SSH configuration and security best practices

Any good systems administrator will agree that changing SSH configuration to add additional security is a good thing. However, novice sysadmins are nervous about implementing changes. In this article I share a list of configurations that can be used to tighten and enhance SSH security on a UNIX or Linux based system.

  • Restrict the root account to console access only:
    # vi /etc/ssh/sshd_config
    PermitRootLogin no
  • Create private-public key pairs using a strong passphrase and password protection for the private key (Use a higher bit rate for the encryption for more security, for example 4096):
    % ssh-keygen -t rsa -b 4096
  • Configure TCP wrappers to allow only selective remote hosts and deny undesirable hosts:
    # vi /etc/hosts.deny
    ALL: 192.168.100.101        # ip address of mrbadguy
  • On workstations or laptops, disable the SSH server by turning off the SSH service, and then removing the ssh server package, for example:
    # chkconfig sshd off
    # yum erase openssh-server
    # update-rc.d -f ssh remove
    # apt remove openssh-server
  • Restrict SSH access by controlling user access:
    # vi /etc/ssh/sshd_config
    AllowUsers mc84838 martinch mchurchi
    DenyUsers janedoe johndoe mrbadguy
  • Force SSH to nly use SSH Protocol 2:
    # vi /etc/ssh/sshd_config
    Protocol 2
  • Don't allow Idle sessions, and configure the Idle Log Out Timeout interval (for example set to 600 seconds = 10 minutes):
    # vi /etc/ssh/sshd_config
    ClientAliveInterval 600
    ClientAliveCountMax 0
  • Disable host-based authentication:
    # vi /etc/ssh/sshd_config
    HostbasedAuthentication no
  • Disable user .rhosts files:
    # vi /etc/ssh/sshd_config
    IgnoreRhosts yes
  • Restrict the available interfaces that SSH will listen on and bind to:
    # vi /etc/ssh/sshd_config
    ListenAddress 192.168.100.200
    ListenAddress 10.1.1.10
  • Confine SFTP users to their own home directories by using chroot SSHD:
    # vi /etc/ssh/sshd_config 
    ChrootDirectory /secure/home/%u
    X11Forwarding no
    AllowTcpForwarding no
  • Disable empty passwords:
    # vi /etc/ssh/sshd_config
    PermitEmptyPasswords no
  • Configure an increase in SSH logging verbosity:
    # vi /etc/ssh/sshd_config
    LogLevel DEBUG
  • Use a log analyzer such as logcheck, splunk, or logwatch to create logging reports.
  • Always keep the SSH packages and required libraries up to date on patches, for example:
    # yum update openssh-server openssh openssh-clients -y
    # apt update openssh-server openssh-client -y
  • SSH supports numerous, diverse methods and techniques for authentication that you can enable or disable. Within the /etc/ssh/sshd_config file, you make these configurations changes by entering the keyword listed for the authentication method followed by yes or no. Here are some of the common configuration changes:
    #RSAAuthentication yes        
    #PubkeyAuthentication yes        
    #RhostsRSAAuthentication no
    #HostbasedAuthentication no
    #RhostsRSAAuthentication and HostbasedAuthentication
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
    #KerberosAuthentication no
    GSSAPIAuthentication yes
  • The keywords AllowedAuthentications and RequiredAuthentications within the sshd_config file dictate which authentication methods and configurations are used with SSH Protocol 2 only, and the syntax for them to allow password and public key authentication is as follows:
    # vi /etc/ssh/sshd_config
    AllowedAuthentications publickey, password
    RequiredAuthentications publickey, password