Top 20 Recommended SSH Configuration on Redhat or CentOS Linux

Secure Shell (SSH) is a cryptographic network protocol used to log in to and manage remote systems securely. The most widely used implementation is OpenSSH, which provides a large suite of secure tunnelling capabilities and several authentication methods.

Installation:

dnf install openssh-server

yum install openssh-server

After changing the sshd configuration (/etc/ssh/sshd_config), reload the service for the change to take effect.

systemctl reload sshd

You can use the “-t” option to check the validity of the configuration file. If there is no error, it prints nothing.

sshd -t
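As an added example that is not part of the original post, the following POSIX shell script wraps the edit, validate and reload sequence above: it rewrites a directive in place (replacing a commented-out default such as “#PermitRootLogin yes” rather than appending a second copy), keeps a backup, runs sshd -t on the result and reloads only if the file is accepted. The function names, the script name sshd_set.sh and the temporary file naming are my own; the script assumes awk is available and, for the reload step, the sshd and systemctl commands used above.

```shell
#!/bin/sh
# Added example (not from the original post): change sshd_config directives
# safely. Assumes POSIX sh + awk; sshd and systemctl are only needed for the
# validate-and-reload step, which follows the post's sshd -t / systemctl reload.

# set_sshd_option FILE KEY VALUE
# Replaces the first "KEY ..." line in the global section (active or commented
# out, e.g. "#PermitRootLogin yes") with "KEY VALUE" and drops later duplicates,
# since sshd honours the first occurrence of a keyword. If the keyword is not
# present it is inserted before the first active "Match" block (or appended),
# so it never lands inside a Match block by accident. Lines inside Match
# blocks are left untouched.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            commented = (line ~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indentation and "#"
            split(line, f, /[ \t=]+/)
            kw = tolower(f[1])                    # keywords are case-insensitive
            if (kw == "match" && !commented) {
                if (!done) { print key " " value; done = 1 }
                in_match = 1
            }
            if (!in_match && kw == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                              # drop duplicates of KEY
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"   # keep mode/owner of FILE
}

# apply_sshd_settings FILE KEY VALUE [KEY VALUE ...]
# Back up FILE, apply each pair, validate with `sshd -t`, and reload only if
# the new file is accepted; otherwise restore the backup and return non-zero.
apply_sshd_settings() {
    file=$1; shift
    cp -p "$file" "$file.bak" || return 1
    while [ $# -ge 2 ]; do
        set_sshd_option "$file" "$1" "$2" || return 1
        shift 2
    done
    if sshd -t -f "$file"; then
        systemctl reload sshd
    else
        echo "sshd -t rejected $file; restoring $file.bak" >&2
        cp -p "$file.bak" "$file"
        return 1
    fi
}

# Usage (as root): sh sshd_set.sh /etc/ssh/sshd_config PermitRootLogin no MaxAuthTries 4
if [ $# -ge 3 ]; then
    apply_sshd_settings "$@"
fi
```

Because sshd uses the first occurrence of a keyword and everything after a “Match” line applies only to that match, blindly appending “PermitRootLogin no” with echo can leave an earlier “PermitRootLogin yes” in force or scope the new line to the wrong block; the awk pass above handles both cases.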

Best Security Practice Configuration for /etc/ssh/sshd_config

1. Root Login is disabled
-do not permit SSH login as root; instead log in with an individual account and, if root access is needed, escalate with “sudo” or “su”

PermitRootLogin no

2. Disable Empty passwords

PermitEmptyPasswords no

3. Set the appropriate Log Level
-set to INFO to record the login activity of users accessing the server over SSH.

LogLevel INFO

4. Client Alive Interval should be configured
-sets the timeout interval (in seconds) after which sshd sends a message requesting a response from the client if no data has been received. The recommended setting is 5 minutes (300 seconds).

ClientAliveInterval 300

5. Client Alive Count Max should be configured
-sets the number of client alive messages that may be sent without receiving a response from the client before the session is terminated. The recommended setting is 3.

ClientAliveCountMax 3

6. X11 Forwarding should be disabled
-if the server has no GUI or X Window System installed, this must be disabled to reduce the attack surface

X11Forwarding no

7. Maximum Authentication Attempts should be limited
– the recommended maximum is 4 authentication attempts per connection

MaxAuthTries 4

8. IgnoreRhosts should be enabled
– .rhosts and .shosts files will not be used in HostBasedAuthentication or RhostsRSAAuthentication

IgnoreRhosts yes

9. HostBasedAuthentication should be disabled
-this disables authentication based on .rhosts-style trust files

HostbasedAuthentication no

10. PermitUserEnvironment should be disabled
-this option should be disabled to prevent users from using environment variables to bypass security controls

PermitUserEnvironment no

11. Strong ciphers should be used
-the ciphers used for the SSH connection should be strong.

Avoid weak ciphers such as the Cipher Block Chaining (CBC) modes and 3DES:
aes128-cbc
aes192-cbc
aes256-cbc
3des-cbc

Instead, use strong ciphers such as:
aes256-ctr
aes192-ctr
aes128-ctr

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

12. Login Grace Time is set
-it sets the time allowed for a client to authenticate successfully. The recommended setting is 1 minute (60 seconds)

LoginGraceTime 60

13. Warning Banner is configured
– it shows the contents of a banner file to the user before authentication. You can use /etc/issue.net as the banner

Banner /etc/issue.net

14. Pluggable Authentication Module (PAM) is enabled
– enables PAM authentication

UsePAM yes

15. Allow TCP Forwarding is disabled
-TCP forwarding is used to tunnel application ports over SSH, so it is advisable to disable it to reduce security risks and backdoors

AllowTcpForwarding no

16. Max Sessions is set
– it sets the maximum number of open sessions allowed from a given connection. The recommended setting is not more than 10.

MaxSessions 10

17. MaxStartups is configured
-it sets the maximum number of concurrent unauthenticated connections. The value takes the form start:rate:full: with 10:30:100, sshd begins randomly dropping new unauthenticated connections (with 30% probability) once 10 are pending, rising linearly until all are refused at 100.

MaxStartups 10:30:100

18. Access is limited
– limit the users and groups that can log in to the system over SSH.

AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>

19. Strong key exchange algorithms should be used
– the key exchange algorithm negotiates the session keys between client and server, so only strong ones should be allowed

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Avoid weak key exchange algorithms such as:
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1

20. Strong Message Authentication Codes (MAC) algorithm should be used
– only strong MAC algorithms should be used to protect the integrity of SSH traffic

MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

Avoid using weak MAC algorithms such as:
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-sha1
hmac-sha1-96
umac-64@openssh.com
umac-128@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
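To check a running server against the twenty settings above, the following script (an added example, not from the original post) reads the effective configuration that sshd -T prints and reports each setting as PASS or FAIL, including any cipher, key exchange or MAC algorithm from the avoid lists in items 11, 19 and 20. The function names, the script name sshd_audit.sh and the sample dump are my own constructions; the only assumption about OpenSSH is that sshd -T prints keywords in lowercase, which current releases do. Note that the MACs line recommended in item 20 itself contains six entries that also appear in the avoid list (umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com and hmac-sha1); the audit flags them, so trim that line to the hmac-sha2 entries if you want a clean run.

```shell
#!/bin/sh
# Added example (not from the original post): audit the effective sshd
# configuration, as printed by `sudo sshd -T > /tmp/sshd.dump`, against the
# settings above. Assumes POSIX sh plus awk and tr; sshd itself is not needed.

# Expected "keyword value" pairs from the post, keywords lowercased as sshd -T prints them.
EXPECTED='permitrootlogin no
permitemptypasswords no
loglevel INFO
clientaliveinterval 300
clientalivecountmax 3
x11forwarding no
maxauthtries 4
ignorerhosts yes
hostbasedauthentication no
permituserenvironment no
logingracetime 60
usepam yes
allowtcpforwarding no
maxsessions 10'

# Algorithms the post says to avoid.
WEAK_CIPHERS='aes128-cbc aes192-cbc aes256-cbc 3des-cbc'
WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1'
WEAK_MACS='hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-sha1 hmac-sha1-96
umac-64@openssh.com umac-128@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com
umac-64-etm@openssh.com umac-128-etm@openssh.com'

# get_value DUMP KEYWORD: print KEYWORD's value from the dump (empty if absent).
get_value() {
    awk -v key="$2" 'tolower($1) == key { sub(/^[^ \t]+[ \t]*/, ""); print; exit }' "$1"
}

# check_exact DUMP KEYWORD WANT: case-insensitive comparison of the effective value.
check_exact() {
    have=$(get_value "$1" "$2")
    if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        printf 'PASS %s %s\n' "$2" "$have"; return 0
    fi
    printf 'FAIL %s: have "%s", want "%s"\n' "$2" "$have" "$3"; return 1
}

# check_list DUMP KEYWORD WEAKLIST: fail if any enabled algorithm is on WEAKLIST.
check_list() {
    have=$(get_value "$1" "$2"); bad=''
    for alg in $(printf '%s' "$have" | tr ',' ' '); do
        for weak in $3; do
            [ "$alg" = "$weak" ] && bad="$bad $alg"
        done
    done
    if [ -z "$bad" ]; then printf 'PASS %s\n' "$2"; return 0; fi
    printf 'FAIL %s: weak algorithms enabled:%s\n' "$2" "$bad"; return 1
}

# audit_sshd DUMP: run every check; the return value is the number of failures.
audit_sshd() {
    dump=$1; fails=0
    while read -r key want; do
        check_exact "$dump" "$key" "$want" || fails=$((fails + 1))
    done <<EOF
$EXPECTED
EOF
    check_list "$dump" ciphers       "$WEAK_CIPHERS" || fails=$((fails + 1))
    check_list "$dump" kexalgorithms "$WEAK_KEX"     || fails=$((fails + 1))
    check_list "$dump" macs          "$WEAK_MACS"    || fails=$((fails + 1))
    printf '%d check(s) failed\n' "$fails"
    return "$fails"
}

# write_sample_dump FILE: a constructed sshd -T style dump (not from a real host)
# carrying five deliberate deviations, for the --demo mode below.
write_sample_dump() {
    cat > "$1" <<'EOF'
permitrootlogin yes
permitemptypasswords no
loglevel INFO
clientaliveinterval 300
clientalivecountmax 3
x11forwarding no
maxauthtries 6
ignorerhosts yes
hostbasedauthentication no
permituserenvironment no
logingracetime 120
usepam yes
allowtcpforwarding no
maxsessions 10
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
EOF
}

# Usage: sh sshd_audit.sh /tmp/sshd.dump   (or: sh sshd_audit.sh --demo)
case "${1:-}" in
    --demo) f=$(mktemp); write_sample_dump "$f"; audit_sshd "$f"; rm -f "$f" ;;
    ?*)     audit_sshd "$1" ;;
esac
```

Auditing the output of sshd -T rather than grepping sshd_config is deliberate: it reflects defaults that the file never mentions, drop-in files under /etc/ssh/sshd_config.d, and the first-occurrence rule, so it reports what the daemon actually enforces. On the constructed sample the script reports five failures (PermitRootLogin, MaxAuthTries, LoginGraceTime, the hmac-sha1 MAC and the diffie-hellman-group14-sha1 key exchange).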

About the author

Free Linux
