After having hardened Apache during the previous post over here, we’ll take a look at OpenSSH.

Why ?

‘Cause if you secure your web server, it’s good to enforce some “good” rules on your SSH server too, unless securing your web server would be pointless

Content

In order to set up a “hardened” OpenSSH, just edit your /etc/ssh/sshd_config, after having backup’ed your current configuration (cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup), and paste the following (please, do adapt it to what you actually need / want) :

# You should set another port here
Port 22
Protocol 2

HostKey /etc/ssh/ssh_host_ed25519_key

UsePrivilegeSeparation yes

# If you run a Debian distribution...
DebianBanner no

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 120
PermitRootLogin no
StrictModes yes
MaxAuthTries 3

RSAAuthentication no
PubkeyAuthentication yes
# Should be set to `no`
PasswordAuthentication yes

IgnoreRhosts yes
HostbasedAuthentication no

PermitEmptyPasswords no
ChallengeResponseAuthentication no

X11Forwarding no
AllowTcpForwarding no

PrintMotd no
PrintLastLog yes
TCPKeepAlive yes

PermitUserEnvironment no
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UseDNS yes
UsePAM yes

# If you want to limit the connection to specific users (or groups) from specific networks...
AllowUsers root@192.168.0/24
AllowGroups ssh@192.168.0/24

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

Once you have adapted and paste the content above, you’ll have to get rid of the moduli the less secure.
In order to achieve this, please copy / paste the BASH snippet below (taken and one-line’d from here) :

cd /etc/ssh/
if [[ -e ./moduli ]]; then cp moduli moduli.backup && awk '$5 > 2000' moduli > moduli.tmp; if [[ $(wc -l moduli.tmp | cut -d ' ' -f 1) -ne 0 ]]; then mv moduli.tmp moduli; else echo "No secure Moduli available..."; fi; else ssh-keygen -G moduli.all -b 4096 && ssh-keygen -T moduli.safe -f moduli.all && mv moduli.safe moduli && rm moduli.all; fi

Let’s do the same with your keys ( DANGEROUS OPERATION ) :

rm ssh_host_*key*
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null

Now, you have to manually add the sessions that will have the right to connect through SSH :

(# addgroup ssh)
# usermod -G ssh <yourSession>

Only if you went through all the previous actions correctly, you can check your OpenSSH configuration with :

# sshd -t

If it’s okay too, you may now reload the SSH daemon :

(# service ssh reload)
# systemctl reload ssh

Now DON’T CLOSE YOUR CURRENT REMOTE SESSION, and try to open a new one

Also, if everything is still okay, you can delete the old backups !

# rm {sshd_config,moduli}.backup

---

EDIT 2017-11-26 : I’ve done the same thing for my OpenSSH Client, you should take a look at it over here !

---

Sources

• Default OpenSSH ssh[d]_config files packaged in Debian

• Hardening OpenSSH

• OpenSSH Security and Hardening

• Secure Secure Shell

• CryptCheck

• Security/Guidelines/OpenSSH

• How To Configure Custom Connection Options for your SSH Client

• Recommandations pour un usage sécurisé d’(Open)SSH (ANSSI)

• Upgrade your SSH keys!