Long-Term Supported Versions

    Innovation Versions

      System Services

      Hardening the SSH Service

      Description

      The Secure Shell (SSH) is a reliable security protocol for remote logins and other network services. SSH prevents information disclosure during remote management. SSH encrypts transferred data to prevent domain name server (DNS) spoofing and IP spoofing. OpenSSH was created as an open source alternative to the proprietary SSH protocol.

      Hardening the SSH service is to modify configurations of the SSH service to set the algorithm and authentication parameters when the system uses the OpenSSH protocol, improving the system security. Table 1 describes the hardening items, recommended hardening values, and default policies.

      Implementation

      To harden a server, perform the following steps:

      1. Open the configuration file /etc/ssh/sshd_config of the SSH service on the server, and modify or add hardening items and values in the file.

      2. Save the /etc/ssh/sshd_config file.

      3. Run the following command to restart the SSH service:

        systemctl restart sshd
        

        

      To harden a client, perform the following steps:

      1. Open the configuration file /etc/ssh/ssh_config of the SSH service on the client, and modify or add hardening items and values in the file.

      2. Save the /etc/ssh/ssh_config file.

      3. Run the following command to restart the SSH service:

        systemctl restart sshd
        

      Hardening Items

      • Server hardening policies

        All SSH service hardening items are stored in the /etc/ssh/sshd_config configuration file. For details about the server hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see Table 1.

        Table 1 SSH hardening items on a server

        Item

        Description

        Suggestion

        Configured as Suggested

        Protocol

        SSH protocol version.

        2

        Yes

        SyslogFacility

        Log type of the SSH service. The item is set to AUTH, indicating authentication logs.

        AUTH

        Yes

        LogLevel

        Level for recording SSHD logs.

        VERBOSE

        Yes

        X11Forwarding

        Specifies whether a GUI can be used after login using SSH.

        no

        Yes

        MaxAuthTries

        Maximum number of authentication attempts.

        3

        No

        PubkeyAuthentication

        Specifies whether public key authentication is allowed.

        yes

        Yes

        RSAAuthentication

        Specifies whether only RSA security authentication is allowed.

        yes

        Yes

        IgnoreRhosts

        Specifies whether the rhosts and shosts files are used for authentication. The rhosts and shosts files record the names of the servers that support remote access and related login names.

        yes

        Yes

        RhostsRSAAuthentication

        Specifies whether the RSA algorithm security authentication based on the rhosts file is used. The rhosts file records the names of the servers that support remote access and related login names.

        no

        Yes

        HostbasedAuthentication

        Specifies whether host-based authentication is used. Host-based authentication indicates that any user of a trusted client can use the SSH service.

        no

        Yes

        PermitRootLogin

        Specifies whether to allow user root to log in to the system using SSH.

        NOTE:

        If you want to log in to the system using SSH as user root, set the value of the PermitRootLogin field in the /etc/ssh/sshd_config file to yes.

        no

        No

        PermitEmptyPasswords

        Specifies whether accounts with empty passwords can log in.

        no

        Yes

        PermitUserEnvironment

        Specifies whether to resolve the environment variables set in ~/.ssh/environment and ~/.ssh/authorized_keys.

        no

        Yes

        Ciphers

        Encryption algorithm of SSH data transmission.

        aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com

        Yes

        ClientAliveCountMax

        Timeout count. After the server sends a request, if the number of times that the client does not respond reaches a specified value, the server automatically disconnects from the client.

        0

        No

        Banner

        File of the prompt information displayed before and after SSH login.

        /etc/issue.net

        Yes

        MACs

        Hash algorithm for SSH data verification.

        hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com

        Yes

        StrictModes

        Specifies whether to check the permission on and ownership of the home directory and rhosts file before SSH receives login requests.

        yes

        Yes

        UsePAM

        Specifies whether to use PAM for login authentication.

        yes

        Yes

        AllowTcpForwarding

        Specifies whether to allow TCP forwarding.

        no

        Yes

        Subsystem sftp /usr/libexec/openssh/sftp-server

        SFTP log record level, which records the INFO level and authentication logs.

        -l INFO -f AUTH

        Yes

        AllowAgentForwarding

        Specifies whether to allow SSH Agent forwarding.

        no

        Yes

        GatewayPorts

        Specifies whether SSH can connect to ports on the forwarding client.

        no

        Yes

        PermitTunnel

        Specifies whether Tunnel devices are allowed.

        no

        Yes

        KexAlgorithms

        SSH key exchange algorithms.

        curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

        Yes

        LoginGraceTime

        Time limit for users passing the authentication. 0 indicates no limit. The default value is 60 seconds.

        60

        No

        NOTE:
        By default, the messages displayed before and after SSH login are saved in the /etc/issue.net file. The default information in the /etc/issue.net file is Authorized users only. All activities may be monitored and reported.

