SSH Security Hardening
Securing SSH access to prevent unauthorized access to your servers.
Generate SSH Keys
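# Generate Ed25519 key (recommended)
# -C stores a free-form comment in the public key; a name@host or e-mail
# label is customary. The value in the source copy was mangled, so an
# obvious placeholder is used here. Set a passphrase when prompted so the
# private key is protected at rest.
ssh-keygen -t ed25519 -C "<key-comment, e.g. name@host>"
# Generate RSA key (4096 bit minimum) — only where a peer cannot use Ed25519
ssh-keygen -t rsa -b 4096 -C "<key-comment, e.g. name@host>"
# Copy to server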
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server
SSHD Configuration
/etc/ssh/sshd_config
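# Protocol and Port
Port 22
# Current OpenSSH only speaks protocol 2, so this directive is effectively
# a no-op there; it is kept for older builds that still honour it.
Protocol 2
# Authentication
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# sshd keeps the FIRST value it sees for a keyword. If the 2FA section
# below is applied, change this line to "publickey,keyboard-interactive"
# rather than appending a second AuthenticationMethods line.
AuthenticationMethods publickey
# Disable empty passwords
PermitEmptyPasswords no
# Disable X11 and agent forwarding
X11Forwarding no
AllowAgentForwarding no
# Limit users
# Lock-out hazard: the account you administer from must be listed here.
# Keep the current session open and verify a fresh login after restart.
AllowUsers admin deploy
# Or use groups
# AllowGroups sshusers
# Session limits
MaxAuthTries 3
MaxSessions 3
LoginGraceTime 30
# Client alive settings
ClientAliveInterval 300
ClientAliveCountMax 2
# Secure ciphers and algorithms
# NOTE(review): the "@openssh.com" / "@libssh.org" algorithm names were
# mangled in the source copy. The lists below use OpenSSH's AEAD ciphers,
# encrypt-then-MAC MACs and the curve25519 KEX names; confirm what your
# build supports with `ssh -Q cipher`, `ssh -Q mac`, `ssh -Q kex` and
# check the effective config with `sshd -T`.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
# Logging
# VERBOSE records the fingerprint of the key that authenticated, so the
# `ssh-keygen -lf` output from the audit section can be matched to logins.
LogLevel VERBOSE
SyslogFacility AUTH
# Disable unused features
# UsePAM stays on: the PAM-based 2FA section depends on it, and PAM
# account/session modules are still applied with key-only auth.
UsePAM yes
# UseDNS no avoids a reverse-lookup delay at login; nothing here matches
# clients by hostname, so the lookup buys nothing.
UseDNS no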
PrintMotd no
Apply Configuration
# Test configuration
# -t only parses the file; it cannot tell you whether AllowUsers or
# AuthenticationMethods will lock you out. Keep the current session open,
# restart, and verify a fresh login before logging off.
sudo sshd -t
# Restart SSH
sudo systemctl restart sshd
Fail2ban Configuration
Install
sudo apt install fail2ban
/etc/fail2ban/jail.local
[DEFAULT]
# Defaults inherited by every jail; the [sshd] section below overrides
# maxretry and bantime for SSH specifically.
bantime = 1h
findtime = 10m
maxretry = 5
# Drives iptables. On a host that has moved to nftables use an nft-based
# action (e.g. nftables-multiport) instead, or bans silently do nothing.
banaction = iptables-multiport
[sshd]
enabled = true
# "ssh" resolves to 22 via /etc/services. If Port in sshd_config is
# changed, put the number here too or the ban will not cover it.
port = ssh
filter = sshd
# Debian-family syslog path. Hosts that log only to the journal have no
# such file — use `backend = systemd` there (TODO confirm for the target).
logpath = /var/log/auth.log
maxretry = 3
bantime = 24h
Start Fail2ban
# Enable at boot and start immediately in one step
sudo systemctl enable --now fail2ban
# Check status
sudo fail2ban-client status sshd
# Unban IP
sudo fail2ban-client set sshd unbanip 192.168.1.100
SSH Config for Clients
~/.ssh/config
Host *
# Defaults for every host; the per-host sections below override them.
# Load a key into ssh-agent on first use so the passphrase is typed once
# per agent session.
AddKeysToAgent yes
# Offer only the IdentityFile configured for the host, not every key the
# agent holds: does not reveal which other keys you own, and with
# MaxAuthTries 3 on the server does not burn attempts on wrong keys.
IdentitiesOnly yes
# Store hostnames hashed in known_hosts so the file does not enumerate
# the hosts this client connects to.
HashKnownHosts yes
Host production
HostName server.example.com
User admin
Port 22
IdentityFile ~/.ssh/id_ed25519
Host bastion
HostName bastion.example.com
User jump
IdentityFile ~/.ssh/id_ed25519
# Reached through the bastion defined above via ProxyJump (presumably
# 10.0.0.10 is only routable from the bastion's network — verify).
Host internal
HostName 10.0.0.10
User admin
ProxyJump bastion
Two-Factor Authentication
Install Google Authenticator
sudo apt install libpam-google-authenticator
Configure PAM
# /etc/pam.d/sshd
auth required pam_google_authenticator.so
Update SSHD Config
# Enables the PAM keyboard-interactive exchange that carries the TOTP
# prompt. On OpenSSH 8.7+ the keyword is KbdInteractiveAuthentication;
# ChallengeResponseAuthentication is kept as a deprecated alias.
# NOTE(review): with the PAM line above added as-is, distro stacks that
# include common-auth (Debian/Ubuntu) will also prompt for the Unix
# password — check /etc/pam.d/sshd on the target before relying on this.
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Setup User
google-authenticator
Port Knocking
knockd Configuration
# /etc/knockd.conf
# Port knocking only hides the port from casual scans; the sequence
# travels in cleartext, so it complements key auth and fail2ban rather
# than replacing them.
[options]
UseSyslog
[openSSH]
# Hit these three ports in order within seq_timeout seconds; knockd
# substitutes the knocker's source address for %IP% in command.
sequence = 7000,8000,9000
seq_timeout = 5
# -I inserts at the top of INPUT, so this ACCEPT precedes any DROP on
# port 22 that was appended with -A (see the firewall section).
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
# Reverse sequence deletes the rule added by openSSH. Without an
# ESTABLISHED conntrack rule ahead of a port-22 DROP, the still-open
# session's packets would then hit that DROP — TODO confirm the full ruleset.
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
Client Usage
knock server.example.com 7000 8000 9000 && ssh <user>@server.example.com
Audit SSH Access
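# Check login attempts
# -n 50 is the POSIX spelling (tail -50 is a legacy form). On hosts that
# log only to the journal use `journalctl -u ssh` (or `-u sshd`, depending
# on the unit name) instead of grepping auth.log.
grep "sshd" /var/log/auth.log | tail -n 50
# List active sessions
who
# Check SSH key fingerprints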
ssh-keygen -lf ~/.ssh/authorized_keys
Firewall Rules
# Allow SSH from specific network
# iptables evaluates top-down and -A appends, so this ACCEPT must be added
# before the port-22 DROP that follows. Make sure the address you are
# administering from is inside 192.168.1.0/24 before adding the DROP, and
# persist the rules (e.g. iptables-save) — they are lost on reboot otherwise.
sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
Best Practices
- Use key authentication - Disable passwords
- Disable root login - Use sudo
- Change default port - Reduces noise
- Rate limiting - With fail2ban
- Regular audits - Check logs and access
- ssh
- security
- hardening
- key authentication
- fail2ban
- secure shell