Secure SSH server

By Roger, Tue 06 October 2020, in category Software

config, security, ssh

This is a small tutorial for a secure SSH server. Although SSH servers are very secure, the default configuration is not always the best practice.

Configuration

Replace the file /etc/ssh/sshd_config with the content below:

Protocol                2
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication  no
PermitRootLogin         no
AllowTcpForwarding      no
X11Forwarding           no
Subsystem               sftp    /usr/libexec/sftp-server
KexAlgorithms           curve25519-sha256@libssh.org
HostKey                 /etc/ssh/ssh_host_ed25519_key
Ciphers                 aes256-gcm@openssh.com,aes256-ctr
MACs                    hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
AllowUsers              yourusername anotherusername

This will deny almost everything. Especially clear password login's are forbidden and only allowed users may login. Together with only allowing elliptic curve and special ciphers, SSH scanners on the internet have a hard time. Most scanners only use old ciphers and MACs, so it's not going to work. The AllowUser option make sure you don't allow a system user access by accident. If you want to give a user some more right, add the options below and change to your own needs. This example allows a user to login and make a portforward to the local port 80 without getting a shell.

Match User yourusername
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   AllowAgentForwarding no
   PermitOpen localhost:80
   ForceCommand read -p "Press enter to exit"

After changing the configuration, restart your server. Especially, restart from the console, not over an SSH connection. Normally your old connection should stay alive over a restart, but you never know...

service sshd restart

Generating your SSH keys

You can make a secure SSH key on your client (NOT on the server!!!) by the next command:

ssh-keygen -t ed25519

You can find your public key in ~/.ssh/id_ed25519.pub. Copy the content to your server in the file ~/.ssh/authorized_keys. Now you can make a SSH connection to your secure SSH server.