HxHippy

SSH Security Hardening

Secure SSH configuration and best practices for remote access.

Last updated: 2025-01-15

SSH Security Best Practices

SSH is the primary remote access method for Linux servers, which also makes sshd the most exposed and most brute-forced service on most hosts. Proper configuration is essential.

Secure SSH Configuration

/etc/ssh/sshd_config

# Protocol and Port
Port 2222                          # Non-standard port: cuts scanner noise in the logs, but is not a security control
# Protocol 2                       # Obsolete: SSH-1 support was removed in OpenSSH 7.6 and the keyword is now ignored

# Authentication
PermitRootLogin no                 # Never allow direct root login; use sudo from a named account
MaxAuthTries 3                     # Limit auth attempts per connection (every key the client offers counts as one)
PubkeyAuthentication yes           # Enable key auth
PasswordAuthentication no          # Disable password auth
PermitEmptyPasswords no            # No empty passwords
ChallengeResponseAuthentication no # Disable PAM keyboard-interactive prompts unless you use them for 2FA
                                   # (OpenSSH 8.7+ spells this KbdInteractiveAuthentication; the old name still works)

# User/Group Restrictions
AllowGroups sshusers               # Only members of this group can SSH
#AllowUsers admin deploy           # Alternative: list users instead. Do not set both: a user then has to pass both lists
DenyUsers nobody                   # Explicit denies; sshd evaluates DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order

# Session Security
ClientAliveInterval 300            # Probe the client every 5 minutes...
ClientAliveCountMax 2              # ...and drop the connection after 2 unanswered probes (10 min). This clears dead
                                   # connections; it is not an idle-logout timer, a live client answers even when idle
LoginGraceTime 60                  # 60 seconds to authenticate before the connection is dropped
MaxSessions 3                      # Max multiplexed sessions per network connection (not total logins per user)

# Cryptography
# The @openssh.com suffixes in this list were mangled on the published page; the names below are the standard
# modern set they correspond to. Current OpenSSH defaults already exclude weak algorithms, so pin these only if
# you need a fixed policy, and expect very old clients to fail to negotiate.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@openssh.com,diffie-hellman-group16-sha512

# Logging
LogLevel VERBOSE                   # Logs the fingerprint of every key used, which you need to attribute logins to people
SyslogFacility AUTH

# Other Security
X11Forwarding no                   # Disable unless needed
AllowTcpForwarding no              # Disable unless needed (blocks -L/-R/-D tunnels through this host)
PermitTunnel no                    # Disable tun/tap tunneling
GatewayPorts no                    # Remote forwards, if ever allowed, bind to loopback only
AllowAgentForwarding no            # A compromised server could otherwise use your agent's keys

Apply Configuration

# Test configuration syntax (catches typos that would stop sshd from starting)
sudo sshd -t

# Show the effective configuration, including compiled-in defaults and Include'd files
sudo sshd -T | grep -iE '^(port|permitrootlogin|passwordauthentication|allowgroups) '

# Reload SSH (the unit is "ssh" on Debian/Ubuntu, "sshd" on RHEL/Fedora; Debian provides "sshd" as an alias)
sudo systemctl reload sshd

# Keep your current session open and confirm a fresh login works from a second
# terminal before closing it. If you changed Port, open the new port in the
# firewall before reloading, or the reload locks you out.
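As an added example (not code from the original article), the script below audits an sshd_config against the settings recommended above and reports what is missing or weak. It encodes two sshd parsing rules that cause real lockouts and false confidence: the first occurrence of a keyword wins, so appending `PermitRootLogin no` to a file that already sets it changes nothing, and everything after the first `Match` line is conditional. The function names, the `EXPECTED_SETTINGS` list and the two demo configs are ours; the parser does not follow `Include` directives, so for the values sshd actually uses save `sudo sshd -T` output to a file and audit that.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): audit an sshd_config against the
# settings recommended above. Keyword names, "first occurrence wins", comment
# stripping and the Match-block rule follow sshd_config(5); names here are ours.
#
#   audit_sshd_config /etc/ssh/sshd_config                  # what the file says
#   sudo sshd -T > /tmp/effective.conf                      # what sshd actually uses
#   audit_sshd_config /tmp/effective.conf                   # (includes defaults and Include'd files)

# Keyword/value pairs to enforce, keywords in lower case (sshd matches them case-insensitively).
EXPECTED_SETTINGS='
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
maxauthtries 3
x11forwarding no
allowtcpforwarding no
allowagentforwarding no
loglevel VERBOSE
'

# effective_value FILE KEYWORD -> prints the value sshd would take for KEYWORD, or nothing.
# sshd uses the FIRST occurrence of a keyword and silently ignores later ones. Anything
# after the first Match line is conditional and is skipped. "Keyword=value" syntax and
# Include directives are not handled; use "sshd -T" output for those.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { line = $0; sub(/#.*/, "", line); sub(/[ \t]+$/, "", line) }   # drop comments, trailing blanks
        line ~ /^[ \t]*$/      { next }                                   # blank after stripping
        tolower($1) == "match" { in_match = 1 }
        in_match               { next }
        tolower($1) == key     { sub(/^[ \t]*[^ \t]+[ \t]+/, "", line); print line; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one line per deviation; exit 0 when clean, 1 otherwise.
audit_sshd_config() {
    local file="$1" findings=0 key want got
    while read -r key want; do
        [ -z "$key" ] && continue
        got=$(effective_value "$file" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key  (want: $want; sshd falls back to its compiled-in default)"
            findings=$((findings + 1))
        elif [ "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" != "$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')" ]; then
            echo "WEAK     $key = $got  (want: $want)"
            findings=$((findings + 1))
        fi
    done <<EOF
$EXPECTED_SETTINGS
EOF
    [ "$findings" -eq 0 ]
}

# Demo on two constructed configs (not taken from any real server).
scratch=$(mktemp -d)
cat > "$scratch/weak.conf" <<'EOF'
# Constructed: a stock-looking config someone "hardened" by appending to the end
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
PermitRootLogin no          # ignored: the first PermitRootLogin above wins
EOF
cat > "$scratch/hardened.conf" <<'EOF'
# Constructed: the recommended settings from this page, plus a Match block
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
LogLevel VERBOSE
Match User deploy
    AllowTcpForwarding yes  # conditional; the global audit does not see this
EOF

echo "== weak.conf";     audit_sshd_config "$scratch/weak.conf" || echo "-> deviations found; fix them before reloading sshd"
echo "== hardened.conf"; audit_sshd_config "$scratch/hardened.conf" && echo "-> all expected settings present"
rm -rf "$scratch"
```

On the weak config the audit reports nine deviations, including `permitrootlogin = yes` even though the file ends with `PermitRootLogin no`; on the hardened config it is silent. Edit `EXPECTED_SETTINGS` to match your own policy.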

Key-Based Authentication

Generate Strong Keys

# ED25519 (Recommended - smaller, faster, secure)
ssh-keygen -t ed25519 -a 100 -C "user@example.com"

# RSA 4096 (only for legacy systems that cannot do ED25519)
ssh-keygen -t rsa -b 4096 -o -a 100 -C "user@example.com"

# Key options explained:
# -a 100    = 100 rounds of the bcrypt KDF that protects the passphrase. Only matters if you
#             set a passphrase; it slows offline cracking of a stolen private key file
# -o        = Write the new OpenSSH private-key format. This has been the default since
#             OpenSSH 7.8, so the flag is harmless on current versions and only needed on old ones
# -C        = Comment for identification (stored in the public key, visible in authorized_keys)

Deploy Public Key

# Copy to server (creates ~/.ssh with the right permissions if needed)
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

# Manual method
cat ~/.ssh/id_ed25519.pub | ssh user@server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

# Verify permissions on the server. With StrictModes (the default) sshd ignores
# authorized_keys if ~/.ssh, the file, or your home directory is group- or
# world-writable; the only hint is "Authentication refused: bad ownership or modes"
# in the server's auth log.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
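The following is an added example, not code from the original article or from OpenSSH. It installs a public key the way ssh-copy-id does but idempotently (re-running it, or installing the same key with a different comment, never produces a duplicate line), optionally pins the key with authorized_keys options, and checks the permission bits that StrictModes rejects. The home directory is a parameter so the functions can be exercised against a scratch directory; on a server pass `"$HOME"`. The `restrict` and `from=` options are documented in sshd(8); the demo key is constructed and is not a real key.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): install a public key idempotently
# with optional authorized_keys options, then verify the layout sshd's StrictModes
# (on by default) insists on. Function names are ours.

# file_mode PATH -> octal permission bits, e.g. 700 (GNU stat, then BSD/macOS stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms HOME_DIR -> 0 if sshd would accept this layout, 1 otherwise.
# StrictModes refuses the key if the home directory, ~/.ssh or authorized_keys is
# writable by group or others; the login then fails with only
# "Authentication refused: bad ownership or modes" in the auth log.
check_ssh_perms() {
    local home="$1" ok=0 path mode
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || continue
        mode=$(file_mode "$path")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then        # test the g+w / o+w bits
            echo "BAD  $path is mode $mode (group/world writable)"
            ok=1
        fi
    done
    return "$ok"
}

# install_authorized_key HOME_DIR "PUBKEY LINE" [OPTIONS]
# OPTIONS is an authorized_keys option string, e.g. 'restrict,from="10.0.0.0/8"':
# "restrict" turns off port/agent/X11 forwarding and pty allocation for this key,
# "from=" accepts it only from the listed networks. The key is matched on its
# base64 blob (field 2), so a changed comment does not cause a duplicate.
install_authorized_key() {
    local home="$1" pubkey="$2" opts="${3:-}"
    local keyfile="$home/.ssh/authorized_keys" blob line="$2"
    [ -n "$opts" ] && line="$opts $pubkey"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$keyfile" && chmod 600 "$keyfile"
    blob=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')
    if grep -qF -- "$blob" "$keyfile"; then
        echo "already present: $blob"
        return 0
    fi
    printf '%s\n' "$line" >> "$keyfile"
    echo "installed: $line"
}

# Demo against a scratch directory. The key below is constructed and is NOT a real key.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAM deploy@laptop'
scratch=$(mktemp -d)
install_authorized_key "$scratch" "$DEMO_KEY" 'restrict,from="10.0.0.0/8"'
install_authorized_key "$scratch" "$DEMO_KEY"                # second run: no duplicate line
chmod 775 "$scratch/.ssh"                                    # the classic mistake (e.g. a chmod -R on $HOME)
check_ssh_perms "$scratch" || echo "-> sshd would ignore the key until the mode is fixed"
chmod 700 "$scratch/.ssh"
check_ssh_perms "$scratch" && echo "-> layout OK: $(cat "$scratch/.ssh/authorized_keys")"
rm -rf "$scratch"
```

Pinning a deployment key with `restrict,from=...` means that even if the private key leaks, it is useless from outside the listed network and cannot be used to open tunnels through the host.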

SSH Firewall Rules

# UFW: allow only the management network. Do this BEFORE changing Port in
# sshd_config, or the reload locks you out. ufw matches rules in order, so the
# allow must come first; the explicit deny is redundant with the default
# "deny incoming" policy but documents intent.
sudo ufw allow from 10.0.0.0/8 to any port 2222 proto tcp
sudo ufw deny 2222/tcp  # Deny all others

# iptables with rate limiting: the 4th new connection from one source within 60 s
# is dropped, and the window keeps sliding while the source keeps trying.
# Established sessions are unaffected. Insert these before any general ACCEPT;
# "-m state" still works but is a legacy alias for "-m conntrack --ctstate".
iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT

fail2ban for SSH

# /etc/fail2ban/jail.local
[sshd]
enabled = true
# must match Port in sshd_config
port = 2222
filter = sshd
# Debian/Ubuntu path. On journald-only systems (RHEL/Fedora, newer Ubuntu without
# rsyslog) remove logpath and set "backend = systemd" instead.
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
# Never ban yourself or the management network the firewall rules above allow
ignoreip = 127.0.0.1/8 10.0.0.0/8

# Restart fail2ban
sudo systemctl restart fail2ban

# Check status (current and total bans, plus the banned IP list)
sudo fail2ban-client status sshd

# With password auth disabled the default sshd filter sees fewer failures, since
# attackers never reach "Failed password"; filter.d/sshd.conf documents an
# "aggressive" mode that also matches the pre-auth disconnects they do produce.

SSH Security Checklist

Setting          Recommended      Why
Root login       Disabled         Never allow direct root access; use sudo from a named account
Password auth    Disabled         Keys only
Port             Non-standard     Cuts automated scanner noise in the logs (not a security control)
Key type         ED25519          Modern, secure, fast
fail2ban         Enabled          Automatic blocking of repeat offenders
MaxAuthTries     3                Limits brute-force (and key-spraying) attempts per connection

Monitoring SSH

# Watch auth log in real-time (Debian/Ubuntu path; on journald-only systems use: sudo journalctl -fu ssh)
sudo tail -f /var/log/auth.log | grep sshd

# Count failed attempts. "Failed password" only appears while password auth is
# enabled; with keys only, rejected attempts log as "Connection closed by
# authenticating user ..." or "Invalid user ...", so count those as well.
sudo grep -cE "Failed password|Invalid user|Connection closed by (authenticating|invalid) user" /var/log/auth.log

# List currently logged-in users
who
w

# Established connections on the sshd port (use the Port you configured; here 2222)
sudo ss -tnp state established '( sport = :2222 )'
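As an added example (not from the original article), the script below turns the counting step above into a per-source summary and shows why a bare `grep "Failed password"` undercounts once password authentication is off. The log lines are constructed for the demo (documentation IP ranges, a made-up host and PIDs); the message formats are the ones OpenSSH emits. Function names are ours.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): summarize sshd failures per source
# address from an auth.log. Sample log is constructed; message formats are OpenSSH's.

# Once PasswordAuthentication is off, attackers never reach "Failed password":
# a host with no valid key is logged as "Connection closed by authenticating user ..."
# or "Invalid user ..." instead, so a grep for "Failed password" alone reports too little.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Jan 15 10:00:01 web1 sshd[2101]: Accepted publickey for deploy from 10.0.0.12 port 53322 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 15 10:00:09 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 51000 ssh2
Jan 15 10:00:11 web1 sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jan 15 10:00:12 web1 sshd[2107]: Disconnected from authenticating user root 203.0.113.5 port 51002 [preauth]
Jan 15 10:00:15 web1 sshd[2110]: error: maximum authentication attempts exceeded for root from 203.0.113.5 port 51003 ssh2 [preauth]
Jan 15 10:00:20 web1 sshd[2113]: Invalid user oracle from 198.51.100.7 port 40000
Jan 15 10:00:21 web1 sshd[2114]: Connection closed by authenticating user root 198.51.100.7 port 40001 [preauth]
Jan 15 10:00:30 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl reload sshd
EOF
)

# ssh_failures_by_ip LOGFILE -> "ip count" lines, busiest source first.
# Each matching log event counts once, so one brute-force connection can contribute
# both a "Failed password" and a "Disconnected" line; the ranking is what matters.
ssh_failures_by_ip() {
    awk '
        /sshd\[[0-9]+\]:/ && (/Failed password/ || /Invalid user/ ||
                              /maximum authentication attempts exceeded/ ||
                              /(Connection closed by|Disconnected from) (authenticating|invalid) user/) {
            # in every one of these messages the source address is the word before "port"
            for (i = 2; i <= NF; i++) if ($i == "port") { count[$(i - 1)]++; break }
        }
        END { for (ip in count) print ip, count[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# ssh_accepted_logins LOGFILE -> "user method ip" for every successful login.
ssh_accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        # "Accepted <method> for <user> from <ip> port <n> ssh2: <keytype> <fingerprint>"
        for (i = 1; i <= NF; i++) if ($i == "Accepted") { print $(i + 3), $(i + 1), $(i + 5); break }
    }' "$1"
}

# Demo on the constructed log
log=$(mktemp)
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$log"
echo "== failures by source";  ssh_failures_by_ip "$log"
echo "== successful logins";   ssh_accepted_logins "$log"
echo "== 'Failed password' alone: $(grep -c 'Failed password' "$log") of $(ssh_failures_by_ip "$log" | awk '{ s += $2 } END { print s }') failure events"
rm -f "$log"
```

On a real host run `ssh_failures_by_ip /var/log/auth.log` (or `journalctl -u ssh --no-pager -o short > /tmp/ssh.log` first on journald-only systems); the top entries are the addresses worth feeding to the firewall rules above, and the accepted-logins list is what you check when a key fingerprint you do not recognize shows up at LogLevel VERBOSE.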