Secure Shell, best known as SSH, is a protocol developed to connect to IT systems remotely and securely. SSH uses a client-server architecture. In this post, we will look at various security-related configuration options of the SSH daemon service, sshd. The client-side ssh configuration is covered in a separate tutorial.
SSH Server Configuration File
SSH generally runs as a service or daemon. The service starts by reading its configuration file, which is located at /etc/ssh/sshd_config. In most Linux distributions this file is used as the startup configuration. In order to modify the configuration file, we need root privileges.
$ head /etc/ssh/sshd_config
SSH Server Configuration File Comment
Some rules need an explanatory comment. Comment lines start with # and have no effect on the SSH configuration.
#This is just a comment.
Restart SSH Service To Apply Configuration Changes
After the ssh configuration file changes, the ssh service or daemon must be restarted for the new configuration to take effect. There are different ways to restart the ssh service, but the most universal way is the systemctl command, like below.
$ sudo systemctl restart sshd
Stop SSH Service
If ssh is not used and we have direct access to the system, stopping the ssh service is the more secure choice. We stop the ssh service with the following command.
$ sudo systemctl stop sshd
Check SSH Service Status
After a configuration change we restart the ssh service, but how can we be sure it is working? There are different ways, but the most appropriate is to get the status of the service with systemctl. This command also shows the latest log entries of the service, which can give hints about configuration errors or similar problems.
$ sudo systemctl status sshd
Specify SSH Protocol Version
SSH has two versions. As we would expect, version 1 is the old and insecure version. It was abandoned a long time ago, but some ssh configurations may still have this version enabled. We will only enable version 2 with the following line.
By default, all users created on the system can log in remotely. Giving every user the ability to log in remotely is not a good security practice. We can limit login to specified users like below. In this example, we only allow the user ismail to log in remotely over ssh.
Another way to limit user logins is to specify the user accounts that do not have the right to log in remotely over ssh. All users other than the specified ones will have remote access. In this example, we deny remote access for the user root. Denying access for root is a good security practice.
Specify SSH Service or Port IP Address and Interface To Run
By default, when the ssh service is started it listens on all interfaces and IP addresses. This may create security problems if the system has more than one network interface and some of them face an insecure network. We can restrict the interface the ssh service runs on. The ssh service will then not accept connections from other interfaces.
Configure Session Timeout
Once a connection is established, it stays open forever unless it is closed explicitly. This is undesirable for both resource usage and security. We should define a timeout value that closes the session after that period of inactivity. In this example, we set these values as
Disable SSH Root Login
One of the best practices is disabling remote login for the root account. If there are other highly privileged, well-known accounts, these accounts must be disabled too.
Configure SSH Login Banner
When users connect to a system remotely over ssh, showing a warning about the system is a good way to prevent some attacks. Although this is not a technical way to protect against or prevent attacks, it may convince the attacker psychologically.
#Banner takes the path of a file, not the text itself. /etc/issue.net (an example path) contains: This system is monitored and logged in real time. In the case of attacks the legal actions will be taken against attacker.
Banner /etc/issue.net
Configure or Change SSH Port Number
By default, ssh uses TCP port 22. Most users and attackers assume this default and act against TCP port 22. If there is no operational cost, changing the ssh server port is the best way. In the example we use port 1234 as the ssh daemon port.
Disable SSH Password Authentication
Password authentication is a simple method for users to authenticate themselves. But it is also simpler than other methods for attackers to crack. Users generally prefer simple, easy-to-remember passwords, which makes the attacker's work easy. We can disable password-based authentication.
But users must already have public key-based authentication set up in order to keep using the SSH server. How to set up public key-based authentication is covered in a separate tutorial.
Only Public Key Based Authentication
By default, public key authentication is enabled, but enabling it explicitly will make it more reliable.
Disable Empty SSH Passwords
Another great risk for the ssh daemon is empty passwords. Modern Linux distributions generally prohibit empty passwords, but disabling them explicitly makes sure.
Enable Strict (Forced Security) Mode
StrictModes checks some cases before the ssh server starts. Ssh key and configuration file ownership and permission checks are performed before the ssh daemon starts. If one of them fails, the ssh server daemon does not start. Strict mode is enabled by default but is generally turned off by system administrators. For security reasons, it should be enabled.
Disable X11 Forwarding
One of the best features of ssh is forwarding X11 over remote connections. This is a very useful feature for some system administrators and users, but it can create security holes in the system. If X11 forwarding is not needed, disable it.
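The yes/no directives recommended above can be checked mechanically. The script below is an added example, not code from the original post: the function names sshd_value and audit_sshd_config are hypothetical, the sample configuration is constructed, and the expected values are PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes, PermitEmptyPasswords no, StrictModes yes and X11Forwarding no.

```sh
# Added example: audit an sshd_config against settings this page recommends.

# Print the first global value of keyword $2 in file $1 (nothing if unset).
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional.
# Assumption: files pulled in with "Include" are not followed.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                 # comment line
        tolower($1) == "match" { exit }     # end of the global section
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Print one FAIL line per keyword that is unset or differs from the
# recommended value; the exit status is the number of findings.
audit_sshd_config() {
    findings=0
    while read -r key want; do
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: found '${got:-unset}', want '$want'"
            findings=$((findings + 1))
        fi
    done <<EOF
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
StrictModes yes
X11Forwarding no
EOF
    return "$findings"
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
cat >"$sample" <<'EOF'
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
Match User ismail
    X11Forwarding no
EOF
audit_sshd_config "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

Running sudo sshd -t checks the configuration file for errors before the restart, and sudo sshd -T prints the effective configuration, including defaults and included files.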
Update SSH Server and Client Software
Now the last, but one of the most important, rules for making ssh servers and daemons secure. Updating is a magical way to make ssh more secure.
Ubuntu, Debian, Mint:
$ sudo apt upgrade ssh
Fedora, Kali, CentOS:
$ sudo yum update openssh-server openssh-clients