Version: 25.03

Hardening the SSH Service

Description

Secure Shell (SSH) is a security protocol for remote logins and other network services. By encrypting all transferred data, SSH prevents information disclosure during remote management and defends against attacks such as domain name server (DNS) spoofing and IP spoofing. OpenSSH was created as an open source alternative to the proprietary SSH protocol implementation.

Hardening the SSH service means adjusting the configuration of the OpenSSH service, in particular its algorithm and authentication parameters, to improve system security. Table 1 describes the hardening items, the recommended hardening values, and whether the default policy already matches each recommendation.

Implementation

To harden a server, perform the following steps:

  1. Open the SSH service configuration file /etc/ssh/sshd_config on the server, and modify or add the hardening items and values in the file.

  2. Save the /etc/ssh/sshd_config file.

  3. Run the following command to restart the SSH service:

    systemctl restart sshd

To harden a client, perform the following steps:

  1. Open the SSH client configuration file /etc/ssh/ssh_config on the client, and modify or add the hardening items and values in the file.

  2. Save the /etc/ssh/ssh_config file.

  3. Run the following command to restart the SSH service:

    systemctl restart sshd

Hardening Items

  • Server hardening policies

    All SSH service hardening items are stored in the /etc/ssh/sshd_config configuration file. For details about the server hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see Table 1.

    Table 1 SSH hardening items on a server

    | Item | Description | Suggestion | Configured as Suggested |
    |---|---|---|---|
    | Protocol | SSH protocol version. | 2 | Yes |
    | SyslogFacility | Log facility used by the SSH service. AUTH selects the authentication log facility. | AUTH | Yes |
    | LogLevel | Verbosity of sshd logging. | VERBOSE | Yes |
    | X11Forwarding | Whether X11 (GUI) forwarding is allowed over an SSH session. | no | Yes |
    | MaxAuthTries | Maximum number of authentication attempts allowed per connection. | 3 | No |
    | PubkeyAuthentication | Whether public key authentication is allowed. | yes | Yes |
    | RSAAuthentication | Whether pure RSA authentication is allowed. | yes | Yes |
    | IgnoreRhosts | Whether the rhosts and shosts files are ignored during authentication. These files list the remote hosts and login names that are trusted for remote access. | yes | Yes |
    | RhostsRSAAuthentication | Whether rhosts-based authentication combined with RSA host authentication is used. The rhosts file lists the remote hosts and login names that are trusted for remote access. | no | Yes |
    | HostbasedAuthentication | Whether host-based authentication is used, under which any user of a trusted client host can use the SSH service. | no | Yes |
    | PermitRootLogin | Whether user root is allowed to log in to the system using SSH. NOTE: If you want to log in to the system using SSH as user root, set PermitRootLogin to yes in the /etc/ssh/sshd_config file. | no | No |
    | PermitEmptyPasswords | Whether accounts with empty passwords can log in. | no | Yes |
    | PermitUserEnvironment | Whether environment variables set in ~/.ssh/environment and ~/.ssh/authorized_keys are processed. | no | Yes |
    | Ciphers | Encryption algorithms allowed for SSH data transmission. | aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com | Yes |
    | ClientAliveCountMax | Timeout count: the number of client-alive requests the server may send without receiving a response before it disconnects the client. | 0 | No |
    | Banner | File containing the message displayed before and after SSH login. | /etc/issue.net | Yes |
    | MACs | Message authentication code (hash) algorithms used for SSH data integrity checking. | hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com | Yes |
    | StrictModes | Whether sshd checks the permissions on and ownership of the user's home directory and rhosts files before accepting a login. | yes | Yes |
    | UsePAM | Whether PAM is used for login authentication. | yes | Yes |
    | AllowTcpForwarding | Whether TCP forwarding is allowed. | no | Yes |
    | Subsystem sftp /usr/libexec/openssh/sftp-server | SFTP subsystem logging: INFO level, written to the AUTH (authentication) log facility. | -l INFO -f AUTH | Yes |
    | AllowAgentForwarding | Whether SSH agent forwarding is allowed. | no | Yes |
    | GatewayPorts | Whether remote hosts are allowed to connect to ports forwarded for the client. | no | Yes |
    | PermitTunnel | Whether tunnel (tun) device forwarding is allowed. | no | Yes |
    | KexAlgorithms | SSH key exchange algorithms. | curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | Yes |
    | LoginGraceTime | Time allowed for a user to complete authentication, in seconds. 0 indicates no limit. The default value is 60 seconds. | 60 | No |

    NOTE

    By default, the message displayed before and after SSH login is stored in the /etc/issue.net file. The default content of /etc/issue.net is "Authorized users only. All activities may be monitored and reported."

  • Client hardening policies

    All SSH service hardening items are stored in the /etc/ssh/ssh_config configuration file. For details about the client hardening items, hardening suggestions, and whether the hardening items are configured as suggested, see Table 2.

    Table 2 SSH hardening items on a client

    | Item | Description | Suggestion | Configured as Suggested |
    |---|---|---|---|
    | KexAlgorithms | SSH key exchange algorithms. | ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 | No |
    | VerifyHostKeyDNS | Whether host keys are verified using SSHFP records in DNS. | ask | No |

    NOTE

    Third-party clients and servers that use Diffie-Hellman key exchange must support groups of at least 2048 bits.
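Because the hardening procedure above amounts to editing /etc/ssh/sshd_config and restarting sshd, it is worth being able to confirm afterwards that the effective values match Table 1. The following shell script is an added example and is not part of the openEuler documentation or of OpenSSH. It reads a configuration file with sshd's own rules (keywords are case-insensitive, the first value given for a keyword is the effective one, and lines inside a Match block do not set global values) and compares a subset of the Table 1 items against the recommended values. The sample configuration it writes is constructed for the demonstration; on a live host, `sshd -T` remains the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Added example, not part of the openEuler page: audit an sshd_config against
# the server values recommended in Table 1. It reads the file the way sshd
# does: keywords are case-insensitive, the FIRST value given for a keyword is
# the effective one, and lines inside a Match block do not set global values.
# Only the "Keyword value" form is handled (the "Keyword=value" form is not).

# Print the effective global value of keyword $2 in the config file $1.
# Prints nothing when the keyword is not set, in which case sshd's
# compiled-in default applies.
effective_value() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "match" { exit }                   # global section ends at first Match
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")                            # and trailing blanks
            print
            exit                                                # first value wins
        }
    ' "$1"
}

# Compare the effective values in $1 with the recommendations and print one
# OK/FAIL line per item plus a summary line. Always returns 0 so it can be
# used in a pipeline; the FAIL count is in the summary.
audit_sshd_config() {
    cfg=$1
    bad=0
    # keyword|recommended value, taken from Table 1 on the page
    while IFS='|' read -r kw want; do
        got=$(effective_value "$cfg" "$kw")
        if [ "$got" = "$want" ]; then
            printf 'OK    %-22s %s\n' "$kw" "$got"
        else
            printf 'FAIL  %-22s got "%s", want "%s"\n' "$kw" "${got:-<unset>}" "$want"
            bad=$((bad + 1))
        fi
    done <<'EOF'
Protocol|2
LogLevel|VERBOSE
X11Forwarding|no
MaxAuthTries|3
PermitRootLogin|no
PermitEmptyPasswords|no
PermitUserEnvironment|no
AllowTcpForwarding|no
AllowAgentForwarding|no
ClientAliveCountMax|0
LoginGraceTime|60
EOF
    printf 'mismatches: %d\n' "$bad"
    return 0
}

# Print only the number of FAIL lines the audit produces for $1.
count_mismatches() {
    audit_sshd_config "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# Write a constructed sample sshd_config (not any real host's file) to a temp
# file and print its path. It deliberately contains a duplicate keyword, a
# commented-out item, a lower-case keyword and a Match block.
write_sample_config() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample, not a real host's configuration
Protocol 2
loglevel VERBOSE
X11Forwarding no
#MaxAuthTries 3
PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
PermitUserEnvironment no
AllowTcpForwarding yes
AllowAgentForwarding no
ClientAliveCountMax 3
LoginGraceTime 60
Subsystem sftp internal-sftp -l INFO -f AUTH

Match Group sftpgroup
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
    X11Forwarding yes
EOF
    printf '%s\n' "$f"
}

# Audit the file named on the command line, or the constructed sample if none is given.
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
else
    sample=$(write_sample_config)
    audit_sshd_config "$sample"
    rm -f "$sample"
fi
```

Run the script with the path to an sshd_config to audit that file. Without arguments it audits the constructed sample, which reports three mismatches (MaxAuthTries is commented out, AllowTcpForwarding is yes, ClientAliveCountMax is 3) and shows that the later PermitRootLogin yes line does not override the earlier no, and that the X11Forwarding yes inside the Match block does not change the global value.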

Other Security Suggestions

  • The SSH service only listens on specified IP addresses.

    For security purposes, you are advised to listen only on the required IP addresses rather than on 0.0.0.0 when using the SSH service. Specify the IP addresses that SSH listens on in the ListenAddress configuration item of the /etc/ssh/sshd_config file.

    1. Open and modify the /etc/ssh/sshd_config file.

      vi /etc/ssh/sshd_config

      The following line binds the listener to 192.168.1.100 (an example address); change it according to the site requirements.

      ...
      ListenAddress 192.168.1.100
      ...

    2. Restart the SSH service.

      systemctl restart sshd.service

  • SFTP users are restricted from accessing upper-level directories.

    SFTP provides secure file transfer over SSH. Users access SFTP with dedicated accounts for uploading and downloading files only, without interactive SSH login. In addition, the directories reachable over SFTP are confined to prevent directory traversal. The configuration process is as follows:

    NOTE

    In the following configurations, sftpgroup is an example user group name, and sftpuser is an example username.

    1. Create an SFTP user group.

      groupadd sftpgroup

    2. Create an SFTP root directory.

      mkdir /sftp

    3. Modify the ownership of and permission on the SFTP root directory.

      chown root:root /sftp
      chmod 755 /sftp

    4. Create an SFTP user with a non-login shell.

      useradd -g sftpgroup -s /sbin/nologin sftpuser

    5. Set the password of the SFTP user.

      passwd sftpuser

    6. Create a directory used to store files uploaded by the SFTP user.

      mkdir /sftp/sftpuser

    7. Modify the ownership of and permission on the upload directory of the SFTP user.

      chown root:root /sftp/sftpuser
      chmod 777 /sftp/sftpuser

    8. Modify the /etc/ssh/sshd_config file.

      vi /etc/ssh/sshd_config

      Modify the following information:

      #Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH
      Subsystem sftp internal-sftp -l INFO -f AUTH
      ...

      Match Group sftpgroup
          ChrootDirectory /sftp/%u
          ForceCommand internal-sftp

      NOTE

      • %u is a token that sshd expands to the username of the connecting SFTP user.
      • The following content must be added to the end of the /etc/ssh/sshd_config file:

        Match Group sftpgroup
          ChrootDirectory /sftp/%u
          ForceCommand internal-sftp

    9. Restart the SSH service.

      systemctl restart sshd.service

  • Remotely execute commands using SSH.

    When a command is executed remotely through OpenSSH, no pseudo-terminal (TTY) is allocated by default. If the command prompts for a password, the typed password is echoed in plain text. To protect password input, add the -t option to force TTY allocation. Example:

    ssh -t testuser@192.168.1.100 su

    NOTE

    192.168.1.100 is an example IP address, and testuser is an example username.
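The SFTP chroot procedure above depends on a requirement that sshd enforces before it chroots a user: every component of the ChrootDirectory path, from / down to the chroot itself, must be a root-owned directory that is not writable by group or others, otherwise the login fails with "bad ownership or modes for chroot directory component" in the log. With the layout in steps 6 and 7, /sftp/sftpuser is both the ChrootDirectory and a world-writable directory, which is exactly what this check reports; the usual arrangement is a root-owned, mode 755 chroot that contains a user-owned subdirectory for uploads. The following shell script is an added example, not part of the openEuler documentation or of OpenSSH; it reproduces sshd's component check so a directory layout can be validated before the service is restarted. It assumes GNU stat (Linux) and a normalized absolute path.

```shell
#!/bin/sh
# Added example, not part of the openEuler page: check a ChrootDirectory path
# the way sshd does before it chroots an SFTP user. Every component of the
# path, from / down to the chroot itself, must be a root-owned directory that
# is not writable by group or others; otherwise sshd refuses the login and
# logs "bad ownership or modes for chroot directory component". A writable
# upload area therefore belongs in a subdirectory inside the chroot, never on
# the chroot directory itself. Assumes GNU stat (Linux).

# Decide whether one path component is acceptable from its numeric owner ($1)
# and its symbolic mode string ($2) as printed by `stat -c %A`, e.g. drwxr-xr-x.
# Returns 0 when acceptable, 1 otherwise.
component_ok() {
    [ "$1" = 0 ] || return 1                 # must be owned by root
    case $2 in
        ?????w*)    return 1 ;;              # group write bit set
        ????????w*) return 1 ;;              # other write bit set (sticky /tmp included)
    esac
    return 0
}

# Walk an absolute path one component at a time and report the first one
# sshd would reject. Prints OK or REJECT and returns 0 or 1 accordingly.
check_chroot_path() {
    target=$1
    case $target in
        /*) ;;
        *)  printf 'need an absolute path: %s\n' "$target" >&2; return 2 ;;
    esac
    cur=/
    rest=${target#/}
    while :; do
        uid=$(stat -c '%u' "$cur" 2>/dev/null) || { printf 'cannot stat %s\n' "$cur"; return 1; }
        perm=$(stat -c '%A' "$cur")
        if ! component_ok "$uid" "$perm"; then
            printf 'REJECT %s (uid %s, mode %s)\n' "$cur" "$uid" "$perm"
            return 1
        fi
        [ -n "$rest" ] || break              # the full path has been checked
        next=${rest%%/*}                     # next component name
        rest=${rest#"$next"}                 # strip it from the remainder
        rest=${rest#/}                       # and the separator after it
        cur=${cur%/}/$next
    done
    printf 'OK %s\n' "$target"
    return 0
}

# Check the path named on the command line, e.g. the ChrootDirectory of one user.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it with the chroot path as the argument (for the procedure above, /sftp/sftpuser). A REJECT line names the offending component together with its owner and mode, which is the same information sshd's log message refers to; an OK result means sshd will accept the chroot, and the per-user writable directory can then be created inside it.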