Hardening the SSH Service

Description

The Secure Shell (SSH) protocol provides encrypted, authenticated remote logins and other network services. It protects data in transit from eavesdropping and tampering, and server host key verification lets the client detect a server that is impersonated through domain name server (DNS) spoofing or IP spoofing. OpenSSH is the open source implementation of the protocol, created as an alternative to the original proprietary SSH software.

Hardening the SSH service means adjusting the OpenSSH configuration files to restrict the algorithms, authentication methods, and forwarding features that are allowed, which reduces the attack surface of the system. Table 1 describes the hardening items, the recommended values, and whether the default configuration already applies them.

Implementation

To harden a server, perform the following steps:

  1. Open the configuration file /etc/ssh/sshd_config of the SSH service on the server, and modify or add hardening items and values in the file.

  2. Save the /etc/ssh/sshd_config file.

  3. Run the following command to restart the SSH service:

    systemctl restart sshd
    

  

To harden a client, perform the following steps:

  1. Open the client configuration file /etc/ssh/ssh_config (system-wide) or ~/.ssh/config (per user), and modify or add hardening items and values in the file.

  2. Save the file.

  3. No service restart is needed: the ssh client reads its configuration each time it starts, so the changes apply to the next connection. To display the options that will actually be used for a given host, run:

    ssh -G host
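The server procedure above edits /etc/ssh/sshd_config by hand. The following shell script is an added example, not part of this page or of OpenSSH: it applies the Table 1 server values to a configuration file idempotently (rewriting commented or existing lines, and keeping new directives above any Match block), validates the file with sshd -t, and only then restarts the service. The function names and the sample file used in the test are assumptions; the directive names and values are those of Table 1.

```shell
#!/bin/sh
# Added example, not part of the page or of OpenSSH: apply the Table 1 server
# items to an sshd_config file idempotently, keep them out of any Match block,
# validate the result with "sshd -t", and only then restart the service.

# set_sshd_option FILE KEY VALUE
# Rewrites the first active or commented "KEY ..." line in the global section
# of FILE to "KEY VALUE" and drops later duplicates of KEY. If KEY is absent it
# is inserted just before the first Match block, or appended when there is
# none. Lines inside Match blocks are never touched: a directive placed after
# a Match line applies to that block only, a classic way to "harden" a server
# without changing anything.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        function is_key(line,    w) {
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indent and a leading "#"
            split(line, w, /[ \t=]+/)
            return tolower(w[1]) == tolower(key)
        }
        !in_match && tolower($1) == "match" {     # first Match block starts here
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        in_match { print; next }
        is_key($0) { if (!done) { print key " " value; done = 1 }; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# harden_sshd_config [FILE]: apply the Table 1 values (default /etc/ssh/sshd_config).
# Protocol, RSAAuthentication and RhostsRSAAuthentication are protocol-1 era
# options that OpenSSH 7.4+ ignores with a deprecation warning, and
# ClientAliveCountMax 0 disables disconnection on OpenSSH 8.2+, so those four
# are deliberately left out.
harden_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    while read -r k v; do
        set_sshd_option "$cfg" "$k" "$v" || return 1
    done <<'EOF'
SyslogFacility AUTH
LogLevel VERBOSE
X11Forwarding no
MaxAuthTries 3
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Banner /etc/issue.net
StrictModes yes
UsePAM yes
AllowTcpForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
LoginGraceTime 60
Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH
EOF
}

# restart_sshd_checked [FILE]: refuse to restart on a file that sshd rejects,
# which would otherwise leave the host without remote administration.
restart_sshd_checked() {
    sshd -t -f "${1:-/etc/ssh/sshd_config}" || return 1
    systemctl restart sshd
}
```

Run harden_sshd_config and then restart_sshd_checked as root; afterwards sshd -T shows the effective values, which is the authoritative check that the edits took effect.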
    

Hardening Items

  • Server hardening policies

    All SSH service hardening items are stored in the /etc/ssh/sshd_config configuration file. For details about the server hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see Table 1.

    Table 1 SSH hardening items on a server

    Each entry gives the item, a description, the suggested value, and whether the default configuration already matches the suggestion.

    Protocol
      SSH protocol version. Servers running OpenSSH 7.4 or later support only version 2 and ignore this directive.
      Suggestion: 2 (configured as suggested: Yes)

    SyslogFacility
      Syslog facility used for SSH service logs. AUTH routes them to the authentication log.
      Suggestion: AUTH (configured as suggested: Yes)

    LogLevel
      Verbosity of sshd logging. VERBOSE records additional authentication detail, such as the fingerprints of the keys that clients offer.
      Suggestion: VERBOSE (configured as suggested: Yes)

    X11Forwarding
      Specifies whether X11 forwarding is permitted, that is, whether graphical applications started over SSH may display on the client.
      Suggestion: no (configured as suggested: Yes)

    MaxAuthTries
      Maximum number of authentication attempts permitted per connection. Once failures reach half this value, further failures are logged.
      Suggestion: 3 (configured as suggested: No)

    PubkeyAuthentication
      Specifies whether public key authentication is allowed.
      Suggestion: yes (configured as suggested: Yes)

    RSAAuthentication
      Specifies whether pure RSA authentication is allowed. This is a protocol version 1 option; OpenSSH 7.4 and later have no protocol 1 and ignore the directive with a deprecation warning.
      Suggestion: yes (configured as suggested: Yes)

    IgnoreRhosts
      Specifies whether ~/.rhosts and ~/.shosts are ignored during host-based authentication. These files list the remote hosts and user names trusted to log in without a password.
      Suggestion: yes (configured as suggested: Yes)

    RhostsRSAAuthentication
      Specifies whether rhosts-based authentication combined with RSA host authentication is allowed. Protocol version 1 only; ignored by OpenSSH 7.4 and later.
      Suggestion: no (configured as suggested: Yes)

    HostbasedAuthentication
      Specifies whether host-based authentication is allowed. With it, any user on a trusted client host can log in on the strength of that host's key, so a compromised client host compromises the server.
      Suggestion: no (configured as suggested: Yes)

    PermitRootLogin
      Specifies whether user root may log in to the system using SSH.

      NOTE:

      If you want to log in to the system using SSH as user root, set PermitRootLogin in the /etc/ssh/sshd_config file to yes.

      Suggestion: no (configured as suggested: No)

    PermitEmptyPasswords
      Specifies whether accounts with empty passwords can log in.
      Suggestion: no (configured as suggested: Yes)

    PermitUserEnvironment
      Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed. Enabling it lets users bypass restrictions such as forced commands through mechanisms like LD_PRELOAD.
      Suggestion: no (configured as suggested: Yes)

    Ciphers
      Symmetric ciphers allowed for SSH data transmission, in order of preference.
      Suggestion: aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com (configured as suggested: Yes)

    ClientAliveCountMax
      Number of client alive messages the server may send without receiving a reply before it disconnects the client. Messages are sent every ClientAliveInterval seconds, and ClientAliveInterval defaults to 0, which sends none. On OpenSSH 8.2 and later a ClientAliveCountMax of 0 disables disconnection altogether, so to enforce an idle timeout set a non-zero ClientAliveInterval together with a small positive ClientAliveCountMax instead.
      Suggestion: 0 (configured as suggested: No)

    Banner
      File whose contents are sent to the client before authentication. The message shown after login comes from /etc/motd instead.
      Suggestion: /etc/issue.net (configured as suggested: Yes)

    MACs
      Message authentication code algorithms allowed for SSH data integrity, in order of preference. The -etm variants authenticate the ciphertext (encrypt-then-MAC) and are the stronger construction.
      Suggestion: hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com (configured as suggested: Yes)

    StrictModes
      Specifies whether sshd checks the ownership and permissions of the user's home directory and authentication files (for example ~/.ssh/authorized_keys and ~/.rhosts) before accepting a login, refusing files that other users can write.
      Suggestion: yes (configured as suggested: Yes)

    UsePAM
      Specifies whether PAM is used for login authentication and session setup.
      Suggestion: yes (configured as suggested: Yes)

    AllowTcpForwarding
      Specifies whether TCP port forwarding (ssh -L, -R, -D) is allowed. Disabling it only helps when users are also denied shell access, since a user with a shell can run their own forwarder.
      Suggestion: no (configured as suggested: Yes)

    Subsystem sftp /usr/libexec/openssh/sftp-server
      SFTP subsystem command and its options. -l INFO -f AUTH sets the SFTP logging level to INFO and the syslog facility to AUTH.
      Suggestion: -l INFO -f AUTH (configured as suggested: Yes)

    AllowAgentForwarding
      Specifies whether ssh-agent forwarding is allowed. Root on the server can use a forwarded agent socket to authenticate as the client user elsewhere; as with TCP forwarding, disabling it only helps if users have no shell.
      Suggestion: no (configured as suggested: Yes)

    GatewayPorts
      Specifies whether remote hosts may connect to ports forwarded for the client (ssh -R). With no, such ports bind to the loopback address only.
      Suggestion: no (configured as suggested: Yes)

    PermitTunnel
      Specifies whether tun(4) device forwarding (ssh -w, a VPN over SSH) is allowed.
      Suggestion: no (configured as suggested: Yes)

    KexAlgorithms
      SSH key exchange algorithms, in order of preference.
      Suggestion: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 (configured as suggested: Yes)

    LoginGraceTime
      Time the server waits for a client to finish authenticating before it disconnects the client. 0 indicates no limit. The OpenSSH default is 120 seconds.
      Suggestion: 60 (configured as suggested: No)

    NOTE:
    By default, the messages displayed before and after SSH login are saved in the /etc/issue.net file. The default information in the /etc/issue.net file is Authorized users only. All activities may be monitored and reported.

  • Client hardening policies

    All SSH client hardening items are stored in the /etc/ssh/ssh_config configuration file. For details about the client hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see Table 2.

    Table 2 SSH hardening items on a client

    Each entry gives the item, a description, the suggested value, and whether the default configuration already matches the suggestion.

    KexAlgorithms
      Key exchange algorithms the client offers, in order of preference.
      Suggestion: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 (configured as suggested: No)

    VerifyHostKeyDNS
      Specifies whether the server's host key is checked against SSHFP resource records in DNS. With ask, the result of the DNS lookup is displayed, but the user is still asked to confirm an unknown host key according to StrictHostKeyChecking. The lookup is only trustworthy when the resolver validates the answer with DNSSEC.
      Suggestion: ask (configured as suggested: No)

    NOTE:
    diffie-hellman-group-exchange-sha256 negotiates the group size with the peer. Third-party clients and servers that use it must support groups of at least 2048 bits; OpenSSH servers take the groups from /etc/ssh/moduli.
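The "configured as suggested" column in the tables above describes the shipped defaults; on a running host it should be verified rather than assumed. The following shell script is an added example, not part of this page or of OpenSSH: it compares the effective server configuration printed by sshd -T (one lower-case keyword and its value per line, after defaults and file parsing are applied) with the Table 1 values, so a misspelled directive or one placed below a Match block shows up as a deviation. The function names are assumptions, and the dump used in the test is constructed rather than taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the page or of OpenSSH: audit the server's
# *effective* configuration against the Table 1 suggestions. "sshd -T" prints
# one "keyword value" line per option, keyword in lower case, after defaults
# and file parsing have been applied, so it reflects what sshd will actually
# do: a directive that is misspelled, or that sits below a Match block and
# therefore applies only to that block, does not show up as expected here.

# sshd_suggested_values: the Table 1 items that sshd -T reports, one per line.
sshd_suggested_values() {
    cat <<'EOF'
x11forwarding no
maxauthtries 3
pubkeyauthentication yes
ignorerhosts yes
hostbasedauthentication no
permitrootlogin no
permitemptypasswords no
permituserenvironment no
allowtcpforwarding no
allowagentforwarding no
gatewayports no
permittunnel no
usepam yes
strictmodes yes
loglevel VERBOSE
syslogfacility AUTH
logingracetime 60
banner /etc/issue.net
ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
EOF
}

# audit_sshd_effective DUMPFILE
# DUMPFILE holds the output of "sshd -T". Prints one line per deviation
# ("keyword expected=... got=...") and returns 1 if there was any, else 0.
audit_sshd_effective() {
    dump=$1; bad=0
    tbl=$(mktemp) || return 1
    sshd_suggested_values > "$tbl"
    while read -r key want; do
        # value of the first dump line whose first field is the keyword
        got=$(awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$dump")
        if [ "$got" != "$want" ]; then
            echo "$key expected=$want got=${got:-<absent>}"
            bad=1
        fi
    done < "$tbl"
    rm -f "$tbl"
    return $bad
}

# Usage on a server (sshd -T needs root to read the host keys):
#   sshd -T > /tmp/sshd-effective.txt && audit_sshd_effective /tmp/sshd-effective.txt
```

Values that depend on a Match block are not reflected by a plain sshd -T; use sshd -T -C user=NAME,host=HOST,addr=ADDR to dump the configuration as it applies to a specific connection.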

Other Security Suggestions

  • The SSH service only listens on specified IP addresses.

    For security purposes, you are advised to listen only on the IP addresses that need the service rather than on all addresses (0.0.0.0, the default). Specify the addresses in the ListenAddress configuration item in the /etc/ssh/sshd_config file; repeat the item once per address.

    1. Open and modify the /etc/ssh/sshd_config file.

      vi /etc/ssh/sshd_config
      

      The following information indicates that the bound listening IP address is 192.168.1.100. You can change the listening IP address based on the site requirements.

      ...
      ListenAddress 192.168.1.100
      ...
      
    2. Restart the SSH service.

      systemctl restart sshd.service
      
  • SFTP users are restricted from access to upper-level directories.

    SFTP is a file transfer protocol that runs over SSH; it is unrelated to FTP. Dedicated accounts are given SFTP access for file upload and download only, with no shell login, and each account is confined (chrooted) to its own directory so that it cannot reach the rest of the file system. The configuration process is as follows:

    NOTE:
    In the following configurations, sftpgroup is an example user group name, and sftpuser is an example username.

    1. Create an SFTP user group.

      groupadd sftpgroup
      
    2. Create an SFTP root directory.

      mkdir /sftp
      
    3. Modify the ownership of and permission on the SFTP root directory.

      chown root:root /sftp
      chmod 755 /sftp
      
    4. Create an SFTP user.

      useradd -g sftpgroup -s /sbin/nologin sftpuser
      
    5. Set the password of the SFTP user.

      passwd sftpuser
      
    6. Create a directory in which the SFTP user can store uploaded files. The chroot directory /sftp/sftpuser itself must remain owned by root and must not be group- or world-writable, otherwise sshd rejects the login with "bad ownership or modes for chroot directory"; the writable area is therefore a subdirectory of it. The name upload is an example.

      mkdir -p /sftp/sftpuser/upload
      
    7. Set the ownership of and permissions on the chroot directory and the upload directory.

      chown root:root /sftp/sftpuser
      chmod 755 /sftp/sftpuser
      chown sftpuser:sftpgroup /sftp/sftpuser/upload
      chmod 750 /sftp/sftpuser/upload
      
    8. Modify the /etc/ssh/sshd_config file.

      vi /etc/ssh/sshd_config
      

      Modify the Subsystem line, and add the Match block at the end of the file:

      #Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH
      Subsystem sftp internal-sftp -l INFO -f AUTH
      ...

      Match Group sftpgroup
          ChrootDirectory /sftp/%u
          ForceCommand internal-sftp
      

      NOTE:

      • %u is a token that sshd expands to the user name of the authenticating user, so each member of sftpgroup is confined to /sftp/<user name>.
      • The Match block must be placed at the end of /etc/ssh/sshd_config: every directive that follows a Match line belongs to that block rather than to the global configuration.
      
    9. Restart the SSH service.

      systemctl restart sshd.service
      
  • Remotely execute commands using SSH.

    When a command is run remotely through OpenSSH, no pseudo-terminal (TTY) is allocated by default. A program that prompts for a password, such as su, then cannot switch off terminal echo, so the password you type is displayed in plain text. To enter the password securely, add the -t option, which allocates a pseudo-terminal. Example:

    ssh -t testuser@192.168.1.100 su
    

    NOTE:
    192.168.1.100 is an example IP address, and testuser is an example username.
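The SFTP procedure above depends on a rule that sshd enforces silently: every component of the ChrootDirectory path, from / down to the directory itself, must be owned by root and must not be group- or world-writable, or the login fails with "bad ownership or modes for chroot directory component". The following shell script is an added example, not part of this page or of OpenSSH: it builds the jail that way (using the page's sftpgroup, sftpuser and /sftp names) and mirrors sshd's ownership and mode check so the layout can be verified before the service is restarted. The upload subdirectory name, the function names, and the OWNER_UID parameter (present so the check can be exercised on directories that are not owned by root) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the page or of OpenSSH: build the chroot-jailed
# SFTP account the way sshd's ChrootDirectory check requires, and verify the
# layout with the same ownership/mode rule sshd applies. Group, user and
# directory names follow the page (sftpgroup, sftpuser, /sftp); the writable
# subdirectory name "upload" and the OWNER_UID parameter are assumptions.

# sshd refuses a ChrootDirectory unless every component of the path, from /
# down to the directory itself, is owned by root and is not group- or
# world-writable. chroot_component_ok applies that rule to one path.
chroot_component_ok() {                       # chroot_component_ok PATH [OWNER_UID]
    p=$1; want_uid=${2:-0}
    st=$(stat -c '%u %a' "$p" 2>/dev/null) || return 1
    set -- $st                                # $1 = owner uid, $2 = octal mode
    [ "$1" = "$want_uid" ] || return 1
    other=$(( $2 % 10 )); group=$(( ($2 / 10) % 10 ))   # last two octal digits
    [ $(( group & 2 )) -eq 0 ] && [ $(( other & 2 )) -eq 0 ]   # no write bit
}

# chroot_path_ok DIR [OWNER_UID]: check DIR and every parent up to /.
chroot_path_ok() {
    d=$1; want_uid=${2:-0}
    while :; do
        chroot_component_ok "$d" "$want_uid" || {
            echo "bad ownership or modes for chroot component $d" >&2
            return 1
        }
        [ "$d" = "/" ] && return 0
        d=$(dirname "$d")
    done
}

# setup_sftp_user USER: create the jailed account (run as root).
setup_sftp_user() {
    u=$1
    getent group sftpgroup >/dev/null || groupadd sftpgroup
    # chroot root: root-owned and 755, so the user cannot write here
    install -d -o root -g root -m 755 /sftp "/sftp/$u"
    id "$u" >/dev/null 2>&1 || useradd -g sftpgroup -s /sbin/nologin "$u"
    # the only writable directory lives inside the jail
    install -d -o "$u" -g sftpgroup -m 750 "/sftp/$u/upload"
    chroot_path_ok "/sftp/$u"
}
```

After setup_sftp_user sftpuser succeeds, set the user's password with passwd, add the Match block from step 8 to the end of /etc/ssh/sshd_config, and restart sshd; the user then lands in / of the jail and can write only under /upload.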
