SSH hardening on Ubuntu

sshd configuration hardening

The main configuration file is located at:

/etc/ssh/sshd_config

On current Ubuntu releases this file begins with an Include of /etc/ssh/sshd_config.d/*.conf. sshd keeps the first value it reads for each keyword, so a setting in a drop-in file overrides the same keyword set later in the main file; check that directory (cloud images ship a cloud-init drop-in there) before assuming your edit took effect. sudo sshd -T prints the effective value of every keyword after all includes are merged.

1) Change the SSH port from the default 22 to a different one

# Change from default 22 to a different port
Port 12345

This cuts the noise from automated scanners that only try port 22; it is not a security control on its own, so do not skip the steps below. If you are behind a firewall or security group, update its rules as well. On Ubuntu releases that start sshd through systemd socket activation, the listening port comes from the ssh.socket unit, so confirm with ss -tln after the restart that the new port is actually open and adjust the socket unit if it is not.

2) Disable the usage of weak ciphers

# Use strong ciphers (AEAD modes first; no CBC)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr

CBC-mode ciphers such as aes256-cbc do not belong on this list: OpenSSH deprecated them and removed them from its defaults, so naming one here re-enables a cipher the daemon would otherwise refuse. An explicit Ciphers line replaces the default list entirely, so anything you leave out is disabled.

3) Limit authentication attempts and concurrent sessions

MaxAuthTries 3
MaxSessions 2
ClientAliveCountMax 2

ClientAliveCountMax only takes effect together with a non-zero ClientAliveInterval (the default is 0, which disables the check); with both set, sshd drops a client that fails to answer two consecutive alive probes. MaxSessions caps the number of multiplexed shell, login or subsystem sessions per connection, not the number of connections.

4) Disable password authentication (use public keys instead)

PubkeyAuthentication yes
PasswordAuthentication no

Set up key-based login and confirm it works from a second terminal before turning passwords off; keep the existing session open until the new one succeeds. PasswordAuthentication no does not cover the keyboard-interactive method, through which PAM can still ask for a password, so make sure KbdInteractiveAuthentication (ChallengeResponseAuthentication on older releases) is also set to no. Ubuntu's stock file does this, but verify it in the merged configuration.

5) Set the log level to VERBOSE

LogLevel VERBOSE

VERBOSE records the fingerprint of the key used for each login, which is what lets you tell apart several people sharing one account when you investigate an incident.

6) Disable forwarding features you do not need

TCPKeepAlive no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

TCP keepalives are plain TCP packets that anyone on the path can spoof; the ClientAlive probes from step 3 travel inside the encrypted channel and replace them. Agent, TCP and X11 forwarding are not vulnerabilities in themselves, but on a server that does not need them they hand a compromised account a ready-made tunnel into the network, and a forwarded agent lets root on the server sign with the client's keys. Re-enable them for specific users with a Match block if a workflow needs them.

7) Validate and restart the ssh service

$ sudo service ssh restart

Run sudo sshd -t first: it checks the syntax of the merged configuration and prints nothing when it is valid, which stops a typo from taking the daemon down with your only session in it. Keep that session open and log in again from a new terminal to confirm the changes.

Restrict inbound traffic to your SSH port

Do this in the host firewall (ufw on Ubuntu) or the cloud security group: allow inbound traffic to the SSH port only from the addresses you actually log in from, such as your office or VPN egress range, and drop everything else. Because the port changed in step 1, the rule must name the new port, not 22.
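The steps above as one script, added here as an example and not code from the original post. It writes the hardened settings from steps 1-6 as a drop-in file, audits a configuration file (or sudo sshd -T output, which resolves includes and defaults) for the weak settings the post tells you to remove, validates with sshd -t before restarting, and adds the ufw rule for the last step. The port 12345, the drop-in path /etc/ssh/sshd_config.d/10-hardening.conf, the script name harden.sh and the CIDR you pass to allow_ssh_from are assumptions; the test configs are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Packages the settings from
# steps 1-6 into a drop-in, audits a config for the weak settings the post
# tells you to remove, and applies the result with a syntax check first.
# The port, the drop-in path and the allowed CIDR are assumptions.
set -euo pipefail

# Hardened fragment. aes256-cbc is deliberately omitted: CBC-mode ciphers are
# deprecated in OpenSSH. KbdInteractiveAuthentication is set as well, because
# PasswordAuthentication alone does not stop PAM taking a password over the
# keyboard-interactive method.
hardened_sshd_config() {
  local port="${1:-12345}"
  cat <<EOF
Port ${port}
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MaxAuthTries 3
MaxSessions 2
# ClientAliveCountMax only acts when ClientAliveInterval is non-zero
ClientAliveInterval 300
ClientAliveCountMax 2
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
LogLevel VERBOSE
TCPKeepAlive no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
EOF
}

# Effective value of one keyword in a config file or in "sshd -T" output.
# sshd uses the first occurrence of a keyword, so the first match wins;
# keywords are case-insensitive; comments and blank lines are skipped.
sshd_value() {
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print one FINDING line per weak setting; return 0 only when clean.
# Fallbacks are the OpenSSH defaults, so a missing keyword is judged the way
# sshd would treat it. Feed it "sudo sshd -T" output to audit the merged config.
audit_sshd_config() {
  local file="$1" v count=0
  flag() { echo "FINDING: $1"; count=$((count + 1)); }
  v=$(sshd_value "$file" Port)
  [ "${v:-22}" = "22" ] && flag "Port is the default 22"
  v=$(sshd_value "$file" Ciphers)
  case ",${v}," in *-cbc*) flag "Ciphers enables a CBC-mode cipher: ${v}" ;; esac
  v=$(sshd_value "$file" PasswordAuthentication)
  [ "${v:-yes}" != "no" ] && flag "PasswordAuthentication is not no"
  v=$(sshd_value "$file" KbdInteractiveAuthentication)
  [ "${v:-yes}" != "no" ] && flag "KbdInteractiveAuthentication still lets PAM ask for a password"
  v=$(sshd_value "$file" PubkeyAuthentication)
  [ "${v:-yes}" != "yes" ] && flag "PubkeyAuthentication is disabled"
  v=$(sshd_value "$file" MaxAuthTries)
  [ "${v:-6}" -gt 3 ] && flag "MaxAuthTries ${v:-6} exceeds 3"
  v=$(sshd_value "$file" MaxSessions)
  [ "${v:-10}" -gt 2 ] && flag "MaxSessions ${v:-10} exceeds 2"
  v=$(sshd_value "$file" LogLevel)
  [ "${v:-INFO}" != "VERBOSE" ] && flag "LogLevel is ${v:-INFO}, not VERBOSE"
  v=$(sshd_value "$file" AllowTcpForwarding)
  [ "${v:-yes}" != "no" ] && flag "AllowTcpForwarding is enabled"
  v=$(sshd_value "$file" AllowAgentForwarding)
  [ "${v:-yes}" != "no" ] && flag "AllowAgentForwarding is enabled"
  v=$(sshd_value "$file" X11Forwarding)
  [ "${v:-no}" != "no" ] && flag "X11Forwarding is enabled"
  v=$(sshd_value "$file" ClientAliveInterval)
  [ "${v:-0}" = "0" ] && flag "ClientAliveInterval is 0, so ClientAliveCountMax never fires"
  [ "$count" -eq 0 ]
}

# Apply as root: write the drop-in (sorts before other drop-ins, so it wins),
# validate the merged config with sshd -t before restarting, then confirm the
# listener moved. On socket-activated releases ssh.socket may still own port
# 22; the final check makes that visible instead of silent.
install_hardening() {
  local port="${1:-12345}" dropin="/etc/ssh/sshd_config.d/10-hardening.conf"
  local listeners
  hardened_sshd_config "$port" > "$dropin"
  sshd -t
  systemctl restart ssh
  listeners=$(ss -tln)
  case "$listeners" in
    *":${port} "*) echo "sshd listening on ${port}" ;;
    *) echo "WARNING: nothing listening on ${port}; check ssh.socket" ;;
  esac
}

# Firewall side of the last step (ufw): allow the SSH port from one CIDR only.
allow_ssh_from() {
  local cidr="$1" port="${2:-12345}"
  ufw allow from "$cidr" to any port "$port" proto tcp
}

case "${1:-}" in
  --audit) audit_sshd_config "${2:-/etc/ssh/sshd_config}" ;;
  --install) install_hardening "${2:-12345}" ;;
esac
```

Audit the running daemon's effective settings with sudo sshd -T > /tmp/effective.conf followed by ./harden.sh --audit /tmp/effective.conf; a clean run prints nothing and exits 0. The audit reads a single file, so pointing it at sshd_config alone misses drop-ins and compiled-in defaults, which is why the sshd -T dump is the input to trust.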
