a random number generator and check the result isn't already in use on the box.
To do this, go back into the sshd_config file we were editing in the last step and change the following parameter
Port 1234
Reload sshd and your port should be different. From now on you have to add -p 1234 when you ssh into the server (or put a Port line in a Host block in your ~/.ssh/config). On distributions where systemd socket-activates sshd (recent Ubuntu releases do), confirm that something is actually listening on the new port after the reload, since the socket unit rather than sshd_config may own the listening port.
Now we're going to install a firewall, specifically ufw. You can drive iptables or nftables directly, but I like the golden rule of KISS (Keep It Simple, Stupid): don't overcomplicate it. On a Debian-based server we would use
sudo apt install ufw
By default the firewall isn't going to be active; you can check with
sudo ufw status
and it should come back with Status: inactive.
Next we're going to allow our new SSH port. SSH only uses TCP, so restrict the rule to TCP rather than opening UDP as well
sudo ufw allow 1234/tcp
Now turn the firewall on with
sudo ufw enable
ufw's default policy denies all incoming traffic and allows outgoing, so from this point only the port you just allowed is reachable (22 included, unless you opened it). Your current session survives because ufw permits established connections, so before you log out, open a second terminal and log in on the new port. If it lets you in you're set; if not, you still have the first session to fix the rule or run ufw disable.
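The port change and firewall steps as one script. Again this is an added example and not code from the post. It picks a random port in the registered range, checks nothing already listens on it, replaces every global Port line in a copy of sshd_config with the new one (Match blocks are left alone), and opens it with ufw's limit rule, which rate-limits new connections from one source to 6 in 30 seconds, instead of a plain allow. The tcp suffix, the limit rule, the ss check and the constructed sample config are my additions; the backup and reload commands are the post's, and Linux with ss(8), ufw and sudo is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): choose and apply a new SSH port
# and open it through ufw. Assumes Linux with ss(8), ufw and sudo available.
set -eu

# random_high_port
# Two bytes of /dev/urandom folded into 1024-49151: above the privileged
# ports, below the ephemeral range the kernel hands to outgoing connections.
random_high_port() {
  n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
  echo $(( 1024 + n % 48128 ))
}

# port_in_use PORT
# True if any TCP listener is already bound to PORT (IPv4 or IPv6). The
# local address is column 4 of "ss -ltn"; the port is what follows the last ':'.
port_in_use() {
  ss -Hltn 2>/dev/null | awk -v p="$1" '
    { n = split($4, a, ":"); if (a[n] == p) found = 1 }
    END { exit !found }'
}

# set_sshd_port FILE PORT
# Port may legitimately appear several times (sshd listens on all of them), so
# every active or commented-out global Port line is removed and exactly one
# new one is written at the top. Match blocks are left as they are.
set_sshd_port() {
  cfg="$1"; port="$2"
  tmp=$(mktemp)
  awk '
    {
      commented = ($0 ~ /^[ \t]*#/)
      l = $0; sub(/^[ \t#]+/, "", l); split(l, f, "[ \t=]+"); k = tolower(f[1])
      if (k == "match" && !commented) inmatch = 1
      if (!inmatch && k == "port") next
      print
    }' "$cfg" > "$tmp"
  { echo "Port $port"; cat "$tmp"; } > "$cfg"
  rm -f "$tmp"
}

# firewall_ssh_port PORT
# "limit" allows the port but blocks a source that opens more than 6 new
# connections in 30 seconds, which blunts brute forcing before MaxAuthTries
# even applies. ufw's default policy denies everything else inbound.
firewall_ssh_port() {
  sudo ufw limit "$1/tcp" comment 'ssh (moved off 22)'
  sudo ufw --force enable        # --force skips the "may disrupt ssh" prompt
  sudo ufw status verbose
}

# move_ssh_port
# The full procedure against the live system; not run on load. Keep this
# session open and test "ssh -p PORT user@host" from another terminal.
move_ssh_port() {
  port=$(random_high_port)
  while port_in_use "$port"; do port=$(random_high_port); done
  sudo cp /etc/ssh/sshd_config ~/sshd_config.bkup
  cp /etc/ssh/sshd_config /tmp/sshd_config.new
  set_sshd_port /tmp/sshd_config.new "$port"
  sudo sshd -t -f /tmp/sshd_config.new
  sudo cp /tmp/sshd_config.new /etc/ssh/sshd_config
  firewall_ssh_port "$port"
  sudo service sshd reload
  echo "sshd should now be on $port; check with: ss -ltn | grep :$port"
}
```

After the reload, the ss check at the end is the one to believe: on Ubuntu releases that socket-activate sshd through ssh.socket, systemd rather than sshd binds the listening port, and if the new port is not in the ss output you need to change the socket unit as well.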