SSH hardening on Ubuntu
sshd configuration hardening
The server configuration file is usually located at /etc/ssh/sshd_config. Note that sshd uses the first uncommented occurrence of each keyword, so a directive you add at the end of the file is ignored if an earlier line already sets it.
1) Change the SSH port from the default 22 to a different one
# Change from default 22 to a different port
Port 12345
If the host is behind a firewall or security group, remember to allow the new port there as well, and keep your current session open until you have confirmed you can connect on the new port.
2) Disable weak ciphers
# Use strong ciphers only (CBC-mode ciphers such as aes256-cbc are left out; modern OpenSSH defaults no longer offer them)
Ciphers aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
3) Limit authentication attempts and concurrent sessions
MaxAuthTries 3
MaxSessions 2
ClientAliveCountMax 2
ClientAliveCountMax only takes effect when ClientAliveInterval is set to a non-zero number of seconds; with the default of 0 no client-alive probes are sent.
4) Disable password authentication (use public key authentication instead)
PubkeyAuthentication yes
PasswordAuthentication no
Make sure public key authentication is set up and that you can successfully log in with it before disabling password authentication, otherwise you can lock yourself out.
5) Set the log level to VERBOSE (logs the fingerprint of the key used for each login, which is useful for auditing)
LogLevel VERBOSE
6) Disable forwarding and other features you do not need
TCPKeepAlive no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
7) Validate the configuration and restart the ssh service
Check the file for syntax errors first; a bad configuration can leave you without remote access after the restart:
$ sudo sshd -t
$ sudo service ssh restart
On Ubuntu releases that use systemd socket activation for ssh (22.10 and later), a changed Port also requires reloading systemd and restarting the socket unit (sudo systemctl daemon-reload, then sudo systemctl restart ssh.socket), otherwise sshd keeps listening on the old port.
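To check that steps 1 to 6 actually took effect, the following audit script (added here as an example, not part of the original post) reads an sshd_config the way sshd does, taking the first uncommented occurrence of each keyword, and reports any deviation from the settings above. It runs on a constructed sample file in which an earlier "PasswordAuthentication yes" shadows a later "no".

```shell
# Added audit helper (not from the original post). Reads an sshd_config
# the way sshd does: the FIRST uncommented occurrence of a keyword wins.
sshd_effective() {                       # $1 = file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}
write_sample_config() {                  # $1 = path; constructed sample
    # The earlier "PasswordAuthentication yes" shadows the later "no".
    cat >"$1" <<'EOF'
Port 12345
Ciphers aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no
LogLevel VERBOSE
AllowTcpForwarding no
X11Forwarding no
EOF
}
audit_sshd_config() {                    # $1 = file; returns 0 if compliant
    rc=0
    while read -r key want; do
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FINDING $key: expected '$want', got '${got:-unset}'"
            rc=1
        fi
    done <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LogLevel VERBOSE
AllowTcpForwarding no
X11Forwarding no
EOF
    # Still on the default port (unset means 22), or any CBC-mode cipher
    port=$(sshd_effective "$1" Port)
    [ "${port:-22}" != 22 ] || { echo "FINDING Port: default 22"; rc=1; }
    case "$(sshd_effective "$1" Ciphers)" in
        *-cbc*) echo "FINDING Ciphers: CBC-mode cipher enabled"; rc=1 ;;
    esac
    return $rc
}
f=$(mktemp); write_sample_config "$f"
if audit_sshd_config "$f"; then echo "COMPLIANT"; else echo "NOT COMPLIANT"; fi
rm -f "$f"
```

Run it against the real file with audit_sshd_config /etc/ssh/sshd_config (root is needed to read the file on most systems).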
Restrict inbound traffic to your SSH port
This is done in your firewall or security group configuration. For example, allow inbound traffic to the SSH port only from your company's IP address range, so that password guessing and scanning from the rest of the internet never reach sshd.