SSH security hardening is an important measure to protect servers from unauthorized access and attacks. Through proper configuration and best practices, SSH server security can be significantly improved.
Basic Security Configuration
1. Change Default Port
```bash
# /etc/ssh/sshd_config
# Change to a non-standard port
Port 2222
```
Advantages:
- Reduces automated scanning and brute force attacks
- Reduces log noise
- Increases attack difficulty
2. Disable Root Login
```bash
# /etc/ssh/sshd_config
PermitRootLogin no
```
Best Practices:
- Use regular user login and elevate privileges via sudo
- Limit sudo permission scope
- Regularly review sudo configuration
3. Disable Password Authentication
```bash
# /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
```
Implementation Steps:
- Configure public key authentication
- Test public key login
- Disable password authentication
- Restart SSH service
4. Restrict Login Users
```bash
# /etc/ssh/sshd_config
# Only allow specific users
AllowUsers user1 user2
# Only allow specific groups
AllowGroups sshusers
# Deny specific users
DenyUsers guest test
# Deny specific groups
DenyGroups nogroup
```
Advanced Security Configuration
1. Multi-Factor Authentication
```bash
# /etc/ssh/sshd_config
AuthenticationMethods publickey,keyboard-interactive
# Or use Google Authenticator (the keyboard-interactive step is handled by PAM)
AuthenticationMethods publickey,keyboard-interactive:pam
```
Configure Google Authenticator:
```bash
# Install
sudo apt-get install libpam-google-authenticator
# Configure for the user (run as that user; it writes ~/.google_authenticator)
google-authenticator
# Configure PAM
# /etc/pam.d/sshd
auth required pam_google_authenticator.so
# sshd_config must also hand the keyboard-interactive step to PAM:
# UsePAM yes
# KbdInteractiveAuthentication yes   (ChallengeResponseAuthentication yes on OpenSSH < 8.7)
```
2. Connection Limits
```bash
# /etc/ssh/sshd_config
# Maximum authentication attempts per connection
MaxAuthTries 3
# Maximum sessions per network connection
MaxSessions 2
# Maximum concurrent unauthenticated connections (start:rate:full)
MaxStartups 10:30:100
# Login timeout in seconds
LoginGraceTime 60
```
3. Network Security
```bash
# /etc/ssh/sshd_config
# Only listen on specific addresses
ListenAddress 192.168.1.100
ListenAddress 127.0.0.1
# Disable port forwarding
AllowTcpForwarding no
GatewayPorts no
# Disable X11 forwarding
X11Forwarding no
# Disable agent forwarding
AllowAgentForwarding no
```
4. Encryption Algorithm Optimization
```bash
# /etc/ssh/sshd_config
# Use secure encryption algorithms
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
# Use secure key exchange algorithms
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256
# Use secure MAC algorithms
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
# Alternative: keep the defaults and only remove insecure algorithms.
# A single leading "-" removes every pattern in the list (OpenSSH 7.5+).
# Ciphers -3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
```
Access Control
1. TCP Wrappers
```bash
# /etc/hosts.allow
sshd: 192.168.1.0/24 : ALLOW
sshd: 10.0.0.0/8 : ALLOW
# /etc/hosts.deny
sshd: ALL : DENY
# Upstream OpenSSH dropped TCP wrappers (libwrap) support in 6.7;
# confirm your sshd is still linked against it before relying on these files:
# ldd /usr/sbin/sshd | grep libwrap
```
2. Firewall Configuration
```bash
# Using iptables
iptables -A INPUT -p tcp --dport 2222 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j DROP
# Using ufw (rules are evaluated in order, so the allow must come first)
ufw allow from 192.168.1.0/24 to any port 2222 proto tcp
ufw deny 2222/tcp
```
3. Fail2Ban Integration
```bash
# Install Fail2Ban
sudo apt-get install fail2ban
# Configure SSH monitoring
# /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
# failures within findtime (seconds) that trigger a ban, and the ban length (seconds)
maxretry = 3
bantime = 3600
findtime = 600
```
Logging and Monitoring
1. Verbose Logging Configuration
```bash
# /etc/ssh/sshd_config
# VERBOSE also logs the fingerprint of the key used for each login
LogLevel VERBOSE
# Log login information to the authpriv facility
SyslogFacility AUTHPRIV
```
2. Log Analysis
```bash
# View login failures
grep "Failed password" /var/log/auth.log
# View successful logins
grep "Accepted" /var/log/auth.log
# View attempts against non-existent accounts
grep "Invalid user" /var/log/auth.log
# On journald-only hosts without auth.log, query the journal instead
# (unit is ssh on Debian/Ubuntu, sshd on RHEL-family systems)
journalctl -u ssh --since today
```
3. Real-time Monitoring
```bash
# Monitor SSH connections in real-time
tail -f /var/log/auth.log | grep sshd
# Monitor established connections on the SSH port
# (ss -tlnp would only show the listening socket, not active sessions)
watch "ss -tn state established '( sport = :2222 )'"
```
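As an added example that is not part of the original page, the following Python script parses the same auth.log lines the grep commands above look for and applies the maxretry/findtime window used by the Fail2Ban jail configured earlier. The log lines are constructed samples, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Debian/Ubuntu /var/log/auth.log format (not real traffic).
SAMPLE_LOG = """\
Jan 10 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 bastion sshd[1202]: Invalid user test from 203.0.113.5 port 51240
Jan 10 10:00:04 bastion sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan 10 10:00:09 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jan 10 10:02:30 bastion sshd[1204]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2: ED25519 SHA256:c0nstructed
Jan 10 10:05:00 bastion sshd[1205]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Jan 10 10:20:00 bastion sshd[1206]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 10 10:40:00 bastion sshd[1207]: Failed password for bob from 198.51.100.7 port 40002 ssh2
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
FAIL_RE = re.compile(r"^(?:Failed password for|Invalid user) .*from (\d+\.\d+\.\d+\.\d+)")
OK_RE = re.compile(r"^Accepted \w+ for \S+ from (\d+\.\d+\.\d+\.\d+)")

def parse_events(text, year=2024):
    """Return (timestamp, kind, ip) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        fail, ok = FAIL_RE.match(m.group(2)), OK_RE.match(m.group(2))
        if fail:
            events.append((ts, "fail", fail.group(1)))
        elif ok:
            events.append((ts, "accept", ok.group(1)))
    return events

def ban_candidates(events, maxretry=3, findtime=600):
    """Fail2Ban-style check: flag an IP at the moment it reaches `maxretry`
    failures inside a sliding `findtime`-second window (same knobs as jail.local)."""
    window, banned = defaultdict(deque), {}
    for ts, kind, ip in sorted(events):
        if kind != "fail" or ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned
```

With the defaults, 203.0.113.5 is flagged on its third failure while 198.51.100.7 is not, because its three failures are spread over more than 600 seconds; widening findtime to 3600 flags it too.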
Key Management
1. Key Rotation
```bash
# Regularly generate new keys
ssh-keygen -t ed25519 -f ~/.ssh/new_key -C "user@hostname"
# Install the new public key on the server (add -p 2222 if the port was changed)
ssh-copy-id -i ~/.ssh/new_key.pub user@server
# Verify the new key works before touching the old one
ssh -i ~/.ssh/new_key user@server
# Remove the old public key from the server's authorized_keys (see Key Revocation),
# then delete the old key pair locally
rm ~/.ssh/old_key ~/.ssh/old_key.pub
```
2. Key Permissions
```bash
# Set correct file permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/config
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 600 ~/.ssh/authorized_keys
```
3. Key Revocation
```bash
# Remove a specific key from authorized_keys
# (the pattern matches the key's comment field; keep a backup first)
cp ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bak
sed -i '/old_key/d' ~/.ssh/authorized_keys
# Or edit manually
nano ~/.ssh/authorized_keys
```
Regular Maintenance
1. System Updates
```bash
# Regularly update SSH software
sudo apt-get update
sudo apt-get upgrade openssh-server
# Check current version
ssh -V
```
2. Security Audit
```bash
# Check the effective SSH configuration (sshd -T needs root to read the host keys)
sudo sshd -T | grep -i "permitroot\|passwordauthentication"
# Check supported algorithms
ssh -Q cipher
ssh -Q kex
ssh -Q mac
# Enumerate the algorithms the server actually offers with nmap
nmap --script ssh2-enum-algos -p 2222 hostname
```
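As an added example (not part of the original page), this Python script turns the `sshd -T` output checked above into a pass/fail audit against the baseline recommended in the sections before it: root login, password authentication, forwarding, MaxAuthTries, the default port and CBC/RC4 ciphers. The `sshd -T` output embedded here is a constructed sample, not from a real host.

```python
# Constructed sample of `sshd -T` output (lowercase keywords, one per line); not from a real host.
SAMPLE_SSHD_T = """\
port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 6
x11forwarding yes
allowtcpforwarding yes
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com,3des-cbc
"""
# Baseline taken from the settings recommended on this page.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "allowtcpforwarding": "no",
}
MAX_AUTH_TRIES = 3
WEAK_CIPHER_PATTERNS = ("-cbc", "arcfour")  # CBC modes and RC4 are the legacy ciphers to disable

def parse_sshd_t(text):
    """Turn `sshd -T` output into a {keyword: value} dict."""
    conf = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if key:
            conf[key.lower()] = value.strip()
    return conf

def audit(conf):
    """Return (keyword, actual, expected) findings; an empty list means the baseline is met."""
    findings = []
    for key, want in EXPECTED.items():
        got = conf.get(key, "<unset>")
        if got.lower() != want.lower():
            findings.append((key, got, want))
    tries = conf.get("maxauthtries", "6")  # OpenSSH default is 6
    if int(tries) > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", tries, f"<= {MAX_AUTH_TRIES}"))
    if conf.get("port") == "22":
        findings.append(("port", "22", "non-default port"))
    weak = [c for c in conf.get("ciphers", "").split(",") if any(p in c for p in WEAK_CIPHER_PATTERNS)]
    if weak:
        findings.append(("ciphers", ",".join(weak), "no CBC/RC4 ciphers"))
    return findings
```

To audit a live host, feed the captured output of `sudo sshd -T` to `parse_sshd_t` in place of the sample; the sample itself produces seven findings, and the one passing check is PubkeyAuthentication.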
3. Backup Configuration
```bash
# Backup SSH configuration
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
# Backup keys
tar -czf ssh_keys_backup.tar.gz ~/.ssh/
```
Best Practices Summary
- Principle of Least Privilege: Grant only necessary access permissions
- Defense in Depth: Multiple layers of security controls
- Regular Updates: Keep software and configuration up to date
- Monitoring and Auditing: Continuous monitoring and regular audits
- Incident Response: Develop security incident response plans
SSH security hardening is an ongoing process that requires adjustment and optimization based on specific environments and threat models.