Extreme SSH Hardening

Results from a Mozilla SSH Observatory Scan

SSH (Secure Shell) is a great tool, but if you ever expose SSH to the internet, you’ll soon discover a multitude of internet bots and bad actors pummeling your server.

There is a clever way of mitigating this attack vector passively. Some of you might know this already, but the idea is to configure SSH to the strictest settings it supports. You can audit the SSH security of a host whose standard port 22 is exposed using The Mozilla Observatory Tool.

Warning: This will break legacy systems. Here’s an example of an /etc/ssh/sshd_config file in a nutshell.

```text
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com

LogLevel VERBOSE
SyslogFacility AUTHPRIV
Subsystem sftp internal-sftp -f AUTHPRIV -l INFO

UsePAM yes
PrintMotd no
Compression no
PermitRootLogin no
GSSAPIAuthentication no
PasswordAuthentication no
AuthenticationMethods publickey
ChallengeResponseAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
```

A configuration like this prevents almost 99% of attackers from reaching or getting past the negotiation stage. The most you’ll see in your system log is the following.

```shell
sshd: Connection from x.x.x.x port x on x.x.x.x port 22
sshd: Connection closed by x.x.x.x port x [preauth]
sshd: Connection from x.x.x.x port x on x.x.x.x port 22
sshd: Connection closed by x.x.x.x port x [preauth]
```
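As an added example (not from the original post), a small triage script for log lines of this shape. It assumes OpenSSH's stock syslog format, uses the "Unable to negotiate ..." message sshd logs when a client offers none of the configured algorithms, and runs over constructed sample lines with RFC 5737 documentation addresses.

```shell
# Constructed sample of sshd syslog lines (RFC 5737 documentation addresses),
# in the same shape as the "Connection closed ... [preauth]" lines above.
SAMPLE_LOG='Feb 10 03:14:01 host sshd[1201]: Connection from 203.0.113.7 port 51822 on 198.51.100.4 port 22
Feb 10 03:14:01 host sshd[1201]: Unable to negotiate with 203.0.113.7 port 51822: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Feb 10 03:14:02 host sshd[1203]: Connection from 203.0.113.7 port 51830 on 198.51.100.4 port 22
Feb 10 03:14:02 host sshd[1203]: Connection closed by 203.0.113.7 port 51830 [preauth]
Feb 10 03:15:10 host sshd[1210]: Connection from 192.0.2.55 port 40011 on 198.51.100.4 port 22
Feb 10 03:15:10 host sshd[1210]: Connection closed by 192.0.2.55 port 40011 [preauth]
Feb 10 03:16:00 host sshd[1222]: Connection from 203.0.113.7 port 51900 on 198.51.100.4 port 22
Feb 10 03:16:00 host sshd[1222]: Connection closed by 203.0.113.7 port 51900 [preauth]
Feb 10 03:20:30 host sshd[1240]: Connection from 10.0.3.1 port 49152 on 198.51.100.4 port 22
Feb 10 03:20:31 host sshd[1240]: Accepted publickey for alice from 10.0.3.1 port 49152 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT'

# preauth_summary: read sshd lines on stdin and print "<count> <ip>" for every
# source address dropped before authentication, most frequent first. The
# pre-auth messages all carry "<ip> port <n>", so the token before "port" is the ip.
preauth_summary() {
  awk '
    /\[preauth\]$/ {
      for (i = 2; i <= NF; i++)
        if ($i == "port") { count[$(i - 1)]++; break }
    }
    END { for (ip in count) printf "%d %s\n", count[ip], ip }
  ' | sort -rn
}

# accepted_logins: print "<user> <ip>" for each successful public-key login,
# the only kind of login this configuration allows.
accepted_logins() {
  awk '/Accepted publickey for/ {
    for (i = 1; i <= NF; i++) {
      if ($i == "for")  user = $(i + 1)
      if ($i == "from") ip = $(i + 1)
    }
    print user, ip
  }'
}
```

On a real host, feed the functions from your auth log, e.g. `grep sshd /var/log/auth.log | preauth_summary`.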

What did we do? First we let SSH support only the most modern cipher, key exchange algorithm, and MAC (message authentication code). This is what kills legacy systems and bots.

```text
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com
```

Let it also log everything, including every file operation performed over SFTP, such as when you mount a remote file system over SSH.

```text
LogLevel VERBOSE
SyslogFacility AUTHPRIV
Subsystem sftp internal-sftp -f AUTHPRIV -l INFO
```

Force public key authentication only and deny root login.

```text
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey
ChallengeResponseAuthentication no
```

If you really need root login, you can set prohibit-password instead, which still allows root in only with a public key.

```text
PermitRootLogin prohibit-password
```

Or restrict it further with a Match block, so the relaxed setting applies only to connections from specific addresses.

```text
Match Address 192.168.1.*,10.0.3.1
  PermitRootLogin prohibit-password
```
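An added example (not the author's code) that audits an sshd_config file offline for the directives above, honouring two sshd_config rules that are easy to trip over: a directive inside a Match block does not change the global setting, and OpenSSH keeps the first value of a repeated keyword. The sample files are constructed; on a live host, `sshd -T` prints the effective configuration and is the authoritative check.

```shell
# global_directive FILE KEYWORD: KEYWORD's value from the global section of
# FILE (before any Match line); first occurrence wins, as in OpenSSH.
global_directive() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
    tolower($1) == "match"      { exit }          # Match blocks are conditional, not global
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# audit_sshd_config FILE: check the global section against this post's values
# (single-algorithm lists); print each failing keyword, return 1 if any fail.
audit_sshd_config() {
  f=$1; rc=0
  check() {  # check KEYWORD REGEX: the whole value must match REGEX
    v=$(global_directive "$f" "$1")
    printf '%s\n' "$v" | grep -Eqx "$2" || { printf 'FAIL %s: got "%s", want /%s/\n' "$1" "$v" "$2"; rc=1; }
  }
  check PasswordAuthentication 'no'
  check PermitRootLogin        'no|prohibit-password'
  check AuthenticationMethods  'publickey'
  check KexAlgorithms          'curve25519-sha256(@libssh\.org)?'
  check Ciphers                'chacha20-poly1305@openssh\.com'
  check MACs                   'hmac-sha2-512-etm@openssh\.com'
  return $rc
}

# Constructed samples, not the author's configs. Hardened relaxes root login
# only inside a Match block (global "no" stands); weak sets PermitRootLogin twice.
TMP=$(mktemp -d)
HARDENED="$TMP/sshd_config.hardened"; WEAK="$TMP/sshd_config.weak"
cat > "$HARDENED" <<'EOF'
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey
Match Address 192.168.1.*,10.0.3.1
  PermitRootLogin prohibit-password
EOF
cat > "$WEAK" <<'EOF'
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey
EOF
```

Run `audit_sshd_config /etc/ssh/sshd_config` to see which of the post's settings a host is missing.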
10 February 2019 — Written
14 January 2020 — Updated
Thedro Neely — Creator
extreme-ssh-hardening.md — Article
