Introduction
Linux servers are often administered remotely via SSH by connecting to an OpenSSH server, the default SSH server software for Ubuntu, Debian, CentOS, FreeBSD, and most Linux/BSD-based systems.
OpenSSH server, also known as the SSH daemon or sshd, allows remote management through an OpenSSH client using the ssh command. Securing your OpenSSH server is crucial, as it serves as the primary access point to your server.
In this guide, you will harden your OpenSSH server by configuring options to enhance security.
Prerequisites
To follow this guide, you will need:
- An Ubuntu 20.04 server with a non-root sudo user.
- Log in to your server as the non-root user to begin.
Step 1 — General Hardening
To begin, you will implement initial hardening configurations to secure your SSH server.
The configurations outlined here offer general security suitable for most servers. However, they can be further tailored based on your own threat model.
Backup Existing Configuration
First, back up your current SSH configuration file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Review Default SSH Configuration
To view the current default OpenSSH settings, run:
sudo sshd -T
Edit the OpenSSH Configuration
Next, open the configuration file for editing:
sudo nano /etc/ssh/sshd_config
The following hardening options should be applied. Each directive goes on its own line in sshd_config:
- Disable root login: set PermitRootLogin to no to prevent root logins:
PermitRootLogin no
- Limit authentication attempts: set MaxAuthTries to 3:
MaxAuthTries 3
- Reduce login grace time: set LoginGraceTime to 20 seconds:
LoginGraceTime 20
- Disable password authentication: if you log in with SSH keys, disable password authentication (confirm key-based login works first, or you will lock yourself out):
PasswordAuthentication no
- Disable empty passwords: prevent logins with empty passwords:
PermitEmptyPasswords no
- Disable unnecessary authentication methods:
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
- Disable X11 forwarding:
X11Forwarding no
- Disallow user environment variables:
PermitUserEnvironment no
- Disable forwarding and tunneling:
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
- Disable the verbose SSH banner (this option exists only in Debian and Ubuntu builds of OpenSSH):
DebianBanner no
After editing, validate the configuration file:
sudo sshd -t
If there are no errors, reload the SSH daemon to apply changes:
sudo systemctl reload sshd.service
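After the reload, check that the effective settings are what you intended rather than trusting the edit. The following POSIX shell script is an added example, not part of this guide: it compares the output of sudo sshd -T against the Step 1 values. The function name audit_sshd and the sample output are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the guide: compare what `sudo sshd -T` prints (lowercase
# "key value" lines, the effective settings) against the Step 1 values.

# Step 1 directives to verify (DebianBanner, a Debian patch option, is left out).
EXPECTED="permitrootlogin no
maxauthtries 3
logingracetime 20
passwordauthentication no
permitemptypasswords no
challengeresponseauthentication no
kerberosauthentication no
gssapiauthentication no
x11forwarding no
permituserenvironment no
allowagentforwarding no
allowtcpforwarding no
permittunnel no"

# audit_sshd: reads sshd -T output on stdin; prints each directive that is
# missing or differs from EXPECTED; exit status 0 only when everything matches.
audit_sshd() {
    actual=$(cat)
    report=$(printf '%s\n' "$EXPECTED" | while read -r key want; do
        got=$(printf '%s\n' "$actual" | awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        if [ -z "$got" ]; then
            printf 'MISSING  %s (expected %s)\n' "$key" "$want"
        elif [ "$got" != "$want" ]; then
            printf 'DEVIATES %s (expected %s, effective %s)\n' "$key" "$want" "$got"
        fi
    done)
    [ -z "$report" ] || { printf '%s\n' "$report"; return 1; }
}

# Constructed excerpt resembling stock Ubuntu 20.04 output (not a real capture).
SAMPLE_STOCK="port 22
permitrootlogin prohibit-password
maxauthtries 6
logingracetime 120
passwordauthentication yes
permitemptypasswords no
x11forwarding yes
allowtcpforwarding yes"

# On a server (after sourcing this file): sudo sshd -T | audit_sshd
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_STOCK" | audit_sshd || echo "sshd is not fully hardened"
```

Directives absent from the sshd -T output are reported as MISSING so that a typo in a directive name, which sshd would reject at start-up, is also visible here.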
Step 2 — Implementing an IP Address Allowlist
You can limit access to your server by implementing an IP address allowlist.
Identify Your Current IP Address
Run the following command; it lists the logged-in users and, in its FROM column, the address each session connected from, including your own:
w
Edit the Configuration
To restrict user access to specific IP addresses, add an AllowUsers line to the SSH configuration file. Entries take the form user@host; the * wildcard matches any user, and localhost in the example below stands in for the address you identified in the previous step. Keep your current session open until you have confirmed a new connection succeeds:
AllowUsers *@localhost
Test and apply the configuration:
sudo sshd -t
sudo systemctl reload sshd.service
Step 3 — Restricting User Shell Access
You can restrict specific users to SFTP-only access or disable interactive shell access.
Create a User with Restricted Shell
To create a new user with no interactive shell access:
sudo adduser --shell /usr/sbin/nologin user
Configure SFTP-Only Access
Edit the SSH configuration to restrict the user account to SFTP. Place the Match block at the end of the file, since every line after a Match line belongs to that block, and note that sshd requires the ChrootDirectory to be owned by root and not writable by any other user:
Match User user
ForceCommand internal-sftp
ChrootDirectory /home/user/
Validate and reload the configuration:
sudo sshd -t
sudo systemctl reload sshd.service
Step 4 — Advanced Hardening
Further harden your OpenSSH server by applying per-key restrictions in the .ssh/authorized_keys file.
Edit Authorized Keys File
To restrict features for specific SSH keys, add the following options to the beginning of the key line in ~/.ssh/authorized_keys:
no-agent-forwarding,no-X11-forwarding ssh-rsa AAAB...
Alternatively, use the restrict option to block all features by default:
restrict,command="false" ssh-rsa AAAB...
This concludes the advanced hardening steps.
Conclusion
You have now applied several hardening measures to your OpenSSH server, reducing its attack surface and enhancing security.