Linux SSH Server (sshd) Configuration and Security Options With Examples


Secure Shell or with its most know name SSH is a protocol developed to connect IT systems remotely and securely. SSH works as expected client-server architecture. In this post, we will look at various security-related configuration options of the SSH daemon service or sshd. The tutorial about the client-side ssh configuration can be found in the following link.

SSH Server Configuration File

Ssh generally works as a service or daemon. This service starts by reading some configure file about the service. This configuration file is located at /etc/ssh/sshd_config . In most Linux distributions the file is used as startup-config. In order to modify the configuration file, we need root privileges.

$ head /etc/ssh/sshd_config
Server Configuration File
Server Configuration File

SSH Server Configuration File Comment

Some rules require comments about them. Comments are created with # lines. Comments have no effect on the SSH configuration.

#This is just a comment.

Restart SSH Service To Apply Configuration Changes

After ssh configuration file changes ssh service or daemon should be restart to take effect new configuration. There are different ways to restart ssh service but the most global way to restart ssh daemon is using systemctl command like below.

$ sudo systemctl restart sshd

Stop SSH Service

If the ssh is not used and we have direct access to the system stopping ssh service is a more secure choice. We will stop ssh service with systemctl command.

$ sudo systemctl stop sshd

Check SSH Service Status

After configuration changes we restart the ssh service but how can be sure it is working. There are different ways but the most appropriate way is using systemctl to get the status of the service. This command also provides last logs about the service that can provide hints about configurations errors or similar things.

$ sudo systemctl status sshd
Check Ssh Service Status
Check Ssh Service Status

Specify SSH Protocol Version

SSH has two versions. As we expect version 1 is the old and nonsecure version. It is abandoned a long time ago but some ssh configurations may contain this version enabled. We will only enable version 2 with the following line.

Protocol 2

Allowed Users

By default, all users created on the system can log in remotely. Enabling all users remote login opportunity is not a good security practice. We can limit login for specified users like below. In this example, we only allow user ismail to login remotely by using ssh.

AllowUsers ismail

Denied Users

Another way to limit users’ login is by specifying a user account that does not have the right to log in remotely by using ssh. All other users than specified ones will have remote access. In this example, we deny remote access for user root . Denying access for root is a good security practice.

DenyUser root

Specify SSH Service or Port IP Address and Interface To Run

By default when ssh service is started it runs on all interfaces and IP addresses. This may create some security problems if the system has more than one network interface where some of them are insecure side. We can restrict the ssh service interface to run. Ssh service will not accept connections from other interfaces.

ListenAddress 10.0.0.20

Configure Session Timeout

After the connection is established the connection is stayed in the open state forever if not closed explicitly. This is not a wanted situation for resource usage and security. We should define a timeout value that will close the session after this time of inactivity. In this example, we set these values as 120 seconds.

ClientAliveInterval 120

Disable SSH Root Login

One of the best practices is disabling root account remote login. If there are other high privileged well-known accounts these accounts must be disabled too.

PermitRootLogin no

Configure SSH Login Banner

While connecting systems remotely with ssh providing information warning information about the system is a good way to prevent some attacks. Even this is not a technical way to protect or prevent attacks it may convenience the attacker physiologically.

Banner "This system is monitored and logged in real time. In the case of attacks the legal actions will be taken against attacker."

Configure or Change SSH Port Number

By default, ssh uses TCP port 22 as port number. Most of the users and attackers assume this default and takes action to the TCP port 22. If there is no operations cost changing the ssh server port is the best way. In the example we use port 1234 as ssh daemon port.

Port 1234

Disable SSH Password Authentication

Password authentication is a simple method for the user to authenticate themselves. But it is simpler than other methods for attackers to crack too. Users generally prefer simple and easy to remember passwords which make attackers work easy. We can disable password-based authentication.

PasswordAuthentication no

But the users should be already setup Public key-based authentication in order to resume using the SSH server. More information about how to set up public key-based authentication can be found in the following link.

http://www.poftut.com/how-to-setup-ssh-keys/

LEARN MORE  How To Change CentOS Server/Host Hostname?

Only Public Key Based Authentication

By default public key authentication is enabled but enabling it explicitly will make it more reliable.

PubkeyAuthentication yes

Disable Empty SSH Passwords

Another great risk for ssh daemon is empty passwords. Modern Linux distributions generally prohibit empty passwords but disabling empty passwords will make us sure.

PermitEmptyPasswords no

Enable Strict (Forced Security) Mode

StrictMode checks some cases before the ssh server starts. Ssh key, configuration files ownership, permission checks are performed before ssh daemon starts. If one of them fails the ssh server daemon does not starts. Strict mode is enabled by default but generally closed by system administrators. For security reasons, it should be enabled.

StrictMode yes

Disable X11 Forwarding

One of the best features for ssh is forwarding X11 over remote connections. This is a very useful feature for some system administrators and users. But this can create some security holes in the system. If X11 forwarding is not needed disable it.

X11Forwarding no

Update SSH Server and Client Software

Now the last but one of the most important rules to make ssh servers and daemons secure. Updating is a magical way to make ssh more secure.

Ubuntu, Debian, Mint:

$ sudo apt upgrade ssh

Fedora, Kali, CentOS:

$ sudo yum update ssh

1 thought on “Linux SSH Server (sshd) Configuration and Security Options With Examples”

Leave a Comment