System-Level Hardening
SSH security depends on the underlying system security. Implement system-level hardening measures that complement SSH-specific configurations and create a secure foundation for SSH services.
Apply kernel security parameters:
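# /etc/sysctl.d/99-ssh-hardening.conf
# Kernel parameters for SSH hardening
#
# Load with `sysctl --system` (systemd-sysctl applies /etc/sysctl.d/ at boot).
# sysctl reports an error for any key that does not exist on the running
# kernel, so check keys with `sysctl -a` before shipping this file to a fleet
# with mixed kernel versions.

# Enable TCP SYN cookies (keeps port 22 reachable under a SYN flood)
net.ipv4.tcp_syncookies = 1

# Reverse-path filtering (IP spoofing protection).
# 1 = strict. Use 2 (loose) on hosts with asymmetric routing or several
# uplinks, otherwise legitimate traffic is dropped and logged as a martian.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable IP source routing (IPv4 and IPv6, existing and future interfaces)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore ICMP redirects (prevents route injection from the local segment);
# secure_redirects must be off too, or redirects from default gateways are
# still honoured.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Do not send ICMP redirects (this host is not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Ignore ICMP echo sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignoring *all* ICMP echo hides nothing (port 22 still answers) and breaks
# monitoring, health checks and troubleshooting. Left off here; enable only
# if your environment explicitly requires it.
# net.ipv4.icmp_echo_ignore_all = 1

# Log packets with impossible source addresses (martians)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Ignore bogus ICMP error responses (keeps the kernel log useful)
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Full address-space layout randomisation (stack, mmap and brk).
# NOTE: kernel.exec-shield exists only on old Red Hat patched kernels; on
# mainline kernels it is not a valid key and sysctl fails on it. NX/DEP is
# enforced by the kernel on 64-bit hardware without a sysctl knob.
kernel.randomize_va_space = 2

# Hide kernel pointers and the kernel log from unprivileged users
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1

# TCP backlog tuning. These are capacity knobs, not hardening; size them to
# the host's real traffic. The previous 3240000 for netdev_max_backlog is far
# beyond usual tuning guidance and only costs memory.
net.ipv4.tcp_max_syn_backlog = 2048
net.core.netdev_max_backlog = 5000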
Implement PAM hardening for SSH:
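# /etc/pam.d/sshd
# Hardened PAM configuration for SSH (Debian-style @include layout)
#
# sshd only consults this file when sshd_config has `UsePAM yes`. The auth
# stack runs for password / keyboard-interactive logins; public-key logins
# skip it but still run the account and session stacks.

# Account lockout after failed attempts.
# pam_tally2 was removed in Linux-PAM 1.5.0; pam_faillock is its replacement
# and needs a preauth entry before the authentication modules and an authfail
# entry after them. Counters are kept under /var/run/faillock/ and reset by
# the account-stack entry below on a successful login. The options can also
# be centralised in /etc/security/faillock.conf so both lines stay in sync.
# even_deny_root lets anyone who can reach port 22 lock root out of SSH for
# root_unlock_time; only acceptable when `PermitRootLogin no` is set so root
# keeps console access.
auth required pam_faillock.so preauth silent deny=3 unlock_time=600 even_deny_root root_unlock_time=1200
# Standard authentication
@include common-auth
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=600 even_deny_root root_unlock_time=1200

# Account management
# Reset the failure counter after a successful login (required by faillock)
account required pam_faillock.so
# Refuse non-root logins while /etc/nologin exists
account required pam_nologin.so
@include common-account

# Strong password requirements for password changes made through SSH
# (e.g. an expired password). Putting the same settings in
# /etc/security/pwquality.conf applies them to every password change on the
# host, not only those via sshd, and avoids a second prompt if
# common-password already calls pam_pwquality.
password requisite pam_pwquality.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
# The quality check alone stores nothing; without common-password the
# password stack has no module that actually sets the new password.
@include common-password

# Session setup
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the audit login UID so later audit records are attributable to the user
session required pam_loginuid.so
# Fresh kernel keyring for the session, revoked on logout
session optional pam_keyinit.so force revoke
@include common-session
# Apply /etc/security/limits.conf (process, memory and login limits)
session required pam_limits.so
# Create the home directory on first login (only needed for directory-backed
# accounts); umask=0077 keeps it private instead of the default 0022.
session optional pam_mkhomedir.so umask=0077
# Log session start/stop through an external script. pam_exec runs it as root
# with PAM_USER, PAM_RHOST, PAM_TYPE and PAM_SERVICE in its environment; the
# script must be root-owned and not group/world-writable, and must treat
# those variables as untrusted input when writing logs or invoking commands.
session optional pam_exec.so /usr/local/bin/log-ssh-session
# Set the SELinux context for the user session (ignored without SELinux);
# pairs with the `close` entry above.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open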