SSH (Secure Shell) is a powerful tool for remote access, but like any door to your system, it needs to be properly secured. This guide explains key configurations to make your SSH server more robust and protect against common threats.
UPGRADING TO SSHV2 FOR BETTER SECURITY
SSH comes in two main versions: SSH1 and SSH2. SSH2 is the more modern and secure choice, offering better encryption and protection against vulnerabilities. Always aim to use SSH2.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Find the line Protocol and ensure it's set to:
Protocol 2
TRACKING ACTIVITY WITH VERBOSE LOGGING
Knowing who logs in and out of your system is crucial for security. Verbose logging provides detailed records, which are invaluable if you ever need to investigate a security incident.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Find the line LogLevel and set it to:
LogLevel VERBOSE
DISABLING X11 FORWARDING (IF NOT NEEDED)
X11 Forwarding allows you to run graphical applications remotely over SSH. While convenient, it can also create security risks. If you don't need graphical access, it's safer to disable it.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Find the line X11Forwarding and set it to:
X11Forwarding no
LIMITING LOGIN ATTEMPTS (MAXAUTHTRIES)
To protect against "brute force" attacks, where attackers try many passwords, you can limit the number of times someone can attempt to log in. This significantly reduces the chances of a successful attack.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Find the line MaxAuthTries and set it to a low number, such as:
MaxAuthTries 4
IGNORING OLD AUTHENTICATION FILES (IGNORERHOSTS)
Older systems sometimes used .rhosts or .shosts files for authentication. These methods are less secure. Disabling them forces users to rely on more secure password or key-based authentication.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Find the line IgnoreRhosts and set it to:
IgnoreRhosts yes
DISABLING HOST-BASED AUTHENTICATION
Host-based authentication is another older method that can be risky. Disabling it ensures that SSH relies on more secure public key or password-based authentication.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Find the line HostbasedAuthentication and set it to:
HostbasedAuthentication no
PREVENTING DIRECT ROOT LOGIN (PERMITROOTLOGIN)
Logging in directly as the 'root' user (the super-administrator) is generally discouraged. Instead, log in with a regular user account and then use tools like sudo or su to gain root privileges. This creates a clearer audit trail and enhances security.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Find the line PermitRootLogin and set it to:
PermitRootLogin no
BLOCKING EMPTY PASSWORDS (PERMITEMPTYPASSWORDS)
Accounts without passwords are a massive security risk. Ensure your SSH server is configured to prevent anyone from logging in with an empty password.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Find the line PermitEmptyPasswords and set it to:
PermitEmptyPasswords no
LIMITING USER ENVIRONMENT SETTINGS (PERMITUSERENVIRONMENT)
Allowing users to set certain environment variables through SSH could potentially be misused to bypass security. It's safer to disable this feature.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Find the line PermitUserEnvironment and set it to:
PermitUserEnvironment no
USING STRONG ENCRYPTION (CIPHERS)
Ciphers are the algorithms that encrypt your SSH communication. Using strong, modern ciphers like aes128-ctr, aes192-ctr, and aes256-ctr helps protect against eavesdropping and "man-in-the-middle" attacks.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Find the line Ciphers and set it to:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
SETTING IDLE SESSION TIMEOUTS
Leaving SSH sessions open indefinitely can be a security risk. Setting a timeout automatically disconnects idle sessions, preventing unauthorized access if a workstation is left unattended.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Find the lines ClientAliveInterval and ClientAliveCountMax and
set them to:
ClientAliveInterval 300 (5 minutes)
ClientAliveCountMax 0 (disconnect after interval without response)
RESTRICTING ACCESS TO SPECIFIC USERS AND GROUPS
You can precisely control who can access your system via SSH. This is a critical security measure to limit potential entry points.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Use one or more of these parameters:
AllowUsers <username1> <username2>(only specified users can log in)AllowGroups <groupname1> <groupname2>(only users in specified groups can log in)DenyUsers <username1> <username2>(specified users cannot log in)DenyGroups <groupname1> <groupname2>(users in specified groups cannot log in)
DISPLAYING A LOGIN BANNER
A login banner displays a message to users before they authenticate. This can be used to provide legal notices or warnings.
HOW TO CONFIGURE:
Edit the /etc/ssh/sshd_config file.
Create a text file (e.g., /etc/issue.net) with your desired message.
Set the Banner parameter to the path of your banner file:
Banner /etc/issue.net
SECURING SSH CONFIGURATION FILE PERMISSIONS
The sshd_config file contains sensitive settings, so it must be protected. Only the root user should own it, and it should only be writable by root.
HOW TO CONFIGURE: From the command line,
run:
# chown root:root /etc/ssh/sshd_config
# chmod 644 /etc/ssh/sshd_config