System Services

• System Services
  • Hardening the SSH Service

Hardening the SSH Service

Description

The Secure Shell (SSH) is a reliable security protocol for remote logins and other network services. SSH prevents information disclosure during remote management. SSH encrypts transferred data to prevent domain name server (DNS) spoofing and IP spoofing. OpenSSH was created as an open source alternative to the proprietary SSH protocol.

Hardening the SSH service is to modify configurations of the SSH service to set the algorithm and authentication parameters when the system uses the OpenSSH protocol, improving the system security. Table 1 describes the hardening items, recommended hardening values, and default policies.

Implementation

To harden a server, perform the following steps:

1. Open the configuration file /etc/ssh/sshd_config of the SSH service on the server, and modify or add hardening items and values in the file.

2. Save the /etc/ssh/sshd_config file.

3. Run the following command to restart the SSH service:

   systemctl restart sshd
   

To harden a client, perform the following steps:

1. Open the configuration file /etc/ssh/ssh_config of the SSH service on the client, and modify or add hardening items and values in the file.

2. Save the /etc/ssh/ssh_config file.

3. Run the following command to restart the SSH service:

   systemctl restart sshd
   

Hardening Items

• Server hardening policies

  All SSH service hardening items are stored in the /etc/ssh/sshd_config configuration file. For details about the server hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see Table 1.

  Table 1 SSH hardening items on a server

  Item	Description	Suggestion	Configured as Suggested
  Protocol	SSH protocol version.	2	Yes
  SyslogFacility	Log type of the SSH service. The item is set to AUTH, indicating authentication logs.	AUTH	Yes
  LogLevel	Level for recording SSHD logs.	VERBOSE	Yes
  X11Forwarding	Specifies whether a GUI can be used after login using SSH.	no	Yes
  MaxAuthTries	Maximum number of authentication attempts.	3	No
  PubkeyAuthentication	Specifies whether public key authentication is allowed.	yes	Yes
  RSAAuthentication	Specifies whether only RSA security authentication is allowed.	yes	Yes
  IgnoreRhosts	Specifies whether the rhosts and shosts files are used for authentication. The rhosts and shosts files record the names of the servers that support remote access and related login names.	yes	Yes
  RhostsRSAAuthentication	Specifies whether the RSA algorithm security authentication based on the rhosts file is used. The rhosts file records the names of the servers that support remote access and related login names.	no	Yes
  HostbasedAuthentication	Specifies whether host-based authentication is used. Host-based authentication indicates that any user of a trusted client can use the SSH service.	no	Yes
  PermitRootLogin	Specifies whether to allow user root to log in to the system using SSH. NOTE: If you want to log in to the system using SSH as user root, set the value of the PermitRootLogin field in the /etc/ssh/sshd_config file to yes.	no	No
  PermitEmptyPasswords	Specifies whether accounts with empty passwords can log in.	no	Yes
  PermitUserEnvironment	Specifies whether to resolve the environment variables set in ~/.ssh/environment and ~/.ssh/authorized_keys.	no	Yes
  Ciphers	Encryption algorithm of SSH data transmission.	aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com	Yes
  ClientAliveCountMax	Timeout count. After the server sends a request, if the number of times that the client does not respond reaches a specified value, the server automatically disconnects from the client.	0	No
  Banner	File of the prompt information displayed before and after SSH login.	/etc/issue.net	Yes
  MACs	Hash algorithm for SSH data verification.	hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com	Yes
  StrictModes	Specifies whether to check the permission on and ownership of the home directory and rhosts file before SSH receives login requests.	yes	Yes
  UsePAM	Specifies whether to use PAM for login authentication.	yes	Yes
  AllowTcpForwarding	Specifies whether to allow TCP forwarding.	no	Yes
  Subsystem sftp /usr/libexec/openssh/sftp-server	SFTP log record level, which records the INFO level and authentication logs.	-l INFO -f AUTH	Yes
  AllowAgentForwarding	Specifies whether to allow SSH Agent forwarding.	no	Yes
  GatewayPorts	Specifies whether SSH can connect to ports on the forwarding client.	no	Yes
  PermitTunnel	Specifies whether Tunnel devices are allowed.	no	Yes
  KexAlgorithms	SSH key exchange algorithms.	curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256	Yes
  LoginGraceTime	Time limit for users passing the authentication. 0 indicates no limit. The default value is 60 seconds.	60	No

  NOTE:
  By default, the messages displayed before and after SSH login are saved in the /etc/issue.net file. The default information in the /etc/issue.net file is Authorized users only. All activities may be monitored and reported.

