Security Hardening is a standard thing that is rarely done by most system administrators. As SSH is the standard for remote terminal access due to its simplicity encryption and wide use, the most basic thing to do as a first step of security improve on fresh installed GNU / Linux.
This is few of the things I'm aware of that improves sshd service security.
1. Strengthen OpenSSH encryption cyphers supported (usually to enable ones known with stronger encryption opts:
2. Disabling remote root login access
3. Make User sessions exprit /setting client timeout values etc.
Default expiry interval is 5 minutes, reducing this to smth like 3 minutes is usually a good, this is done with below 2 opts.
ClientAliveInterval – Sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client.
ClientAliveCountMax – Sets the limit of how long a client are allowed to stay unresponsive before being disconnected.
4. Require always password on login (do not check for SSH Key auth)
– Some refer to allow only Authentication with keys also for security, if you're one of those use:
5. Disable XForwarding
Most servers do not need to have Xorg or any kind of GUI environment, as well as you don't want to allow SSH Tunneling etc.
6. Disable GSSAPIAuthentication
This option is for Single Sign on (SSO) authentication with a password or kerberos ticket exchange.
Some corporations do use it due to their complex environments to save people the hassle to use different separte passwords with the SSO) ..
– If for some reason you need this feature enabled
7. Disable DNS lookup on remote machine (disable attempt of sshd to resolve remote hostname)
Below is the overall good configuration to improve a bit OpenSSH security, hence make sure /etc/ssh/sshd_config have it.
## AddressFamily inet
##PasswordAuthentication no # yes for Isaac 1 server only
# PasswordAuthentication no # yes for Isaac 1 server only
# GSSAPI options
## ClientAliveInterval 86400
## UseDNS no
This conifg is working on most recent SSH versions as of 2020 and should work fine on most recent RHELs / Debian / SuSEs / Fedora / Ubuntu and virtually anything from the multiple Linux OS based devices bundled with SSH Daemon.
After sshd_config is editted test is for configuration errors.
root@linux:~# sshd -t
/etc/ssh/sshd_config line 15: Deprecated option UsePrivilegeSeparation
Deprecated options can be safely ignore but it is good practice to clear them up, they might occur if you have updated the server for multiple years due to the fact in newer OpenSSH releases some of the older configuration values were removed.
To load new made config reload sshd
root@linux:~# systemctl restart sshd
root@linux:~# systemctl status sshd
● sshd.service – OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Fr 2020-03-06 15:47:48 CET; 1 months 1 days ago
Main PID: 4162 (sshd)
└─4162 /usr/sbin/sshd -D
Of course keeping a good set of security is a question of always keeping up to date OpenSSH server, so besides this nice values make sure you are frequently patching sshd. Perhaps I'm missing something so if you stumble this article and you see I miss some sshd security tuning option share it.
More helpful Articles
Tags: disable root login, gssapiauthentication, hardening, linux?, openssh, security, ssh, ssh login session expiry, sshd