Before Beginning

  • Back up your /etc/ssh/sshd_config file before making any changes.
  • For more detailed information on the options in this guide, check the sshd_config man page (man sshd_config).
  • Do not blindly apply these security settings; design them around your environment's security policy.

Step 1: Disable Root Login

Before disabling PermitRootLogin, make sure you have a regular (non-root) user account set up for SSH access.

Step 2: Only use SSH Protocol version 2

Step 3: Configure SSH to ignore .rhosts and .shosts

You should not be using .rhosts or .shosts anyway.

Step 4: Configure LoginGraceTime

If you use SSH keys, you can set this option to 1 (one second).

Step 5: Disable PasswordAuthentication

Before disabling PasswordAuthentication, make sure you have SSH keys set up properly and that you have access to some sort of console for emergencies.

Step 6: Set LogLevel to INFO.

Unless you are debugging SSH, set the log level to INFO to capture only authentication information and disconnects.

Step 7: Configure MaxAuthTries appropriately.

If you are using SSH keys, there is no reason to have this any higher than 1.

Step 8: Enable IgnoreRhosts

Step 9: Disable HostbasedAuthentication

Step 10: Configure SSH to use strong Ciphers

Step 11: Configure ClientAliveInterval for your environment

Step 12: Disable PermitEmptyPasswords

Obvious

Step 13: Bind SSH to a specific IP address

By default SSH listens on all interfaces (0.0.0.0). Your environment may have multiple interfaces, and not all of them need SSH listening on them.

Step 14: Configure a login banner

Your company may have a specific legal banner you have to use, or you can come up with your own. This is not so much a security measure as it is a warning/COA message.

Optional

  • You can configure AllowUsers, DenyUsers, AllowGroups and DenyGroups in the /etc/ssh/sshd_config file. These do exactly what they sound like: they allow or deny specific users or groups access to the system.

Notes

  • After all changes have been made, be sure to restart your SSH server.
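As an added example (not part of the original guide), a POSIX shell audit script that checks an sshd_config file for the settings in the steps above: the directive names are real sshd_config keywords, the expected values are the ones this guide recommends for key-only authentication, and the scanning and comparison logic is the example's own.

```shell
# Audit an sshd_config against this guide's settings. Usage: sh audit_sshd.sh /etc/ssh/sshd_config
# Directives the guide sets to a fixed value (values assume key-only auth, as the guide does).
# Values are lowercase because the comparison below is case-insensitive, like sshd's own parser.
WANT='PermitRootLogin no
Protocol 2
IgnoreRhosts yes
LoginGraceTime 1
PasswordAuthentication no
LogLevel info
MaxAuthTries 1
HostbasedAuthentication no
PermitEmptyPasswords no'
# Directives whose value is site-specific (strong ciphers, idle timeout, bind address, banner);
# only their presence is checked.
PRESENT='Ciphers ClientAliveInterval ListenAddress Banner'

# Effective value of a directive: sshd honours the FIRST uncommented occurrence, and
# anything after a Match block is conditional, so scanning stops there.
sshd_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Prints one PASS/FAIL line per directive; returns the number of failed checks.
audit_sshd_config() {
    cfg=$1 fails=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    while read -r key want; do
        got=$(sshd_value "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            printf 'PASS %-24s %s\n' "$key" "$got"
        else
            printf 'FAIL %-24s got "%s", want "%s"\n' "$key" "${got:-unset}" "$want"
            fails=$((fails + 1))
        fi
    done <<EOF
$WANT
EOF
    for key in $PRESENT; do
        if [ -n "$(sshd_value "$cfg" "$key")" ]; then
            printf 'PASS %-24s set\n' "$key"
        else
            printf 'FAIL %-24s not set; choose a value for your environment\n' "$key"
            fails=$((fails + 1))
        fi
    done
    return $fails
}
if [ $# -gt 0 ]; then audit_sshd_config "$1"; fi
```

Note that MaxAuthTries counts every key a client offers, so a user with several keys loaded in an agent needs the right key offered first; after editing, run `sshd -t` to syntax-check the file before restarting the server.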

References