• Client hardening policies

  All SSH service hardening items are stored in the /etc/ssh/ssh_config configuration file. For details about the client hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see Table 2.

  Table 2 SSH hardening items on a client

  Item	Description	Suggestion	Configured as Suggested
  KexAlgorithms	SSH key exchange algorithms.	ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256	No
  VerifyHostKeyDNS	Specifies whether to verify HostKey files by using DNS or SSHFP.	ask	No

  NOTE:
  Third-party clients and servers that use the Diffie-Hellman algorithm are required to allow at least 2048-bit connection.

Other Security Suggestions

• The SSH service only listens on specified IP addresses.

  For security purposes, you are advised to only listen on required IP addresses rather than listen on 0.0.0.0 when using the SSH service. You can specify the IP addresses that SSH needs to listen on in the ListenAddress configuration item in the /etc/ssh/sshd_config file.

  1. Open and modify the /etc/ssh/sshd_config file.

     vi /etc/ssh/sshd_config
     

     The following information indicates that the bound listening IP address is 192.168.1.100. You can change the listening IP address based on the site requirements.

     ...
     ListenAddress 192.168.1.100
     ...
     

  2. Restart the SSH service.

     systemctl restart sshd.service
     

• SFTP users are restricted from access to upper-level directories.

  SFTP is a secure FTP designed to provide secure file transfer over SSH. Users can only use dedicated accounts to access SFTP for file upload and download, instead of SSH login. In addition, directories that can be accessed over SFTP are limited to prevent directory traversal attacks. The configuration process is as follows:

  NOTE:
  In the following configurations, sftpgroup is an example user group name, and sftpuser is an example username.

  1. Create an SFTP user group.

     groupadd sftpgroup
     

  2. Create an SFTP root directory.

     mkdir /sftp
     

  3. Modify the ownership of and permission on the SFTP root directory.

     chown root:root /sftp
     chmod 755 /sftp
     

  4. Create an SFTP user.

     useradd -g sftpgroup -s /sbin/nologin sftpuser
     

  5. Set the password of the SFTP user.

     passwd sftpuser
     

  6. Create a directory used to store files uploaded by the SFTP user.

     mkdir /sftp/sftpuser
     

  7. Modify the ownership of and permission on the upload directory of the SFTP user.

     chown root:root /sftp/sftpuser
     chmod 777 /sftp/sftpuser
     

  8. Modify the /etc/ssh/sshd_config file.

     vi /etc/ssh/sshd_config
     

     Modify the following information:

     #Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH
     Subsystem sftp internal-sftp -l INFO -f AUTH
     ...
     
     Match Group sftpgroup                  
         ChrootDirectory /sftp/%u
         ForceCommand internal-sftp
     

     NOTE:

     • %u is a wildcard character. Enter %u to represent the username of the current SFTP user.
     • The following content must be added to the end of the /etc/ssh/sshd_config file:

       Match Group sftpgroup                    
         ChrootDirectory /sftp/%u  
         ForceCommand internal-sftp  
     

  9. Restart the SSH service.

     systemctl restart sshd.service
     

• Remotely execute commands using SSH.

  When a command is executed remotely through OpenSSH, TTY is disabled by default. If a password is required during command execution, the password is displayed in plain text. To ensure password input security, you are advised to add the -t option to the command. Example:

  ssh -t testuser@192.168.1.100 su
  

  NOTE:
  192.168.1.100 is an example IP address, and testuser is an example username.