Basic setup for OpenSSH hardening on a new box.

Intro

The OpenSSH daemon, sshd, reads its options from /etc/ssh/sshd_config; on OpenSSH 8.2 and later most distributions also ship an Include line that pulls in drop-in files from /etc/ssh/sshd_config.d/. For every keyword the first value sshd reads wins, so a drop-in included near the top of the main file overrides anything set further down. Before reloading, check your changes with sudo sshd -t, which validates the syntax and host keys, and sudo sshd -T, which also prints the effective configuration so you can confirm each value below actually took effect.

Disable root SSH login

PermitRootLogin no

If root must still log in for automation, prohibit-password allows key-based root logins while refusing passwords.

Limit the number of authentication attempts per connection

MaxAuthTries 3

sshd disconnects once this many attempts fail on one connection. Every key a client offers counts as an attempt, so a client with many keys loaded in ssh-agent can hit the limit before it reaches the right one; use IdentitiesOnly on such clients.

Disable empty password logins

PermitEmptyPasswords no

Disable authentication methods you are not using

ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

ChallengeResponseAuthentication is the old name for KbdInteractiveAuthentication (an alias since OpenSSH 8.7). Setting it to no also disables PAM-driven keyboard-interactive prompts, so leave it on if you rely on PAM for 2FA. Plain password logins are not covered by these three lines; once your key is in place, set PasswordAuthentication no as well.

Disable X11 forwarding

X11Forwarding no

Disable passing custom environment vars

PermitUserEnvironment no

Disable other tunneling and forwarding options

AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no

Note that disabling TCP forwarding only helps when users also lack shell access, since anyone with a shell can run their own forwarder; it does, however, stop a compromised account from using the box as a pivot without dropping tooling on it.

Restrict logins to specific users and source addresses

AllowUsers USER@HOST

Each entry is a user@host pattern; either side may be a glob and the host side may be an address or a CIDR range, for example AllowUsers alice@192.0.2.0/24 *@203.0.113.7 (documentation addresses, substitute your own). As soon as AllowUsers is present, every user not matched is denied, so list your own account and source before reloading.

Once the options are set, run sudo sshd -t to check the syntax and sudo sshd -T to confirm the effective values. If everything looks good, reload the daemon so it re-reads the file: sudo systemctl reload ssh on Debian and Ubuntu (the unit is named sshd on RHEL, Fedora and similar; systemctl restart also works). Keep your current session open and test a fresh login from a second terminal before closing it, so a mistake in the config cannot lock you out.
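The script below is an added example, not code from the original post. It renders the settings above as a drop-in file, and audits an `sshd -T` dump against them so you can see at a glance which values did not take effect. The user pattern alice@192.0.2.0/24, the file name 10-hardening.conf and the sample dump are constructed placeholders; the drop-in assumes OpenSSH 8.2 or later with the usual Include line.

```shell
#!/bin/sh
# sshd_audit.sh: render the hardening settings as a drop-in and audit an
# `sshd -T` dump against them. Added example, not from the original post.
# Assumes OpenSSH 8.2+ for the drop-in (Include /etc/ssh/sshd_config.d/*.conf);
# the user@host pattern and the sample dump below are constructed placeholders.
#   sh sshd_audit.sh --render alice@192.0.2.0/24 > /etc/ssh/sshd_config.d/10-hardening.conf
#   sh sshd_audit.sh --demo          # audit a constructed sample dump, no sshd needed
#   sudo sh sshd_audit.sh --live     # sshd -t, then audit the real effective config
set -u

# Expected effective values, written the way `sshd -T` prints them (lowercase).
expected_settings() {
    cat <<'EOF'
permitrootlogin no
maxauthtries 3
permitemptypasswords no
kbdinteractiveauthentication no
kerberosauthentication no
gssapiauthentication no
x11forwarding no
permituserenvironment no
allowagentforwarding no
allowtcpforwarding no
permittunnel no
EOF
}

# Drop-in file text. Both the legacy and the current keyboard-interactive
# keywords are set because releases before 8.7 treat them as separate options.
render_dropin() {
    allow="${1:-alice@192.0.2.0/24}"   # placeholder pattern; pass your own
    cat <<EOF
# sshd hardening drop-in (generated)
PermitRootLogin no
MaxAuthTries 3
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
AllowUsers $allow
EOF
}

# Read an `sshd -T` dump on stdin and compare it with expected_settings.
# Prints one line per deviation; returns 0 only when every value matches
# and at least one AllowUsers restriction is in effect.
audit_dump() {
    # Old releases print the legacy keyword; fold it onto the current one.
    dump=$(sed 's/^challengeresponseauthentication /kbdinteractiveauthentication /')
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got $got, want $want"; rc=1
        fi
    done <<EOF
$(expected_settings)
EOF
    if ! printf '%s\n' "$dump" | grep -q '^allowusers '; then
        echo "MISSING  allowusers (no user/host restriction in effect)"; rc=1
    fi
    return $rc
}

# Constructed sample of `sshd -T` output (not captured from a real host):
# root login was never disabled and TCP forwarding is still on.
sample_dump() {
    cat <<'EOF'
port 22
permitrootlogin yes
maxauthtries 3
permitemptypasswords no
kbdinteractiveauthentication no
kerberosauthentication no
gssapiauthentication no
x11forwarding no
permituserenvironment no
allowagentforwarding no
allowtcpforwarding yes
permittunnel no
allowusers alice@192.0.2.0/24
EOF
}

case "${1:-}" in
    --render) render_dropin "${2:-}" ;;
    --demo)   sample_dump | audit_dump ;;
    --live)   sshd -t && sshd -T | audit_dump ;;   # needs root to read host keys
    '')       ;;   # no action when sourced or run without arguments
    *)        echo "usage: $0 --render [user@host] | --demo | --live" >&2; exit 2 ;;
esac
```

The audit compares against the lowercase keywords that `sshd -T` emits rather than the mixed-case lines in the config file, so it catches the case where a setting was written but is being shadowed by an earlier value elsewhere in the configuration. The `--demo` mode exits non-zero and reports two MISMATCH lines for the constructed sample; `--live` does the same against the running host and is a reasonable check to keep in a post-provisioning script.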

Thanks for reading! In a future article we’ll dive into more OpenSSH hardening options.