· Tutorials  · 6 min read

OpenSSH Security Best Practices in 2024

Security hardening for remote servers

Security hardening for remote servers

Securing SSH is a critical step in protecting your Linux servers from unauthorized access and potential cyberattacks. SSH is a widely used protocol that allows secure remote management of servers, but if not properly configured, it can become a vulnerable entry point for attackers.

In this guide, we’ll explore a series of best practices that will help you fortify your SSH setup, reducing the risk of breaches and ensuring your server’s integrity.

1. Forbid Root login

It’s strongly recommended to disable root login to reduce the attack surface. Instead, use a regular user account with sudo privileges for administrative tasks. To disable root login, add the following line to your SSH configuration:

Terminal window
PermitRootLogin No

2. Disable SSH protocol 1

SSH Protocol 1 protocol allows to conduct man-in-the-middle attacks and replay client challenge response to a target server. It’s disabled by default on newer versions of SSH and Linux. Nevertheless, if you have an older version, make sure to enable Protocol 2. To do this, edit the configuration file by running nano /etc/ssh/sshd_config, find the Protocol parameter, and set it to 2.

3. Use Key-Based authentication and forbid password Authentication

Public key-based authentication is a strong method for users to authenticate to your Linux servers using SSH. You’ll need to generate key pairs (public and private key pairs) and secure the home directory where these key pairs are stored.

It’s recommended to both audit and lock down the folder where the keys are stored. By default, this folder is located at ~/.ssh/. You can secure it by changing ownership to root and group using the following commands:

Terminal window
chown <user>:<user> ~/.ssh/id_rsa
chown <user>:<user> ~/.ssh/id_rsa.pub

To enforce key-based authentication and disable password authentication, add the following lines to your SSH configuration:

Terminal window
AuthenticationMethods publickey
PubkeyAuthentication yes

Before disabling password authentication, ensure that key-based authentication is correctly configured and tested to prevent being locked out.

4. Implement Two-Factor Authentication (2FA)

For high valuable assets or for very good protection level you can add 2FA. Even if SSH key will be stolen, attacker won’t able to access your server. Additional monitoring for failed 2FA events, could help to identify potential attack. To enable 2FA:

Terminal window
sudo apt install libpam-google-authenticator

To complete the 2FA setup, configure PAM by adding the following line to /etc/pam.d/sshd: auth required pam_google_authenticator.so. This ensures that 2FA is enforced for SSH logins.

The original repo can be found here.

5. Enforce an Idle Timeout

To increase protection of attack surface it’s important to not leave SSH sessions logged in, idle or unattended for long period of time. In order to apply mitigation, change the ClientAliveInterval parameter in /etc/ssh/sshd_config. This value determines the length of time before a session times out. A value of 300 seconds (5 minutes) or less is preferred.

To enforce a session timeout, also set ClientAliveCountMax to 2. This ensures that idle sessions are terminated after the specified interval (interval = ClientAliveInterval * ClientAliveCountMax). In this case, the user will be asked each 5 min 2 times if he is alive. As a result, user will be logged out after 10 minutes.

6. Disable X11 Forwarding

X11 forwarding allows remote users to access graphical applications on a Linux server, but it can also be exploited by attackers. Disable this by setting the X11Forwarding parameter to no in the SSH configuration file (/etc/ssh/sshd_config).

7. Disable Users’ Ability to Set Environment Variables

Allowing users to set or modify environment variables within their SSH sessions can lead to security vulnerabilities. Prevent this by setting the PermitUserEnvironment parameter to no in /etc/ssh/sshd_config.

8. Disable Port Forwarding

Local port forwarding via SSH can be used for legitimate purposes but also poses security risks. Disable this by setting the AllowTcpForwarding parameter to no in /etc/ssh/sshd_config.

Disabling port forwarding may prevent legitimate SSH tunneling use cases. Assess your specific needs before disabling this feature.

9. Restrict SSH Access to Users/Groups That Need It

Following the principle of least privilege, limit SSH access to only those users and groups that require it. Use the AllowUsers and AllowGroups parameters in /etc/ssh/sshd_config to specify who is allowed to access the server via SSH. You can also use DenyUsers and DenyGroups to explicitly block access for certain users or groups.

10. Limit the Maximum Number of Concurrent Sessions

To decrease potential risk of denial-of-service (DoS) attacks, the number of concurrent SSH sessions has to be reduced. The best practice is a limitation to a maximum of 4 sessions. Adjust the maxsessions parameter in /etc/ssh/sshd_config accordingly.

11. Limit the Maximum Number of Authentication Attempts

Setting a limit on the number of authentication attempts can reduce the risk of successful brute-force attacks. To enforce this, find the MaxAuthTries parameter in /etc/ssh/sshd_config and set it to four or fewer attempts.

12. Change Log Level of SSH in Linux

Adjusting the SSH log level can help you better monitor activity and identify potential security issues. The default log level, INFO, records only user login activity. Changing this to VERBOSE provides more detailed logs, including logout times and other relevant information. Modify the LogLevel parameter in /etc/ssh/sshd_config to VERBOSE.

13. Change the Default Port

While changing the default SSH port doesn’t provide true security, it can make your server less susceptible to automated scans by low-skilled attackers. To change the default port, edit the Port parameter in /etc/ssh/sshd_config, uncomment it, and set it to a non-standard port. Remember to update your firewall rules to reflect this change.

14. Brute force mitigation

Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities (combination of users and passwords) using a single or distributed computer network. To prevents brute force attacks against SSH, use the following software:

  • Fail2ban is a similar program that prevents brute force attacks against SSH.
  • sshguard protect hosts from brute force attacks against ssh and other services using pf.

15. Use strong ciphers

Specify strong ciphers and remove weak ones from the SSH configuration:

Terminal window

Similarly, remove weak message authentication codes (MACs) and leave only strong ones:

Ensure that the strong ciphers and MACs you specify are compatible with all clients connecting to your server.

Conclusion

In this article, we’ve covered several best practices for securing SSH. Staying updated on security trends and emerging threats can be difficult, which is why it’s recommended to organize regular penetration testing activities. These tests can identify vulnerabilities, including those related to SSH configuration, and provide guidance on how to mitigate them.

References

Back to Blog