OpenSSH Hardening Tips

In this post I have collected some tips to harden the default OpenSSH configuration on an Ubuntu LTS server. SSH is the usual way to log in to a remote machine over an untrusted network. sshd has many configuration options that can make the server harder to attack, and disabling features that are not needed reduces the exposed surface further.

Create a non-root user

If a scanning tool finds your server, the root account will almost certainly be hit by a password brute-force attack, because it is the one user name every attacker can assume exists. To make unauthorised access harder, the usual advice is to create another user and disable remote login for root. Let's start by creating a new user 'myuser' and giving it sudo rights with these two commands:

adduser myuser
usermod -aG sudo myuser

The commands should be executed as the root user.

If the same ssh key that was added to the root account will be used for the new user, copy root's authorized_keys file, hand ownership to the new user and tighten the permissions (with the default StrictModes yes, sshd refuses an .ssh directory or key file that is writable by anyone other than its owner):

mkdir -p /home/myuser/.ssh
cp /root/.ssh/authorized_keys /home/myuser/.ssh/
chown -R myuser:myuser /home/myuser/.ssh/
# only the owner may read or write the directory and the key list
chmod 700 /home/myuser/.ssh
chmod 600 /home/myuser/.ssh/authorized_keys

After setting up the keys, test the key based login with the new user from a second terminal while the root session stays open, so that a mistake cannot lock you out.

Configure the OpenSSH server

In the next steps the default OpenSSH configuration file, /etc/ssh/sshd_config, will be changed to make remote login more secure. Sudo rights are needed to modify the file. On Ubuntu 20.04 and later the file starts with an Include of /etc/ssh/sshd_config.d/*.conf, and for most keywords sshd keeps the first value it reads, so a drop-in file there (cloud images typically ship one) silently wins over anything set lower down in the main file. Check for such drop-ins before editing, or put your settings in a drop-in of your own.

sudo vim /etc/ssh/sshd_config

Disable remote login for the root user

It is important to set up and test the login with the new user before disabling remote root login!

Since the previous steps created a non-root user and verified that it can log in remotely, the root login can now be turned off:

PermitRootLogin no

Additionally, login will be allowed only for the newly created user. AllowUsers is an allow list: every account not on it, root included, is rejected at authentication, so list every user (and any SSH-only service account) that needs access before restarting sshd:

AllowUsers myuser

Disable password based login for all of the users

If password based login was used, switching to ssh-key based login takes passwords out of the picture entirely, so brute-force attempts against them cannot succeed. I will not go into the details of how to set up and create the keys here; the Archlinux wiki has a great page about it.

Do not forget to setup and test ssh key based login before disabling password based login!

PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive (PAM) prompts; since OpenSSH 8.7 the keyword is
# KbdInteractiveAuthentication and the old name is kept as an alias
ChallengeResponseAuthentication no
# Disable empty passwords
PermitEmptyPasswords no

X11 forwarding gives programs on the server access to the client's X display, so a compromised server (or another user on it who can read your X authorization file) could monitor keystrokes and windows on your machine. It is not needed on a headless server, so disable it.

X11Forwarding no

These two keywords control the server-side keepalive, not user inactivity: every ClientAliveInterval seconds without traffic sshd sends a probe through the encrypted channel, and after ClientAliveCountMax unanswered probes it drops the connection. A client that answers the probes keeps an idle shell open indefinitely; what this cleans up are dead sessions from clients that crashed or lost their network. Note that since OpenSSH 8.2 (the version in Ubuntu 20.04) ClientAliveCountMax 0 disables the check entirely instead of killing the session after the first probe, so use a count of at least 1. With the values below an unresponsive client is disconnected after 15 minutes:

ClientAliveInterval 300
ClientAliveCountMax 3

Change default ssh port number

The default port 22 is well known and every automated scanner will try it to see whether anything is listening. A list of the well known ports can be found here. Changing the port cuts down the noise from automated authentication attempts but does not eliminate them, and it is no substitute for the key-only login above: a port scan finds the new port within seconds. On newer Ubuntu releases sshd can be socket-activated by systemd (ssh.socket), so after restarting confirm with ss -tlnp (or the status of the ssh.socket unit) that the daemon really listens on the new port and not still on 22. Let's set it to something different, above 1024 and not already used by another service:

Port 23422

The remote ssh login attempts can be checked in the /var/log/auth.log file. Keeping the default port I saw many login attempts with root, admin, news, test… user names.
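As an added example (my script, not part of the original post), here is a small shell script that counts the failed password attempts in auth.log-style lines per user name and per source address, so the pattern described above can be measured rather than eyeballed. The lines in SAMPLE_AUTH_LOG are constructed samples in the format sshd writes on Ubuntu; the function names and the --demo/--file switches are assumptions made for the example.

```shell
#!/bin/sh
# Added example: summarise failed SSH password attempts from auth.log lines.
# SAMPLE_AUTH_LOG is constructed test data in the Ubuntu syslog format.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:01:12 srv sshd[2011]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 srv sshd[2011]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:20 srv sshd[2015]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:33 srv sshd[2019]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:01 srv sshd[2023]: Accepted publickey for myuser from 192.0.2.10 port 50010 ssh2: ED25519 SHA256:abc
Mar  3 10:02:40 srv sshd[2030]: Failed password for invalid user news from 203.0.113.5 port 51301 ssh2
EOF
)

# failed_by_user: reads log lines on stdin and prints "<count> <user>",
# most attempts first. sshd logs "for invalid user X" when the account does
# not exist and "for X" when it does, so both forms are handled.
failed_by_user() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++)
           if ($i == "for") { u = ($(i+1) == "invalid") ? $(i+3) : $(i+1); break }
         c[u]++
       }
       END { for (u in c) print c[u], u }' | sort -k1,1nr -k2,2
}

# failed_by_ip: same, keyed on the source address after "from".
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++)
           if ($i == "from") { c[$(i+1)]++; break }
       }
       END { for (ip in c) print c[ip], ip }' | sort -k1,1nr -k2,2
}

# Wrappers that take the log text as an argument instead of stdin.
failed_by_user_from() { printf '%s\n' "$1" | failed_by_user; }
failed_by_ip_from()   { printf '%s\n' "$1" | failed_by_ip; }

case "${1:-}" in
  --demo)
    echo "Failed password attempts per user:";      failed_by_user_from "$SAMPLE_AUTH_LOG"
    echo "Failed password attempts per source IP:"; failed_by_ip_from "$SAMPLE_AUTH_LOG" ;;
  --file)
    # e.g. sudo sh failed-logins.sh --file /var/log/auth.log
    echo "Failed password attempts per user:";      failed_by_user < "$2"
    echo "Failed password attempts per source IP:"; failed_by_ip < "$2" ;;
esac
```

On the sample data the script reports root as the most tried name (2 attempts) and 203.0.113.5 as the noisiest source (4 attempts); on a real server with port 22 open the top entries are the user names mentioned above, which is exactly the traffic PermitRootLogin no and PasswordAuthentication no make harmless.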

Test the configuration before applying it

After setting the new configuration options it is important to check the file for errors, because a syntax error stops sshd from starting again after the restart and can lock you out. sshd has two test modes:

$ sudo sshd -t
# extended test mode: parse everything, including Include drop-ins,
# and print the effective value of every keyword
$ sudo sshd -T

sshd -t only reports problems and prints nothing when the file is valid. sshd -T is the one to read after editing: if a keyword still shows its old value there, a drop-in or an earlier line in the file is overriding yours.
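To make the sshd -T output actionable, here is an added example script (mine, not part of the original post) that compares the effective configuration with the settings this post sets and reports every keyword that differs. The EXPECTED list, the function names and the two sample dumps SAMPLE_GOOD and SAMPLE_BAD are assumptions constructed for the example; the port is left out of the list because it is site-specific.

```shell
#!/bin/sh
# Added example: check the effective sshd configuration (the output of
# `sudo sshd -T`, one lowercase keyword and its value per line) against
# the hardening settings from this post.

# Assumed checklist: keyword and expected value, as sshd -T prints them.
EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
x11forwarding no
clientaliveinterval 300
clientalivecountmax 3'

# effective_value <dump-text> <keyword>: the value sshd reports for the
# keyword, or the empty string if the keyword is not in the dump.
effective_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print substr($0, length($1) + 2); exit }'
}

# check_sshd_config <dump-text>: prints one line per keyword whose effective
# value differs from EXPECTED and returns 1; prints nothing and returns 0 when
# everything matches. Against the live daemon: check_sshd_config "$(sudo sshd -T)"
check_sshd_config() {
  dump=$1
  mismatches=$(printf '%s\n' "$EXPECTED" | while read -r key want; do
    got=$(effective_value "$dump" "$key")
    if [ -z "$got" ]; then
      echo "$key: expected '$want', keyword not present in sshd -T output"
    elif [ "$got" != "$want" ]; then
      echo "$key: expected '$want', got '$got'"
    fi
  done)
  [ -z "$mismatches" ] && return 0
  printf '%s\n' "$mismatches"
  return 1
}

# Constructed sample dumps (a real sshd -T prints roughly a hundred lines).
SAMPLE_GOOD='port 23422
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
x11forwarding no
clientaliveinterval 300
clientalivecountmax 3'

# Stock defaults still in place for three keywords.
SAMPLE_BAD='port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no
x11forwarding no
clientaliveinterval 0
clientalivecountmax 3'

case "${1:-}" in
  --live) check_sshd_config "$(sudo sshd -T)" && echo "sshd configuration matches the checklist" ;;
  --demo) check_sshd_config "$SAMPLE_BAD" || echo "sshd configuration differs from the checklist" ;;
esac
```

Run with --live on the server itself; the check reads the values sshd actually uses, so an override from a drop-in in sshd_config.d shows up as a mismatch even when the main file looks right.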

Restart the OpenSSH daemon

When the configuration is ready, restart the ssh daemon. On Ubuntu the unit is ssh.service and sshd.service is an alias for it, so either name works. Keep the current session open and log in again from a second terminal: the existing connection survives the restart, so if the new login fails you can still fix the file.

sudo systemctl restart sshd.service

Wrap-up

The configuration changes above make the login process to the server more secure. There are a lot more configuration options, but I think this is a good start. There are audit tools like ssh-audit and Lynis to check the SSH client or server configuration, but I have not tested them yet. To further improve security, 2FA can be configured for the ssh server too.
In the next post I will write how to configure the Uncomplicated Firewall (UFW), which makes managing the iptables configuration easier to filter network packets.

Resources

Here is a collection of resources worth reading about the OpenSSH server configuration: