Secure Shell or SSH is a cryptographic network protocol used to securely log or access to remote systems. The most popular tool is the OpenSSH which provides a large suite of secure tunneling capabilities and different authentication methods.
Installation:
apt install openssh-server
If there’s any configuration changes on sshd configuration (/etc/ssh/sshd_config), reload the config to take effect.
systemctl reload sshd
You can use the “-T” options to check the validity of the configuration file
sshd -T
Best Security Practice Configuration for /etc/ssh/sshd_config
1. Root Login is disabled
-don’t permit login via SSH to use root, instead to access using individual account. Then if need to escalate to root access, use “sudo” or “su”
PermitRootLogin no
2. Disable Empty passwords
PermitEmptyPasswords no
3. Set the appropriate Log Level
-set to INFO to record login activity of users accessing the SSH.
LogLevel INFO
4. Client Alive Interval should be configured
-sets the timeout interval (in seconds) wherein sshd will send a message to request a response from client if no data has been received. Recommended settings is 5 minutes.
ClientAliveInterval 300
5. Client Alive Count Max should be configured
-sets the number of client alive messages which may be sent without receiving messages back from the client. Recommended setting is 3
ClientAliveCountMax 3
6. X11 Forwarding should be disabled
-if servers do not have GUI or X window system installed, this must be disabled to reduce potential risks
X11Forwarding no
7. Maximum Authentication Attempts should be limited
– recommended to set to 4 as maximum login authentication attempts per connection
MaxAuthTries 4
8. IgnoreRhosts should be enabled
– .rhosts and .shosts files will not be used in HostBasedAuthentication or RhostsRSAAuthentication
IgnoreRhosts yes
9. HostBasedAuthentication should be disabled
-this will disable to use .rhosts files
HostbasedAuthentication no
10. PermitUserEnvironment should be disabled
-this option should be disable to prevent users of bypassing security controls
PermitUserEnvironment no
11. Strong ciphers should be used
-the ciphers to be used for authentication should be strong.
Avoid weak ciphers like the Cipher Block Chaining (CBC) and 3 Des
aes128-cbc
aes192-cbc
aes256-cbc
3des-cbc
Instead,use strong ciphers like
aes256-ctr
aes192-ctr
aes128-ctr
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
12. Login Grace Time is set
-it sets the time allowed for successful authentication. Recommended setting is 1 minute (60 secs)
LoginGraceTime 60
13. Warning Banner is configured
– it will set to show banner or contents to the user before authentication is allowed. You can set the /etc/issue.net as the banner
Banner /etc/issue.net
14. Pluggable Authentication Module (PAM) is enabled
– enables PAM authentication
UsePAM yes
15. Allow TCP Forwarding is disabled
-it is used in SSH for tunneling application ports, so it is advisable to disable to reduce security risks and backdoors
AllowTcpForwarding no
16. Max Sessions is set
– it sets the maximum number of open sessions allowed from a given connection. Recommended setting is not more than 10.
MaxSessions 10
17. MaxStartups is configured
-it sets the maximum number of unauthenticated connections.
MaxStartups 10:30:100
18. Access is limited
– limit users and group that can access the system.
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>
19. Strong key exchange algorithms should be used
– keys are exchanged during communication between the sender and receiver
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Avoid weak key exchange algorithms such as:
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
20. Strong Message Authentication Codes (MAC) algorithm should be used
–Â strong MAC algorithm should be used in SSH communication
MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
Avoid using weak MAC algorithms such as:
hmac-md5
hmac-md5-96
hmac-ripemd160 hmac-sha1
hmac-sha1-96
umac-64@openssh.com
umac-128@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com