Advanced SSH Hardening Best Practices
As you could see in my last post about fail2ban, the SSH service is a popular target for brute force attacks, so we really should take the time to improve our server's security.
On top of iptables rules and fail2ban jails, there are a couple of parameters we can fine-tune on our servers to add another layer of protection.
# SSH authentication methods
By default, SSH allows for password authentication for all users except root, which is a good starting point, but we can improve this behaviour.
## Key authentication
The first step you need to take is to disable password authentication and use SSH keys exclusively. This greatly reduces the risk of brute force attacks, since SSH keys are harder to break.
I will not cover this setup, since there are a lot of great tutorials available on the internet; check this one from GitHub.
Another step is to disable root login: root is present on all GNU/Linux servers by default, which makes this user an easier target.
```
#PermitRootLogin prohibit-password
PermitRootLogin no
```
## Two-Factor Authentication (2FA)
If you would like to have yet another level of security, you can implement 2FA with SSH using Google Authenticator.
## Disable unused authentication methods
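By default, the OpenSSH server ships with more authentication methods enabled than you are probably using. You can disable them to reduce the attack surface of your server. If you set up 2FA with Google Authenticator as described above, keep ChallengeResponseAuthentication enabled, because the verification code prompt depends on it.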
```
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
```
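One way to confirm that the settings from the sections above are actually in effect, as an added example that is not part of the original post: the script reads `sshd -T` output (the effective configuration, printed with lowercase keywords) and reports every keyword that differs from the hardened value. The function name `audit_sshd` and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare effective sshd settings with the values from this post.
# Reads `sshd -T` style output (lowercase "keyword value" lines) on stdin.

# Expected values, from the sections above. Newer OpenSSH reports
# kbdinteractiveauthentication where older releases report
# challengeresponseauthentication; a keyword missing from the input is skipped.
EXPECTED='passwordauthentication no
pubkeyauthentication yes
permitrootlogin no
challengeresponseauthentication no
kbdinteractiveauthentication no
kerberosauthentication no
gssapiauthentication no'

# Prints one FAIL line per deviating keyword; returns 1 if any deviate.
audit_sshd() {
    _config=$(cat)
    _failures=0
    while read -r _key _want; do
        # Take the first line whose keyword matches exactly.
        _got=$(printf '%s\n' "$_config" |
            awk -v k="$_key" '$1 == k { print $2; exit }')
        [ -n "$_got" ] || continue
        if [ "$_got" != "$_want" ]; then
            echo "FAIL $_key: got '$_got', want '$_want'"
            _failures=$((_failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$_failures" -eq 0 ]
}

# Constructed sample, not captured from a real server.
SAMPLE='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
kerberosauthentication no
gssapiauthentication yes'

# On a real host, as root: sshd -T | audit_sshd
printf '%s\n' "$SAMPLE" | audit_sshd || echo "settings need review"
```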
# Improve SSH Encryption and Protocol Settings
By following those guides you can disable vulnerable algorithms and prioritize strong ones (AES-256-GCM, chacha20-poly1305).
When you finish tuning, verify the result with the ssh-audit tool.
# Restricting SSH Access
On top of iptables rules, the /etc/ssh/sshd_config file can apply restrictions based on users, groups and/or source IPs.
For example, to whitelist by IP, you can add the following:
```
# Restrict to a specific IP address
AllowUsers *@192.0.0.2

# Restrict using CIDR notation
AllowUsers *@192.0.0.0/24

# Restrict a specific user to a specific IP address
Match User alice
    AllowUsers alice@192.0.0.2
```