How to Secure an SSH Server

Security is the first priority in server management. OpenSSH has had its share of vulnerabilities, but it is fairly secure by default. There are still some settings that can be improved. In this post, I'll show you how to harden an SSH server.

Preparation

Backup the configuration file

Before we start making changes to our configuration, let's make a backup.

cp /etc/ssh/sshd_config /root/sshd_config

Deploy in small steps

While it makes sense to roll out your new SSH configuration to all systems at once, you might want to be careful. For example, some older SSH clients can't use the newer key types or algorithms, so a hardened server may simply refuse them. Have a look at the oldest Linux distributions (and other clients) that need to connect to get an idea of the compatibility issues, and deploy to a few systems first.

Use the SSH configuration test

If you make changes to your SSH configuration, you need to reload or restart the service for them to take effect. I strongly recommend always checking your configuration (sshd_config) first. This can be done with the test mode flag. This additional step ensures the syntax and options are correct before you end up with a non-functioning service, and possibly locked out of the machine.

On a valid configuration this command prints nothing and exits with status 0; any output means something is wrong. Run it as root, because it also checks the host keys.

sshd -t
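The three preparation steps above (make a backup, test before you reload, deploy carefully) fit together into one small procedure. The script below is an added example, not code from the original post: it validates a candidate configuration file with `sshd -t -f` before touching the live one, keeps a timestamped backup of the file it replaces, and only then reloads the service. The path of the sshd binary, the backup directory and the reload command are assumptions (the unit is named ssh on Debian/Ubuntu and sshd on RHEL/Fedora); override the variables for your system.

```shell
#!/bin/sh
# Added example (not from the original post): stage a new sshd_config, validate it,
# install it with a timestamped backup, and reload sshd only if validation passed.
# Assumptions: sshd lives at /usr/sbin/sshd, backups go to /root, and the service
# is reloaded with systemctl. Override SSHD, BACKUP_DIR or RELOAD as needed.

SSHD=${SSHD:-/usr/sbin/sshd}
BACKUP_DIR=${BACKUP_DIR:-/root}
RELOAD=${RELOAD:-"systemctl reload ssh"}   # "systemctl reload sshd" on RHEL/Fedora

# validate_sshd_config FILE: exit 0 when sshd accepts FILE as a configuration.
# `sshd -t` prints nothing on success; `-f` points it at a file other than the live one,
# so you can test a candidate without installing it first.
validate_sshd_config() {
    "$SSHD" -t -f "$1"
}

# install_sshd_config CANDIDATE [TARGET]: validate CANDIDATE, back up TARGET
# (default /etc/ssh/sshd_config) with a timestamp, copy CANDIDATE over it and reload.
# Returns non-zero and leaves TARGET untouched when validation fails.
install_sshd_config() {
    candidate=$1
    target=${2:-/etc/ssh/sshd_config}
    backup="$BACKUP_DIR/sshd_config.$(date +%Y%m%d-%H%M%S)"

    if ! validate_sshd_config "$candidate"; then
        echo "refusing to install $candidate: sshd -t reported errors" >&2
        return 1
    fi
    cp -p "$target" "$backup" || return 1
    cp "$candidate" "$target" || return 1
    chmod 600 "$target"
    echo "installed $candidate as $target (backup: $backup)"
    # Keep your current session open and confirm a fresh login works before closing it;
    # if it does not, copy the backup back and reload again.
    $RELOAD
}

# Usage (as root): cp /etc/ssh/sshd_config /etc/ssh/sshd_config.new, edit the copy,
# then: install_sshd_config /etc/ssh/sshd_config.new
```

Editing a copy and validating it with `-f` is the safer order of operations: the live file is never in a half-edited state, and the backup is taken immediately before the swap, so restoring it is a single cp.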

SSH security settings

Disable X11 Forwarding

X11Forwarding no

The X11 protocol was never built with security in mind. Forwarding opens a channel back to the client's X display, so a malicious or compromised server can send commands back to the client, for example to inject keystrokes or read its windows. To protect clients, disable X11Forwarding when it is not needed.

Disable rhosts

IgnoreRhosts yes

While not common anymore, rhosts was a weak method to authenticate systems: a .rhosts file trusts another host simply by its hostname or IP address, both of which can be spoofed. By default, the use of rhosts files is already disabled. Make sure to check that it really is.

Disable empty passwords

PermitEmptyPasswords no

Accounts should be protected and users should be accountable, so logins with an empty password must not be allowed. The PermitEmptyPasswords option controls this; no is the default.

Maximum authentication attempts

MaxAuthTries 3

To protect against brute-force attacks on a user's password, limit the number of authentication attempts per connection with the MaxAuthTries setting. The default is 6, and once half of the allowed attempts have failed, sshd logs the further failures. Note that the limit is per connection: an attacker can simply open a new one, so this setting is a speed bump, and the real fix is key-based authentication (next section).

Public key authentication

PubkeyAuthentication yes
PasswordAuthentication no

Instead of a normal password-based login, use public key authentication. Keys are far stronger than passwords and not practically brute-forceable. Disable PasswordAuthentication to force users to use keys, but only after every user has a key in place, or you will lock them out. Also be aware that on systems using PAM, keyboard-interactive authentication can still prompt for a password; set ChallengeResponseAuthentication no (KbdInteractiveAuthentication no on newer releases) as well.

Disable root login

PermitRootLogin no

It is best practice not to log in as the root user. Use a normal user account to initiate your connection instead, together with sudo. Direct root logins result in poor accountability, since you can't tell which person performed the actions under that account. Note that since OpenSSH 7.0 the default is prohibit-password, which still allows root logins with a key; set it to no to block root logins entirely.

Set SSH protocol

Protocol 2

If you are running an older system, version 1 of the SSH protocol might still be available. This version has known weaknesses and should no longer be used. Since version 7.0 of OpenSSH, protocol 1 is disabled at compile time, and the keyword has no effect on current releases. If your version is older than that, enforce the protocol version with the Protocol 2 directive shown above.
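Each setting above says "make sure to check" or "which is the default", and checking is where mistakes hide: sshd takes the FIRST occurrence of a keyword and ignores later ones, so a PermitRootLogin no appended to the end of a file that already says yes changes nothing, and everything below the first Match line is conditional rather than global. The script below is an added example, not code from the original post: it reports the effective global value of each keyword discussed above, falls back to OpenSSH's compiled-in default when the file does not set it, and compares the result with the target values from this post. The defaults are those of current OpenSSH (PermitRootLogin defaulting to prohibit-password); the sample configuration it writes is constructed for the demonstration, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# hardening values discussed above, reproducing two sshd parsing rules:
#   1. the first occurrence of a keyword wins (later duplicates are ignored);
#   2. lines after the first "Match" are conditional, not global.
# Assumed defaults are OpenSSH's compiled-in ones for a current release.

# effective_value KEYWORD FILE: print the global value of KEYWORD (lowercased),
# or nothing if the file never sets it, in which case sshd uses its default.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[[:space:]]+/, "") }                # drop leading blanks
        /^#/ || /^$/ { next }                       # comments and empty lines
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }   # accept the "Keyword=value" form
        tolower($1) == "match" { exit }             # the global section ends here
        tolower($1) == key { print tolower($2); exit }   # first occurrence wins
    ' "$2"
}

# audit_sshd_config FILE: print "ok"/"FAIL" per keyword; return the failure count.
# Table columns: keyword, expected value, default used when the file is silent.
audit_sshd_config() {
    failures=0
    while read -r keyword expected default; do
        value=$(effective_value "$keyword" "$1")
        if [ -n "$value" ]; then origin=set; else value=$default; origin=default; fi
        if [ "$value" = "$expected" ]; then
            echo "ok    $keyword=$value ($origin)"
        else
            echo "FAIL  $keyword=$value ($origin), expected $expected"
            failures=$((failures + 1))
        fi
    done <<EOF
X11Forwarding no no
IgnoreRhosts yes yes
PermitEmptyPasswords no no
MaxAuthTries 3 6
PubkeyAuthentication yes yes
PasswordAuthentication no yes
PermitRootLogin no prohibit-password
EOF
    return "$failures"
}

# sample_sshd_config DIR: write a constructed sshd_config (not from any real host)
# that contains both traps, and print its path.
sample_sshd_config() {
    cat > "$1/sshd_config.sample" <<'EOF'
# constructed example, not a real system's file
PermitRootLogin yes
MaxAuthTries=3
PubkeyAuthentication yes
# added later in the hope of overriding the line above: the first line still wins
PermitRootLogin no

Match Address 10.0.0.0/8
    # these two apply only to 10.0.0.0/8; globally they stay at their defaults
    X11Forwarding no
    PasswordAuthentication no
EOF
    echo "$1/sshd_config.sample"
}

# Usage: audit_sshd_config /etc/ssh/sshd_config   (exit status = number of failures)
# On the constructed sample, PasswordAuthentication (default yes) and
# PermitRootLogin (first value yes) are reported as FAIL.
```

When sshd itself is available, `sshd -T` is the authoritative check: it prints the effective configuration after parsing, defaults included, and you can grep it for the keywords above. The awk-based check is for places where sshd is not installed, such as a CI job or a configuration-management repository, and it deliberately mirrors the first-occurrence rule so that the drift it finds is the drift sshd would act on.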