This guide provides best practices and hardening options for OpenSSH servers based on the CIS benchmarks. It's designed for Linux administrators and aims to improve server security.
CIS (Center for Internet Security) benchmarks are developed by experts and offer a robust framework for securing various platforms, including OpenSSH.
Ensure you have OpenSSH installed and running. Basic commands for setup on a Linux system include:
sudo apt install openssh-server
sudo systemctl status ssh
sudo systemctl start ssh
sudo systemctl enable ssh
/etc/ssh/sshd_configsudo stat /etc/ssh/sshd_config
sudo chown root:root /etc/ssh/sshd_config
sudo chmod og-rwx /etc/ssh/sshd_config
sudo find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat {} \;
sudo find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:root {} \;
sudo find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod 0600 {} \;
sudo grep ^Protocol /etc/ssh/sshd_config
Protocol 2
sudo sshd -T | grep loglevel
LogLevel VERBOSE
sudo sshd -T | grep x11forwarding
X11Forwarding no
sudo sshd -T | grep maxauthtries
MaxAuthTries 4
sudo sshd -T | grep permitrootlogin
PermitRootLogin no
sudo sshd -T | grep permitemptypasswords
PermitEmptyPasswords no
sudo sshd -T | grep ciphers
sudo sshd -T | grep -i "MACs"
sudo sshd -T | grep kexalgorithms
Ciphers ...
MACs ...
KexAlgorithms ...
sudo sshd -T | grep clientaliveinterval
sudo sshd -T | grep clientalivecountmax
ClientAliveInterval 300
ClientAliveCountMax 0
sudo sshd -T | grep logingracetime
LoginGraceTime 60
sudo sshd -T | grep allowusers
sudo sshd -T | grep allowgroups
sudo sshd -T | grep denyusers
sudo sshd -T | grep denygroups
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>
sudo sshd -T | grep banner
Remediation**:
Banner /etc/issue.net
sudo sshd -T | grep -i usepam
UsePAM yes
sudo sshd -T | grep -i allowtcpforwarding
AllowTcpForwarding no
sudo sshd -T | grep -i maxstartups
MaxStartups 10:30:60
sudo sshd -T | grep -i maxsessions
MaxSessions 4
Regularly update your SSH server:
sudo apt update && sudo apt upgrade
Consider changing the default SSH port (22) to a non-standard port.
Implement Fail2Ban for additional protection against brute-force attacks.
Here is an example of how to configure the SSH server:
Port 8022
LogLevel INFO
PermitRootLogin no
...
ssh-keygen -t rsa -b 4096
Using ssh-copy-id or manually appending to ~/.ssh/authorized_keys.
Edit the SSH server configuration file:
sudo nano /etc/ssh/sshd_config
Ensure the following options are set:
PasswordAuthentication no
PubkeyAuthentication yes
sudo service ssh restart
Ensure the use of strong ciphers, MACs (Message Authentication Codes), and key exchange algorithms to protect against cryptographic attacks.
Audit:
sudo sshd -T | grep ciphers
sudo sshd -T | grep -i "MACs"
sudo sshd -T | grep kexalgorithms
Remediation:
Specify strong ciphers, MACs, and KexAlgorithms in /etc/ssh/sshd_config. For example:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org
Ensure key-based authentication works correctly.