Project

General

Profile

Support #591

Hardening an SSH Server

Added by Daniel Curtis over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Server
Target version:
Start date:
04/05/2015
Due date:
% Done:

100%

Estimated time:
1.00 h
Spent time:

Description

This is guide for hardening an SSH server.

  • WARNING: You will need a recent OpenSSH version. It should work with 6.5 but I have only tested 6.6; you can check the current version by running:
    ssh -V
    

Key Exchange

  • Add a strong Key Exchange:
    echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
    
  • Open /etc/ssh/moduli if exists, and delete lines where the 5th column is less than 2000.
    awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli" 
    wc -l "${HOME}/moduli" 
    mv "${HOME}/moduli" /etc/ssh/moduli
    
    • If wc -l is empty, create it:
      ssh-keygen -G "${HOME}/moduli" -b 4096
      ssh-keygen -T /etc/ssh/moduli -f "${HOME}/moduli" 
      rm "${HOME}/moduli" 
      

Authentication

  • Edit the sshd config file:
    vi /etc/ssh/sshd_config
    
    • And modify the following parameters to only use SSHv2 and ed25519 and rsa key algorithms:
      Protocol 2
      HostKey /etc/ssh/ssh_host_ed25519_key
      HostKey /etc/ssh/ssh_host_rsa_key
      

Client Authentication

  • edit the sshd config file:
    vi /etc/ssh/sshd_config
    
    • And modify the following parameters to disable password based logins:
      PasswordAuthentication no
      ChallengeResponseAuthentication no
      PubkeyAuthentication yes
      

Symmetric Ciphers

NOTE: For some reason I could not get the and ciphers to work on OpenSSH 6.6.
  • Add strong Symmetric Ciphers:
    echo 'Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
    

Message Authentication Codes

  • Add strong Message Authentication Codes:
    echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config
    

Generate Strong Client Keypairs

  • Generate strong client ssh keypairs:
    ssh-keygen -t ed25519 -o -a 512
    ssh-keygen -t rsa -b 4096 -o -a 512
    

Resources

History

#1 Updated by Daniel Curtis over 5 years ago

  • Description updated (diff)
  • Status changed from New to In Progress
  • % Done changed from 0 to 50

#2 Updated by Daniel Curtis over 5 years ago

  • Description updated (diff)

#3 Updated by Daniel Curtis over 5 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100

#4 Updated by Daniel Curtis over 5 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF