#Linux #Harden #SSH

Secure shell

22 April 2025 •

4 min read • 4 views

Configure and secure your ssh access.

Configure and secure your ssh access.

Test security

For this tuto, to test the security of SSH, we use two scripts [Lynis] and [ssh-audit] available in many Linux distro.

We also look tips from https://www.ssh-audit.com/hardening_guides.html

Run audit tools

To check what need to be modified, start the following script.

ssh-audit:

ssh-audit localhost:22

Lynis:

lynis audit system

Final Config

Create a new linux group 'ssh-group'

groupadd ssh-user
usermod -a -G ssh-user <username>

Recreate ssh key generated by default, RSA used can be 2048 or worse.

rm /etc/ssh/ssh_host_*
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""

Remove small Diffie-Hellman moduli

awk '$5 >= 3071' /etc/ssh/moduli > /tmp/ssh_moduli.safe
mv /tmp/ssh_moduli.safe /etc/ssh/moduli
chmod 644 /etc/ssh/moduli

sshd_config

$EDITOR /etc/ssh/sshd_config

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

RequiredRSASize 3072

CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

#
# With Lynis
#
AllowTcpForwarding no
ClientAliveCountMax 2
ClientAliveInterval 0
FingerprintHash sha256 # (default)
GatewayPorts no # (default)
IgnoreRhosts yes # (default)
LoginGraceTime 120 # (default)
LogLevel VERBOSE
MaxAuthTries 3
MaxSessions 2
PermitRootLogin no
PermitUserEnvironment no # (default)
PermitTunnel no # add yes for ethernet, tun or point-to-point
Port 22 # Could/Should? be changed
PrintLastLog yes
StrictModes yes # (default)
TCPKeepAlive no
UseDNS no # (default)
X11Forwarding no
AllowAgentForwarding no
#AllowUsers # no need if use AllowGroups
AllowGroups ssh-user
Compression no

ssh_config

$EDITOR /etc/ssh/ssh_config

Host *
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-gcm@openssh.com,aes128-ctr
    KexAlgorithms sntrup761x25519-sha512@openssh.com,gss-curve25519-sha256-,curve25519-sha256,curve25519-sha256@libssh.org,gss-group16-sha512-,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
    MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
    RequiredRSASize 3072
    HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
    CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
    GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
    HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
    PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

Restart ssh service

With systemd:

systemctl restart sshd

No connected to write comment