· Tutorials · 6 min read
OpenSSH Security Best Practices in 2024
Security hardening for remote servers
Securing SSH is a critical step in protecting your Linux servers from unauthorized access and potential cyberattacks. SSH is a widely used protocol that allows secure remote management of servers, but if not properly configured, it can become a vulnerable entry point for attackers.
In this guide, we’ll explore a series of best practices that will help you fortify your SSH setup, reducing the risk of breaches and ensuring your server’s integrity.
1. Forbid Root login
It’s strongly recommended to disable root login to reduce the attack surface. Instead, use a regular user account with sudo privileges for administrative tasks. To disable root login, add the following line to your SSH configuration:
2. Disable SSH protocol 1
SSH Protocol 1 protocol allows to conduct man-in-the-middle attacks and replay client challenge response to a target server. It’s disabled by default on newer versions of SSH and Linux. Nevertheless, if you have an older version, make sure to enable Protocol 2. To do this, edit the configuration file by running nano /etc/ssh/sshd_config
, find the Protocol
parameter, and set it to 2
.
3. Use Key-Based authentication and forbid password Authentication
Public key-based authentication is a strong method for users to authenticate to your Linux servers using SSH. You’ll need to generate key pairs (public and private key pairs) and secure the home directory where these key pairs are stored.
It’s recommended to both audit and lock down the folder where the keys are stored. By default, this folder is located at ~/.ssh/
. You can secure it by changing ownership to root and group using the following commands:
To enforce key-based authentication and disable password authentication, add the following lines to your SSH configuration:
Before disabling password authentication, ensure that key-based authentication is correctly configured and tested to prevent being locked out.
4. Implement Two-Factor Authentication (2FA)
For high valuable assets or for very good protection level you can add 2FA. Even if SSH key will be stolen, attacker won’t able to access your server. Additional monitoring for failed 2FA events, could help to identify potential attack. To enable 2FA:
To complete the 2FA setup, configure PAM by adding the following line to /etc/pam.d/sshd
: auth required pam_google_authenticator.so
. This ensures that 2FA is enforced for SSH logins.
The original repo can be found here.
5. Enforce an Idle Timeout
To increase protection of attack surface it’s important to not leave SSH sessions logged in, idle or unattended for long period of time. In order to apply mitigation, change the ClientAliveInterval
parameter in /etc/ssh/sshd_config
. This value determines the length of time before a session times out. A value of 300 seconds (5 minutes) or less is preferred.
To enforce a session timeout, also set ClientAliveCountMax
to 2
. This ensures that idle sessions are terminated after the specified interval (interval = ClientAliveInterval * ClientAliveCountMax). In this case, the user will be asked each 5 min 2 times if he is alive. As a result, user will be logged out after 10 minutes.
6. Disable X11 Forwarding
X11 forwarding allows remote users to access graphical applications on a Linux server, but it can also be exploited by attackers. Disable this by setting the X11Forwarding
parameter to no
in the SSH configuration file (/etc/ssh/sshd_config
).
7. Disable Users’ Ability to Set Environment Variables
Allowing users to set or modify environment variables within their SSH sessions can lead to security vulnerabilities. Prevent this by setting the PermitUserEnvironment
parameter to no
in /etc/ssh/sshd_config
.
8. Disable Port Forwarding
Local port forwarding via SSH can be used for legitimate purposes but also poses security risks. Disable this by setting the AllowTcpForwarding
parameter to no
in /etc/ssh/sshd_config
.
Disabling port forwarding may prevent legitimate SSH tunneling use cases. Assess your specific needs before disabling this feature.
9. Restrict SSH Access to Users/Groups That Need It
Following the principle of least privilege, limit SSH access to only those users and groups that require it. Use the AllowUsers
and AllowGroups
parameters in /etc/ssh/sshd_config
to specify who is allowed to access the server via SSH. You can also use DenyUsers
and DenyGroups
to explicitly block access for certain users or groups.
10. Limit the Maximum Number of Concurrent Sessions
To decrease potential risk of denial-of-service (DoS) attacks, the number of concurrent SSH sessions has to be reduced. The best practice is a limitation to a maximum of 4 sessions. Adjust the maxsessions
parameter in /etc/ssh/sshd_config
accordingly.
11. Limit the Maximum Number of Authentication Attempts
Setting a limit on the number of authentication attempts can reduce the risk of successful brute-force attacks. To enforce this, find the MaxAuthTries
parameter in /etc/ssh/sshd_config
and set it to four or fewer attempts.
12. Change Log Level of SSH in Linux
Adjusting the SSH log level can help you better monitor activity and identify potential security issues. The default log level, INFO
, records only user login activity. Changing this to VERBOSE
provides more detailed logs, including logout times and other relevant information. Modify the LogLevel
parameter in /etc/ssh/sshd_config
to VERBOSE
.
13. Change the Default Port
While changing the default SSH port doesn’t provide true security, it can make your server less susceptible to automated scans by low-skilled attackers. To change the default port, edit the Port
parameter in /etc/ssh/sshd_config
, uncomment it, and set it to a non-standard port. Remember to update your firewall rules to reflect this change.
14. Brute force mitigation
Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities (combination of users and passwords) using a single or distributed computer network. To prevents brute force attacks against SSH, use the following software:
- Fail2ban is a similar program that prevents brute force attacks against SSH.
- sshguard protect hosts from brute force attacks against ssh and other services using pf.
15. Use strong ciphers
Specify strong ciphers and remove weak ones from the SSH configuration:
Similarly, remove weak message authentication codes (MACs) and leave only strong ones:
Ensure that the strong ciphers and MACs you specify are compatible with all clients connecting to your server.
Conclusion
In this article, we’ve covered several best practices for securing SSH. Staying updated on security trends and emerging threats can be difficult, which is why it’s recommended to organize regular penetration testing activities. These tests can identify vulnerabilities, including those related to SSH configuration, and provide guidance on how to mitigate them.