Hardening Your SSH Server | skybert.net

Hardening Your SSH Server

Here are some steps I recommend everyone doing when setting up a server which is reachable on the internet. Below each point, I list an example configuration applicable to Debian based systems. These settings, however, may apply to any Unix or Linux system, though, you just must make sure the paths correspond to your system.

Run it on a non standard port

This will make your server not show up in standard/shallow nmap scans and thus make script kiddies move on to another server to attack than yours. Of course, your server is still findable (and attackable), but it requires just that more effort from the attacker's side, so a lot of them will move on elsewhere if they're not destined to targert you.

# /etc/ssh/sshd_config

Port 9900

Do not allow root logins

I never stop being amazed of how many production systems that runs with with this setting enabled.

# /etc/ssh/sshd_config

PermitRootLogin no

Do not allow password logins

Password logins have two problems. One, people tend to use insecure passwords, or are too bothered changing them regularly. Secondly, every time the person logs on to your server, he/she is at the risk of a key logger snatching the password.

Instead, insist on using keys for logging on to your server. Only clients having their public key in the corresponding.ssh/authorized_keys can log in to your server.

# /etc/ssh/sshd_config

PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes

Only accept SSHv2

I believe this is standard on all new systems these days, but just confirm that you do not accept SSHv1 connections as these are not considered secure anymore.

# /etc/ssh/sshd_config

Protocol 2

Put Clients That Fail a Log In in Jail

I recommend using fail2ban or similar for putting clients in jail for e.g. five minutes every when they fail a couple of login attemts. This makes brute force attacks so a lot more difficult.

# vim /etc/fail2bain/jail.conf

And configure the ssh section like:


enabled = true
port    = 9900
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

gmail torstein.k.johansen @ gmail ~ twitter @torsteinkrause ~