HxHippy

SSH Security Hardening

Secure SSH configuration with key authentication, fail2ban, and best practices.

Last updated: 2025-01-15

Securing SSH access to prevent unauthorized access to your servers.

Generate SSH Keys

# Generate Ed25519 key (recommended)
ssh-keygen -t ed25519 -C "[email protected]"

# Generate RSA key (4096 bit minimum)
ssh-keygen -t rsa -b 4096 -C "[email protected]"

# Copy to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

SSHD Configuration

/etc/ssh/sshd_config

# Protocol and Port
Port 22
# Only SSH-2 exists in current OpenSSH; the directive is kept for older servers
Protocol 2

# Authentication
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey

# Disable empty passwords
PermitEmptyPasswords no

# Disable X11 and agent forwarding
X11Forwarding no
AllowAgentForwarding no

# Limit users
AllowUsers admin deploy
# Or use groups
# AllowGroups sshusers

# Session limits
MaxAuthTries 3
MaxSessions 3
LoginGraceTime 30

# Client alive settings
ClientAliveInterval 300
ClientAliveCountMax 2

# Secure ciphers and algorithms
Ciphers [email protected],[email protected],[email protected]
MACs [email protected],[email protected]
KexAlgorithms curve25519-sha256,[email protected]

# Logging
LogLevel VERBOSE
SyslogFacility AUTH

# Misc: keep PAM (required for the 2FA setup below), skip reverse DNS lookups, no MOTD
UsePAM yes
UseDNS no
PrintMotd no

Apply Configuration

# Test configuration
sudo sshd -t

# Restart SSH
sudo systemctl restart sshd

Fail2ban Configuration

Install

sudo apt install fail2ban

/etc/fail2ban/jail.local

[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = iptables-multiport

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h

Start Fail2ban

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check status
sudo fail2ban-client status sshd

# Unban IP
sudo fail2ban-client set sshd unbanip 192.168.1.100

SSH Config for Clients

~/.ssh/config

Host *
    AddKeysToAgent yes
    IdentitiesOnly yes
    HashKnownHosts yes

Host production
    HostName server.example.com
    User admin
    Port 22
    IdentityFile ~/.ssh/id_ed25519

Host bastion
    HostName bastion.example.com
    User jump
    IdentityFile ~/.ssh/id_ed25519

Host internal
    HostName 10.0.0.10
    User admin
    ProxyJump bastion

Two-Factor Authentication

Install Google Authenticator

sudo apt install libpam-google-authenticator

Configure PAM

# /etc/pam.d/sshd
auth required pam_google_authenticator.so
# On Debian/Ubuntu also comment out "@include common-auth" in this file,
# otherwise PAM still prompts for the Unix password after the TOTP code

Update SSHD Config

# Named KbdInteractiveAuthentication in OpenSSH 8.7+; the old name is still accepted
ChallengeResponseAuthentication yes
# Replaces the earlier "AuthenticationMethods publickey" line: key AND TOTP are now required
AuthenticationMethods publickey,keyboard-interactive

Setup User

google-authenticator

Port Knocking

knockd Configuration

# /etc/knockd.conf
# Assumes port 22 is dropped by default (see Firewall Rules); the knock opens it for one source IP
[options]
    UseSyslog

[openSSH]
    sequence = 7000,8000,9000
    seq_timeout = 5
    command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn

[closeSSH]
    sequence = 9000,8000,7000
    seq_timeout = 5
    command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags = syn

Client Usage

knock server.example.com 7000 8000 9000 && ssh [email protected]

Audit SSH Access

# Check login attempts
grep "sshd" /var/log/auth.log | tail -50

# List active sessions
who

# Check SSH key fingerprints
ssh-keygen -lf ~/.ssh/authorized_keys
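The fail2ban sshd jail above bans a source after maxretry failures within findtime, and the grep above only lists raw sshd lines. As an added example (not from the original page), this Python script applies the same sliding-window rule to constructed auth.log lines; the function names, the sample log and the TEST-NET addresses are all assumptions, and only "Failed password/publickey" lines are matched, a subset of what the real fail2ban sshd filter covers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenSSH failed-login lines such as
# "Jan 15 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_failed_logins(lines, year=2025):
    """Yield (timestamp, ip, user) for every failed-login line (syslog has no year, so one is assumed)."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["user"]

def offending_ips(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for IPs reaching maxretry failures inside a findtime window,
    mirroring the [sshd] jail settings (maxretry = 3, findtime = 10m)."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    banned = {}
    for ts, ip, _user in parse_failed_logins(lines):
        if ip in banned:
            continue               # already banned; fail2ban would not see further attempts
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.pop(0)          # expire failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample log: one fast brute-force source and one slow, under-threshold source
SAMPLE_LOG = """\
Jan 15 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 15 10:00:05 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 15 10:00:09 web1 sshd[1203]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2: ED25519 SHA256:constructed
Jan 15 10:00:12 web1 sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jan 15 10:30:00 web1 sshd[1210]: Failed password for deploy from 198.51.100.5 port 60001 ssh2
Jan 15 10:45:00 web1 sshd[1211]: Failed password for deploy from 198.51.100.5 port 60002 ssh2
Jan 15 10:59:00 web1 sshd[1212]: Failed password for deploy from 198.51.100.5 port 60003 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in offending_ips(SAMPLE_LOG).items():
        print(f"would ban {ip} at {when:%H:%M:%S}")   # prints: would ban 203.0.113.7 at 10:00:12
```

Run it against a real file with `offending_ips(open("/var/log/auth.log"))` to compare with `fail2ban-client status sshd`; the slow source at three failures spread over 29 minutes stays unbanned because it never reaches maxretry inside one findtime window.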

Firewall Rules

# Allow SSH from specific network
sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

Best Practices

  1. Use key authentication - Disable passwords
  2. Disable root login - Use sudo
  3. Change default port - Reduces noise
  4. Rate limiting - With fail2ban
  5. Regular audits - Check logs and access