-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 This post (unlike my other two) is not going to be a ranty post about something that annoys me. This in truth is more of a reference guide on how to harden OpenSSH. I'm not going to do a massive paragraph on what is ssh, if you reading this you likely already know - however for background, ssh stands for secure shell, and is one of the most popular ways to administer Linux (and sometimes windows) servers. Because it is so popular, it is often the first point of call when a hacker is looking for an attack vector. ## STEP 1 - Creating a backup SSH is one of the easier things to modify within Linux, however, it is always best practice to create a backup file incase you mess it up. You can do this using the following command ```sh sudo cp /etc/ssh/sshd_config ~/sshd_config.bkup ``` ## STEP 2 - Basic hardening You are now going to want to access the original file, ill be using vim in this but you can swap that out for your prefered editor ``` sudo vim /etc/ssh/sshd_config ``` On a very basic level, you are going to want to change the following settings to these parameters - - `AddressFamily inet` : Makes it so your server only accepts ipv4 ssh connections - - `PermitRootLogin No` : This prevents the user from directly logging in as root, which is considered best practise - - `MaxAuthTries 3` : This makes it so the user can only attempt 3 password entries before being booted, helping to slow down brute force attacks - - `LoginGraceTime 20` : This sets it so the user only has 20s to log in before being booted - - `PasswordAuthentication no` : Makes it so you authenticate with keys rather than passwords, making the server significantly more secure - - `PermitEmptyPasswords no` : This prevents logins if a users password is set to a blank or empty value SSH also can let the user authenticate with other methods other than passwords (which we have already disabled) and keys. Given in 90% of cases we will not be using that, it makes sense to disable these to lower our attack surface - - `KerberosAuthentication no` - - `GSSAPIAuthentication no` There are a few other options you can disable if they are not being used on your server - - `X11Forwarding no` : Prevents the display of remote graphics over ssh - - `PermitUserEnviroment no` : Prevents client from passing in customer environment variables. If you do this make sure to `#` out any references to `AcceptEnv` in the config file - - `AllowAgentForwarding no` - - `AllowTcpForwarding no` - - `PermitTunnel no` Finally, you can disable the ssh banner that displays when you connect using the following - - `DebianBanner no` You reload the shhd settings using the following ``` sudo service sshd reload ``` ## STEP 2 - Change your f**king port Look, this is *always* needed - In truth if you already did what I suggested above then your SSH is pretty secure. This being said it is considered best practice to change your ssh port away from the standard 22 to something random and high. I will be using the example 1234 in this *but* I would strongly advise against this, just use a random number generator and that will give you one to use. To do this first thing you want to do is go into your `sshd_config` file we were editing in the last step. Change the following parameter - - `Port 1234` Reload your ssh and now your port should be different. From now on your going to have to put `-p 1234` at the end when you ssh into a server. Now we're going to install a firewall, specifically the UFW. You *can* use IP tables, but in general, I like to apply the golden rule of KISS (Keep It Simple Stupid) - Don't overcomplicate it. On a Debian-based server, we would use ```sh sudo apt install ufw ``` By default, your firewall isn't going to be up you can check that with the following command ```sh sudo ufw status ``` and it should come back with `Status: inactive`. Next were going to add out new ssh port using ``` sudo ufw allow 1234 ``` Now your going to bring your server back up with ``` sudo ufw enable ``` Now before you log out, just try and log in from another terminal to make sure the firewall hasn't kicked you out - if it lets you in then you're set -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEVR2DXk8VSeBYxT6vvUo0nUeoF5wFAmVZUeoACgkQvUo0nUeo F5wpiRAAkUf4DON06YnpaUJfl1wEfIlCDbDETDWKn4H+XVlhZqGT8gdmUdFVaH48 5zsgxg7+MWVhhyk6/zN2ZmKvNHjwB8uo9vaw2EUXmzbU0qa1g29iX9Dfh0gWDRzh 6MgK7mkEclaRtnyhZUZkapI921sXqDMV+f+56sOfrlts9aeaNUiAMhQfwuexZVNL z4UyJm3jxIgg3jlxovt+mwGs5tI/U7kWuJiuXxBM/QmAhGlP0Pu12Kl/kwTc2fqS UjHiX/smhp6s28BfgbOqymCk8TdhrYgyT1eUi2/zI3AURlvrK4Vtu+wHzB6l6xDB b3MR4d4M7ADN3wqtPZdxChg4CuGCwp7OXJy1VimWbS7ikQ/S0XURe0jnAFjLMIVm Yyo+//Fou5tLPUEp+4T0Bc3wW7uhG0N87PfJfUooWV3sA0y4d/+JQZYPknKgLrnF fVnacVAsWXBkob2Re06tdlMJ/FYxsmo8FegF0rbpesMXveKUcUfkfCpf/STGGsaS fLxx1LUe5ToEF3o+R6hplOkPWuBs+GyYEU8e3sbbj/RlAgkqSP83pZsUqRbO6XkS vJa2pi+egbpA8ekFnal5J1cWEpu9u4RJYJtNkDQUiFxvWoNz9hD6Qv8ln37rawyz xTzyGU/bnR2iZ0en8CvwTu3Ta4snEEcJzc58e/NbR6JXFDkahQ8= =CXsF -----END PGP SIGNATURE-----