
Security Hardenings for SSH Configuration

SSH (Secure Shell) is a widely used protocol for secure remote access to systems. Properly configuring SSH settings is crucial for maintaining the security of your system. Below are several security hardenings recommended for SSH configuration:

  1. Ensure SSH Protocol is set to 2:

    • SSH Protocol 2 provides stronger security features than Protocol 1 and is the version to use.
  2. Ensure SSH LogLevel is appropriate:

    • Set LogLevel to a level that supports monitoring and debugging without logging excessive sensitive information.
  3. Ensure SSH X11 forwarding is disabled:

    • Disabling X11 forwarding removes the risks associated with forwarding the X11 protocol over SSH.
  4. Ensure SSH MaxAuthTries is set to 4 or less:

    • Limiting the number of authentication attempts per connection helps mitigate brute-force attacks.
  5. Ensure SSH IgnoreRhosts is enabled:

    • Enabling IgnoreRhosts stops SSH from consulting .rhosts and .shosts files for authentication, a mechanism that is susceptible to exploitation.
  6. Ensure SSH HostbasedAuthentication is disabled:

    • Disabling HostbasedAuthentication removes the risk of host-based authentication vulnerabilities.
  7. Ensure SSH PermitEmptyPasswords is disabled:

    • Disabling PermitEmptyPasswords ensures that no account can authenticate with an empty password.
  8. Ensure SSH PermitUserEnvironment is disabled:

    • Disabling PermitUserEnvironment prevents users from setting environment variables through SSH, reducing the attack surface.
  9. Ensure only strong Ciphers are used:

    • Configure SSH to use only strong encryption ciphers so that data confidentiality is protected in transit.
  10. Ensure only strong MAC algorithms are used:

    • Use strong message authentication code (MAC) algorithms to ensure the integrity of SSH connections.
  11. Ensure only strong Key Exchange algorithms are used:

    • Use robust key exchange algorithms to establish secure SSH connections.
  12. Ensure SSH Idle Timeout Interval is configured:

    • Configure an idle timeout interval to automatically disconnect inactive SSH sessions, reducing the risk of unauthorized access.
  13. Ensure SSH LoginGraceTime is set to one minute or less:

    • Setting a short LoginGraceTime limits the window in which an unauthenticated connection can remain open for login attempts.
  14. Ensure SSH warning banner is configured:

    • Display a warning banner before authentication to inform users of the system's acceptable use policy and legal implications.
  15. Ensure SSH PAM is enabled:

    • Enable Pluggable Authentication Modules (PAM) for additional authentication controls and security enhancements.
  16. Ensure SSH AllowTcpForwarding is disabled:

    • Disabling AllowTcpForwarding prevents TCP forwarding, which can be exploited for unauthorized access.
  17. Ensure SSH MaxStartups is configured:

    • Configure MaxStartups to limit the number of concurrent unauthenticated SSH connection attempts and prevent resource exhaustion attacks.
  18. Ensure SSH MaxSessions is set to 4 or less:

    • Limit the maximum number of simultaneous SSH sessions per network connection to mitigate the risk of resource abuse.

By implementing these security hardenings, you can enhance the security posture of your SSH configuration and better protect your system against various threats and vulnerabilities.

An sshd_config fragment that applies the settings above:

# Place these lines in /etc/ssh/sshd_config above any Match block: sshd honours
# the first occurrence of a keyword, so a conflicting earlier line would win.
# ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication in
# OpenSSH 8.7; the old name is still accepted.
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes
PermitRootLogin no
# Password logins remain enabled here alongside public-key authentication.
PasswordAuthentication yes
PidFile /run/sshd.pid
# Protocol 1 support was removed in OpenSSH 7.4; current releases ignore this keyword.
Protocol 2
LogLevel INFO
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
# Idle timeout: sshd probes an unresponsive client every 300 seconds. Note that
# since OpenSSH 8.2, ClientAliveCountMax 0 disables the disconnect entirely; use
# a small positive value (e.g. 3) if idle sessions must actually be terminated.
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 60
Banner /etc/issue.net
AllowTcpForwarding no
# start:rate:full - once 10 unauthenticated connections are pending, refuse new
# ones with 30% probability, rising linearly to 100% at 60.
MaxStartups 10:30:60
MaxSessions 4
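As an added example (not part of the original page), the following Python script audits an sshd_config text against the hardening items above. It applies sshd's own parsing rules (case-insensitive keywords, first occurrence wins, directives after a Match block are conditional); the expected values and limits come from the list, while the weak-algorithm substrings and the sample config are constructed for illustration.

```python
import re

# Expected values from the hardening list above, keyed by lower-cased sshd keyword.
EXPECTED = {"x11forwarding": "no", "ignorerhosts": "yes", "hostbasedauthentication": "no",
            "permitemptypasswords": "no", "permituserenvironment": "no", "usepam": "yes",
            "allowtcpforwarding": "no"}
LIMITS = {"maxauthtries": 4, "maxsessions": 4, "logingracetime": 60}
# Substrings that mark an algorithm as weak (illustrative, not an exhaustive list).
WEAK = {"ciphers": ("cbc", "arcfour", "3des"), "macs": ("md5", "sha1", "-96"),
        "kexalgorithms": ("sha1",)}

def parse_sshd_config(text):
    # sshd keywords are case-insensitive, the FIRST occurrence of a keyword wins, and
    # directives after a Match block are conditional, so parsing stops there.
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit(text):
    # Returns findings against the hardening list; an empty list means every check passed.
    conf = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = conf.get(key, "unset")
        if got.lower() != want:
            findings.append(f"{key}: expected {want}, found {got}")
    for key, limit in LIMITS.items():
        got = conf.get(key, "unset")
        if not got.isdigit() or int(got) > limit:
            findings.append(f"{key}: expected <= {limit}, found {got}")
    for key, bad in WEAK.items():
        weak = [a for a in conf.get(key, "").lower().split(",") if any(b in a for b in bad)]
        if key not in conf:  # unpinned: the server's compiled-in default list is in use
            findings.append(f"{key}: not pinned to an explicit algorithm list")
        elif weak:
            findings.append(f"{key}: weak algorithms {','.join(weak)}")
    return findings

# Constructed sample (not a real host's file) exercising the first-match and Match rules.
SAMPLE = "\n".join(["MaxAuthTries 6", "X11Forwarding yes", "Ciphers aes256-ctr,aes128-cbc",
                    "MACs hmac-sha2-256,hmac-sha1", "MaxAuthTries 4", "Match User backup",
                    "    X11Forwarding no"])
```

Feeding `audit()` the output of `sshd -T` (the effective configuration with defaults resolved) rather than the raw file avoids "unset" findings for keywords the server fills in itself.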