System Services
Hardening the SSH Service
Description
The Secure Shell (SSH) is a protocol for secure remote login and other network services over an untrusted network. SSH encrypts all transferred data, so a remote management session does not disclose credentials or commands to anyone on the path, and it authenticates the server with a host key, so a client that already knows the host key detects domain name server (DNS) spoofing or IP spoofing that redirects it to an impostor. OpenSSH is the open source implementation of the SSH protocol shipped by most Linux distributions; it was created as a free alternative to the proprietary SSH implementation.
Hardening the SSH service means adjusting the OpenSSH configuration to restrict the algorithms and authentication parameters the service accepts, improving system security. Table 1 describes the hardening items, recommended hardening values, and default policies.
Implementation
To harden a server, perform the following steps:
Open the configuration file /etc/ssh/sshd_config of the SSH service on the server, and modify or add hardening items and values in the file.
Save the /etc/ssh/sshd_config file.
Run the following command to restart the SSH service:
systemctl restart sshd
To harden a client, perform the following steps:
Open the configuration file /etc/ssh/ssh_config of the SSH service on the client, and modify or add hardening items and values in the file.
Save the /etc/ssh/ssh_config file.
Hardening Items
Server hardening policies
All SSH service hardening items are stored in the /etc/ssh/sshd_config configuration file. For details about the server hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see Table 1.
Table 1 SSH hardening items on a server
NOTE: The message shown before SSH login (the Banner item) is read from the /etc/issue.net file. The default content of /etc/issue.net is: Authorized users only. All activities may be monitored and reported.
Client hardening policies
All SSH service hardening items are stored in the /etc/ssh/ssh_config configuration file. For details about the client hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see Table 2.
Table 2 SSH hardening items on a client
KexAlgorithms (recommended value): ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
VerifyHostKeyDNS: Specifies whether to verify the server host key by using SSHFP resource records in DNS.
NOTE: Because diffie-hellman-group-exchange-sha256 is in the recommended list, third-party clients and servers that use Diffie-Hellman group exchange must support groups of at least 2048 bits; smaller groups are not accepted.
Other Security Suggestions
The SSH service only listens on specified IP addresses.
For security purposes, you are advised to have the SSH service listen only on the addresses that need it rather than on all addresses (the default, equivalent to 0.0.0.0 for IPv4 and :: for IPv6). Specify the addresses in the ListenAddress configuration item in the /etc/ssh/sshd_config file; the item may be repeated to listen on several addresses.
Open and modify the /etc/ssh/sshd_config file.
vi /etc/ssh/sshd_config
The following information indicates that the bound listening IP address is 192.168.1.100. You can change the listening IP address based on the site requirements.
...
ListenAddress 192.168.1.100
...
Restart the SSH service.
systemctl restart sshd.service
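After the restart, confirm that sshd no longer accepts connections on every interface. The function below is an added example for this page, not part of the original document or of OpenSSH: it reads the output of ss -Hltn (header suppressed, listening TCP sockets, numeric) and prints the wildcard local addresses found for the given port, so any output at all means ListenAddress is not restricting the service. SAMPLE_SS is a constructed sample of ss output for offline use, not captured from a real host.

```shell
# Constructed sample of `ss -Hltn` output (columns: State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port). Not captured from a real system.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 192.168.1.100:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*'

# wildcard_listeners PORT
# Reads `ss -Hltn` style lines on stdin and prints each local address that
# accepts connections to PORT on every interface (0.0.0.0, [::] or *).
# Exit status is 0 when at least one wildcard listener was found.
wildcard_listeners() {
  port=$1
  awk -v port="$port" '
    {
      n = split($4, a, ":")                          # port follows the last colon
      p = a[n]
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (p == port && (addr == "0.0.0.0" || addr == "[::]" || addr == "*")) {
        print addr
        found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}
# usage: ss -Hltn | wildcard_listeners 22 && echo "sshd still listens on all interfaces"
```

On an iproute2 build without -H, use ss -ltn | tail -n +2 instead. An equivalent check that needs no socket listing is sshd -T | grep listenaddress, which prints the effective listening addresses after all configuration has been parsed.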
SFTP users are restricted from access to upper-level directories.
SFTP (the SSH File Transfer Protocol) transfers files over an SSH connection; despite the name it is unrelated to FTP. With the configuration below, dedicated accounts can upload and download files over SFTP but cannot obtain a shell, and each account is confined (chrooted) to its own directory so it cannot browse or traverse the rest of the file system. The configuration process is as follows:
NOTE: In the following configurations, sftpgroup is an example user group name, and sftpuser is an example username.
Create an SFTP user group.
groupadd sftpgroup
Create an SFTP root directory.
mkdir /sftp
Modify the ownership of and permission on the SFTP root directory.
chown root:root /sftp
chmod 755 /sftp
Create an SFTP user.
useradd -g sftpgroup -s /sbin/nologin sftpuser
Set the password of the SFTP user.
passwd sftpuser
Create an SFTP user directory.
mkdir /sftp/sftpuser
Modify the ownership of and permission on the SFTP user directory. This directory becomes the user's chroot root (/sftp/%u below), so it must be owned by root and must not be writable by group or others; otherwise sshd refuses the login with "bad ownership or modes for chroot directory". The user writes only into the upload subdirectory created in the next step.
chown root:root /sftp/sftpuser
chmod 755 /sftp/sftpuser
Create a directory used to store files uploaded by the SFTP user.
mkdir /sftp/sftpuser/sftpupload
Modify the ownership of the upload directory of the SFTP user.
chown sftpuser:sftpgroup /sftp/sftpuser/sftpupload
Modify the /etc/ssh/sshd_config file.
vi /etc/ssh/sshd_config
Modify the following information:
#Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH
Subsystem sftp internal-sftp -l INFO -f AUTH
...
Match Group sftpgroup
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
NOTE:
%u is a token that sshd expands to the name of the authenticating user, so each member of sftpgroup is chrooted into /sftp/<username>.
internal-sftp runs inside the sshd process itself, so it works in a chroot that contains no shell or binaries and with the /sbin/nologin shell assigned above.
The Match block must be added at the end of the /etc/ssh/sshd_config file, because every directive that follows a Match line belongs to that block until the next Match line; a global option placed after it would silently apply only to sftpgroup.
Match Group sftpgroup
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
Restart the SSH service.
systemctl restart sshd.service
Remotely execute commands using SSH.
When a command is passed to ssh on the command line, OpenSSH does not allocate a pseudo-terminal (TTY) by default. A program such as su that prompts for a password then has no terminal on which to turn off echo, so the password you type is displayed in plain text. To protect the password, add the -t option, which forces pseudo-terminal allocation. Example:
ssh -t testuser@192.168.1.100 su
NOTE: 192.168.1.100 is an example IP address, and testuser is an example username.