Hardening SSH Server

SSH (Secure Shell) is already a secure protocol; the following tips are ones I have personally collected and tested. Hardening SSH makes it harder for people to get into SSH and do nasty things. You should review your sshd config; generally it is located in /etc/ssh/sshd_config. After every change, run sshd -t to check the syntax, and keep your current session open while you confirm that a new login still works, so a typo does not lock you out. This is a quick, no-fuss, straight-to-the-point guide which I have written on securing SSH. Of course there are other, more thorough guides out there.

Disable root login
This is really asking for trouble; it is like putting a sign in front of your house that reads “Rob Me”. root is the one username every attacker already knows exists, so it is where password guessing concentrates. Never enable root login via SSH. If you want to do something as root, simply use sudo. It is more secure, it is easier, and it leaves a record of which user ran what. If an automated job really must connect as root, PermitRootLogin prohibit-password allows key-based root logins only (older releases spell it without-password), which still shuts the door on password guessing. Otherwise, simply set

PermitRootLogin no

Restrict SSH logins with user/group access
If you have a bunch of people on your server, you may want to allow only certain users or groups to log in via SSH. Personally, I do not do this for my server as generally there are only 2 users. If you have a large number you probably want to. For more information, read about it here (via CyberCiti). There are a few configuration directives that accomplish this, such as AllowUsers, AllowGroups, DenyUsers and DenyGroups. sshd evaluates them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and once any Allow directive is present every user not listed is refused, so test with a second session before you log out.
Only allow connections from SSH v2
The original SSH-1 protocol is no longer considered safe (its CRC-based integrity check lets an attacker tamper with traffic), so allow only SSH v2 clients. You do this by altering your config file to:

Protocol 2

Change Default Port Number
Most port scanners scan 1-1024 by default, though others also include 2222 and the other well-known alternative SSH ports. Using a non-standard port reduces the chance of being picked up by random scans and cuts the noise in your logs. It is obscurity, not a security control: a targeted attacker will find the port with a full-range scan, so use it alongside the other measures, not instead of them. Before you restart sshd, open the new port in your firewall (and, on SELinux systems, add it to the ssh_port_t label) or you will lock yourself out. To do it, simply change the port number to something else; in this case, it is changed to 3999. Note that on OpenSSH 7.4 and later, SSH-1 server support has been removed entirely and the Protocol directive above is obsolete; it is harmless on a current system but only matters on older installs.

Port 3999

Use Public/Private Key Instead of Password
It is simple: you generate a public/private key pair. The server gets your public key (after all, it is public) in ~/.ssh/authorized_keys and you keep the private key. When you log in, instead of typing a password your client proves it holds the private key by signing a challenge from the server; the server checks the signature against the stored public key and, bam, you are in. Nothing secret crosses the wire, so there is no password to guess, phish or replay. Keys only stop guessing attacks if you also set PasswordAuthentication no; otherwise the password door stays open alongside the key door. Of course it comes with its own disadvantages. If your client PC (where the private key is stored) becomes compromised, you are pretty much dead, which is why the key should be protected with a passphrase and loaded through ssh-agent rather than stored in the clear. Another downside is that with a large number of users you have to generate a key pair for, and distribute it to, each one of them. To learn more about setting up private/public key authentication instead of passwords, read here.
Using Google authenticator (two-factor authentication) 
It is pretty much similar to the two-factor authentication with WordPress that I discussed earlier. Instead of just entering a password, you also have to enter an “authentication code”: a time-based one-time code generated on your phone. It is much like how online banking works in Europe, and in Malaysia it is similar to our PAC number. Knowing your password alone is no longer enough; an attacker needs the current code as well, which adds another layer of security. Some argue that the PAM module itself is not secure, and it does depend on sshd's PAM stack being set up correctly (UsePAM and keyboard-interactive authentication enabled), so the setup is only as strong as the PAM configuration around it. It is up to you whether you want it or not. Personally I use it when I don't have a key installed: when no key is present, my SSH server asks for the password and the authenticator code. You can learn more about how to set it up here.
Disable Host-Based authentication & Reject Empty Password
Host-based authentication lets a client machine vouch for its users: if the server trusts the client's host key (via /etc/ssh/shosts.equiv or a user's .shosts file) and the username matches, the user gets in without a password or a personal key. So if I am logged in as ‘poochi’ on my MacBook Pro and I have the same user on the server, the server trusts the laptop's host key and simply lets me SSH in. That means whoever controls the client host controls access to your server, so I don't see the point of it. Secondly, you should reject users with empty passwords. In fact, you should not permit users to have empty passwords in the first place.

PermitEmptyPasswords no
HostbasedAuthentication no

Disable rhosts
You don’t need your SSH server to honour the old rhosts trust files (~/.rhosts and ~/.shosts) that host-based authentication consults. Just disable it:
IgnoreRhosts yes
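To check that the directives from the sections above (root login, user/group restriction, protocol, port, key-only authentication, empty passwords, host-based authentication and rhosts) actually take effect, here is a small sshd_config auditor. It is an added example, not code from the original post, and it mirrors two sshd parsing rules that catch people out: keywords are case-insensitive, and for each keyword the first value in the file wins, so a "PermitRootLogin no" appended at the bottom does nothing if "PermitRootLogin yes" appears earlier. Directives under a Match block apply only to matching connections, so the global audit stops there and only reports that Match blocks exist. The sample config and the compiled-in defaults are assumptions for a recent OpenSSH release.

```python
"""Audit an sshd_config text for the hardening directives covered above."""
import re

# (keyword, acceptable values, compiled-in default assumed for a recent OpenSSH)
CHECKS = [
    ("PermitRootLogin", ("no", "prohibit-password"), "prohibit-password"),
    ("PasswordAuthentication", ("no",), "yes"),
    ("PubkeyAuthentication", ("yes",), "yes"),
    ("PermitEmptyPasswords", ("no",), "no"),
    ("HostbasedAuthentication", ("no",), "no"),
    ("IgnoreRhosts", ("yes",), "yes"),
]

# Constructed sample sshd_config with deliberate mistakes (not a real server's file).
SAMPLE_CONFIG = """\
# sample file for the audit below
Port 22
Protocol 2
PermitRootLogin yes
# the line below is ignored by sshd: the first PermitRootLogin wins
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
Match Address 192.168.1.0/24
    PasswordAuthentication no
"""


def parse_global(text):
    """Return ({lowercase keyword: first value}, has_match_block) for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines
        # "Keyword value" or "Keyword=value"; the value may itself contain spaces.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            return settings, True  # everything after Match is conditional
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings, False


def audit(text):
    """Return a list of (keyword, effective value, status) for the global section."""
    settings, has_match = parse_global(text)
    findings = []
    for keyword, good, default in CHECKS:
        effective = settings.get(keyword.lower(), default).lower()
        findings.append((keyword, effective, "PASS" if effective in good else "FAIL"))
    port = settings.get("port", "22")
    findings.append(("Port", port, "WARN" if port == "22" else "PASS"))
    if "protocol" in settings:
        # SSH-1 server support was removed in OpenSSH 7.4; the directive is ignored.
        findings.append(("Protocol", settings["protocol"], "OBSOLETE"))
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append(("AllowUsers/AllowGroups", "(unset)", "WARN"))
    if has_match:
        findings.append(("Match", "present", "INFO"))
    return findings


if __name__ == "__main__":
    for keyword, value, status in audit(SAMPLE_CONFIG):
        print(f"{status:8} {keyword} = {value}")
```

Run it against your own file with audit(open("/etc/ssh/sshd_config").read()). The sample reports PermitRootLogin as "yes" and FAIL even though a "no" line exists, which is exactly the mistake the first-value-wins rule produces on real servers; sshd -T (capital T) prints the effective configuration and is the authoritative check once you can run it on the host.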
My Setup
Basically I allow password-less login if the server is being accessed from the LAN. As for over the Internet, I enable Google's two-factor authentication and password login. I also use fail2ban. It prevents brute-force attacks, and at the same time I can log in to my server from virtually anywhere. If needed I'll post my ssh config (just post in the comments if you need it).
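To make the fail2ban part of that setup concrete, the following is an added example (not the post's own code, and not fail2ban itself) that reproduces the core rule of fail2ban's sshd jail: ban a source address that produces maxretry authentication failures within findtime seconds. The log lines are constructed, using addresses from documentation ranges, and the year passed to the parser is an assumption because syslog timestamps carry none.

```python
"""fail2ban-style brute-force detection over OpenSSH auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd failure messages as written to the auth log. One attempt against an
# unknown account produces both an "Invalid user" and a "Failed password"
# line, so both count; size maxretry with that in mind.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed (?:password|publickey) for (?:invalid user )?\S+"
    r"|Invalid user \S+) from (?P<ip>\S+)"
)
# Syslog timestamp at the start of the line, e.g. "Mar  3 10:00:05".
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample: a slow guesser, a legitimate key login, a fast
# brute-forcer, and a user who mistyped a password twice.
SAMPLE_LOG = """\
Mar  3 09:00:00 host sshd[2001]: Failed password for backup from 192.0.2.4 port 44001 ssh2
Mar  3 09:12:00 host sshd[2003]: Failed password for backup from 192.0.2.4 port 44003 ssh2
Mar  3 09:24:00 host sshd[2005]: Failed password for backup from 192.0.2.4 port 44005 ssh2
Mar  3 09:36:00 host sshd[2007]: Failed password for backup from 192.0.2.4 port 44007 ssh2
Mar  3 09:48:00 host sshd[2009]: Failed password for backup from 192.0.2.4 port 44009 ssh2
Mar  3 10:00:01 host sshd[2101]: Accepted publickey for poochi from 192.168.1.20 port 50122 ssh2
Mar  3 10:00:05 host sshd[2110]: Invalid user admin from 203.0.113.7 port 40110
Mar  3 10:00:06 host sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Mar  3 10:00:09 host sshd[2112]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  3 10:00:12 host sshd[2114]: Failed password for root from 203.0.113.7 port 40118 ssh2
Mar  3 10:00:15 host sshd[2116]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar  3 10:00:18 host sshd[2118]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 10:05:00 host sshd[2130]: Failed password for poochi from 198.51.100.9 port 51000 ssh2
Mar  3 10:05:30 host sshd[2131]: Failed password for poochi from 198.51.100.9 port 51002 ssh2
"""


def parse_syslog_time(stamp, year):
    """Syslog timestamps carry no year; the caller supplies it (an assumption here)."""
    compact = " ".join(stamp.split())  # "Mar  3 ..." -> "Mar 3 ..."
    return datetime.strptime(compact, "%b %d %H:%M:%S").replace(year=year)


def detect_bans(lines, maxretry=5, findtime=600, year=2024):
    """Return {ip: time of ban} using a sliding window of recent failures per IP."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    banned = {}
    for line in lines:
        hit, stamp = FAIL_RE.search(line), TS_RE.match(line)
        if not hit or not stamp:
            continue  # successful logins and unrelated lines do not count
        ip = hit.group("ip")
        if ip in banned:
            continue  # already banned; later lines would be blocked by the firewall
        now = parse_syslog_time(stamp.group("ts"), year)
        window = recent[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = now
    return banned


if __name__ == "__main__":
    for ip, when in detect_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults, only 203.0.113.7 is banned; the slow guesser at 192.0.2.4 stays under the radar because its attempts are twelve minutes apart, which is why a long findtime (or a low maxretry for accounts that should never be targeted, such as root) matters as much as the retry count. Real fail2ban also applies a bantime and unbans afterwards; this example stops at the decision.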
Further reading
Oh yes, there are a few other things you need to do to make it more secure, and they vary from one configuration to another. Here is some recommended reading that I would encourage you to check out if you would like to learn more.

2 thoughts to “Hardening SSH Server”

  1. Hi Prasys,
    Thanks so much for this concise but helpful guide! I've been asking around for tips on how to harden my SSH, and none of my other sources had this many great tips, especially the Google Authenticator! 😈
    Anybody know where the irc.osx86.hu Hackintosh channel went? As of the writing of this comment, I tried accessing it, but it came up w/ a bunch of Albanian channels… ❓ 🙁

  2. I’d like to see your config and maybe a redacted version of your iptables and fail2ban configuration if possible?