      • Client hardening policies

        All SSH service hardening items are stored in the /etc/ssh/ssh_config configuration file. For details about the client hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see Table 2.

        Table 2 SSH hardening items on a client

        Item

        Description

        Suggestion

        Configured as Suggested

        KexAlgorithms

        SSH key exchange algorithms.

        ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

        No

        VerifyHostKeyDNS

        Specifies whether to verify HostKey files by using DNS or SSHFP.

        ask

        No

        NOTE:
        Third-party clients and servers that use the Diffie-Hellman algorithm are required to allow at least 2048-bit connection.

      Other Security Suggestions

      • The SSH service only listens on specified IP addresses.

        For security purposes, you are advised to only listen on required IP addresses rather than listen on 0.0.0.0 when using the SSH service. You can specify the IP addresses that SSH needs to listen on in the ListenAddress configuration item in the /etc/ssh/sshd_config file.

        1. Open and modify the /etc/ssh/sshd_config file.

          vi /etc/ssh/sshd_config
          

          The following information indicates that the bound listening IP address is 192.168.1.100. You can change the listening IP address based on the site requirements.

          ...
          ListenAddress 192.168.1.100
          ...
          
        2. Restart the SSH service.

          systemctl restart sshd.service
          
      • SFTP users are restricted from access to upper-level directories.

        SFTP is a secure FTP designed to provide secure file transfer over SSH. Users can only use dedicated accounts to access SFTP for file upload and download, instead of SSH login. In addition, directories that can be accessed over SFTP are limited to prevent directory traversal attacks. The configuration process is as follows:

        NOTE:
        In the following configurations, sftpgroup is an example user group name, and sftpuser is an example username.

        1. Create an SFTP user group.

          groupadd sftpgroup
          
        2. Create an SFTP root directory.

          mkdir /sftp
          
        3. Modify the ownership of and permission on the SFTP root directory.

          chown root:root /sftp
          chmod 755 /sftp
          
        4. Create an SFTP user.

          useradd -g sftpgroup -s /sbin/nologin sftpuser
          
        5. Set the password of the SFTP user.

          passwd sftpuser
          
        6. Create a directory used to store files uploaded by the SFTP user.

          mkdir /sftp/sftpuser
          
        7. Modify the ownership of and permission on the upload directory of the SFTP user.

          chown root:root /sftp/sftpuser
          chmod 777 /sftp/sftpuser
          
        8. Modify the /etc/ssh/sshd_config file.

          vi /etc/ssh/sshd_config
          

          Modify the following information:

          #Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH
          Subsystem sftp internal-sftp -l INFO -f AUTH
          ...
          
          Match Group sftpgroup                  
              ChrootDirectory /sftp/%u
              ForceCommand internal-sftp
          

          NOTE:

          • %u is a wildcard character. Enter %u to represent the username of the current SFTP user.
          • The following content must be added to the end of the /etc/ssh/sshd_config file:
            Match Group sftpgroup                    
              ChrootDirectory /sftp/%u  
              ForceCommand internal-sftp  
          
        9. Restart the SSH service.

          systemctl restart sshd.service
          
      • Remotely execute commands using SSH.

        When a command is executed remotely through OpenSSH, TTY is disabled by default. If a password is required during command execution, the password is displayed in plain text. To ensure password input security, you are advised to add the -t option to the command. Example:

        ssh -t testuser@192.168.1.100 su
        

        NOTE:
        192.168.1.100 is an example IP address, and testuser is an example username.

      Bug Catching

      Buggy Content

      Bug Description

      Submit As Issue

      It's a little complicated....

      I'd like to ask someone.

      PR

      Just a small problem.

      I can fix it online!

      Bug Type
      Specifications and Common Mistakes

      ● Misspellings or punctuation mistakes;

      ● Incorrect links, empty cells, or wrong formats;

      ● Chinese characters in English context;

      ● Minor inconsistencies between the UI and descriptions;

      ● Low writing fluency that does not affect understanding;

      ● Incorrect version numbers, including software package names and version numbers on the UI.

      Usability

      ● Incorrect or missing key steps;

      ● Missing prerequisites or precautions;

      ● Ambiguous figures, tables, or texts;

      ● Unclear logic, such as missing classifications, items, and steps.

      Correctness

      ● Technical principles, function descriptions, or specifications inconsistent with those of the software;

      ● Incorrect schematic or architecture diagrams;

      ● Incorrect commands or command parameters;

      ● Incorrect code;

      ● Commands inconsistent with the functions;

      ● Wrong screenshots.

      Risk Warnings

      ● Lack of risk warnings for operations that may damage the system or important data.

      Content Compliance

      ● Contents that may violate applicable laws and regulations or geo-cultural context-sensitive words and expressions;

      ● Copyright infringement.

      How satisfied are you with this document

      Not satisfied at all
      Very satisfied
      Submit
      Click to create an issue. An issue template will be automatically generated based on your feedback.
      Bug Catching
      编组 3备份