Essential sshd_config Hardening

The SSH daemon configuration file (/etc/ssh/sshd_config) controls server behavior and security policy. Configuring it properly closes off common weaknesses and enforces strong security practices.

Create a backup before making changes:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d)

Implement core security settings:

# /etc/ssh/sshd_config
# Security-focused SSH server configuration
# Comments are kept on their own lines: OpenSSH releases before 8.x reject a
# trailing "# ..." after a directive ("garbage at end of line").

# Network and Protocol Settings
# Consider changing to a non-standard port
Port 22
# IPv4 only; use 'any' for IPv4+IPv6
AddressFamily inet
# Specify a single interface address if the host has several
ListenAddress 0.0.0.0
# Never use Protocol 1 (OpenSSH 7.4+ speaks only SSH-2 and ignores this deprecated keyword)
Protocol 2

# Authentication Settings
# Never allow direct root login
PermitRootLogin no
# Enable key-based authentication
PubkeyAuthentication yes
# Disable password authentication
PasswordAuthentication no
# Never allow blank passwords
PermitEmptyPasswords no
# Disable challenge-response (keyboard-interactive) authentication;
# OpenSSH 8.7+ spells this KbdInteractiveAuthentication and keeps the old name as an alias
ChallengeResponseAuthentication no
# Enable PAM for additional security features (account and session checks)
UsePAM yes

# Key and Cipher Configuration
HostKey /etc/ssh/ssh_host_ed25519_key
# RSA for compatibility with older clients
HostKey /etc/ssh/ssh_host_rsa_key

# Modern cipher suite (remove weak algorithms)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Strong MAC algorithms (encrypt-then-MAC variants only)
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

# Secure key exchange algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

# User Access Control
# Allow only the listed accounts
AllowUsers alice bob charlie
# Alternative: AllowGroups ssh-users
# Explicitly deny accounts (DenyUsers is evaluated before AllowUsers)
DenyUsers root admin guest
# DenyGroups nossl

# Connection Settings
# Probe an idle client every 300 seconds (5 minutes)
ClientAliveInterval 300
# Disconnect after 2 unanswered probes (10 minutes idle)
ClientAliveCountMax 2
# Limit authentication attempts per connection
MaxAuthTries 3
# Limit concurrent sessions per network connection
MaxSessions 10
# Detect broken connections
TCPKeepAlive yes

# Security Restrictions
# Check ownership and permissions of user files before trusting them
StrictModes yes
# Ignore .rhosts files
IgnoreRhosts yes
# Disable host-based authentication
HostbasedAuthentication no
# Don't read user environment files
PermitUserEnvironment no
# Disable X11 forwarding (enable if needed)
X11Forwarding no
# Disable motd to reduce information leakage
PrintMotd no
# Show last login
PrintLastLog yes
# Disable tunneling (enable if needed)
PermitTunnel no

# Logging Configuration
# Detailed logging for security monitoring (VERBOSE records the key fingerprint used for each login)
LogLevel VERBOSE
# Log to the auth facility
SyslogFacility AUTH

# Banner Configuration
# Warning banner shown before authentication; the file must exist
Banner /etc/ssh/banner.txt

# Subsystems
# Path is the Debian/Ubuntu location; other distributions differ, or use the built-in "internal-sftp"
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO

Test the configuration before applying it, and keep your current session open until a fresh login succeeds:

# Validate configuration syntax
sudo sshd -t

# Dump the effective configuration (every directive, including defaults) and review it
sudo sshd -T | less

# Apply configuration (the unit is named ssh rather than sshd on Debian/Ubuntu)
sudo systemctl reload sshd
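An added audit script (example code written for this page, not part of the original or of OpenSSH) that reads an sshd_config the way sshd does: keywords are case-insensitive, the first occurrence of a keyword wins, '#' starts a comment, and directives after a Match line are scoped to that block. It reports deviations from the baseline above and flags legacy algorithms; the BASELINE table, the WEAK_ALGOS list and the SAMPLE_WEAK file are constructed for this example.

```python
"""Audit an sshd_config against the baseline above using sshd's own parsing rules: keywords
are case-insensitive, the FIRST occurrence wins, '#' starts a comment, Match lines scope."""
import re

# Global values this page's baseline expects (keyword -> value, lowercased).
BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no",
            "permitemptypasswords": "no", "pubkeyauthentication": "yes",
            "x11forwarding": "no", "maxauthtries": "3", "loglevel": "verbose"}
WEAK_ALGOS = ("-cbc", "arcfour", "3des", "hmac-md5", "hmac-sha1", "group1-", "group14-sha1")  # legacy

def parse_sshd_config(text):
    """Return (global_settings, match_blocks); each keeps first-occurrence-wins semantics."""
    global_cfg, match_blocks, current = {}, [], None
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())  # drop comments
    for line in filter(None, lines):                                      # and blank lines
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":                      # directives below apply conditionally
            match_blocks.append(current := {"criteria": value, "settings": {}})
            continue
        (current["settings"] if current else global_cfg).setdefault(key, value)
    return global_cfg, match_blocks

def audit(text):
    """Return a list of findings; an empty list means the config meets the baseline."""
    cfg, matches = parse_sshd_config(text)
    findings = []
    for key, expected in BASELINE.items():      # unset keys fall back to sshd defaults
        actual = cfg.get(key, "<unset>")
        if actual.lower() != expected:
            findings.append(f"{key}: {actual}, expected {expected}")
    for key in ("ciphers", "macs", "kexalgorithms"):
        for algo in cfg.get(key, "").lower().split(","):
            if any(weak in algo for weak in WEAK_ALGOS):
                findings.append(f"{key}: weak algorithm {algo}")
    for blk in matches:                         # a Match block can silently undo a global
        for key, value in blk["settings"].items():
            if key in BASELINE and value.lower() != BASELINE[key]:
                findings.append(f"Match {blk['criteria']}: {key} {value} overrides baseline")
    return findings

# Constructed sample (not a real host's file): distro defaults plus a few risky edits.
SAMPLE_WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored by sshd: the earlier line wins
Ciphers aes128-ctr,aes128-cbc,chacha20-poly1305@openssh.com
Match User backup
    PermitRootLogin yes
"""
```

Run it against a copy of /etc/ssh/sshd_config with `audit(open(path).read())`; compare its output with `sshd -T`, which additionally resolves Include files and built-in defaults.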