Advanced SSH Configuration and Security Best Practices

Posted on by Lee Painter

SSH (Secure Shell) is a critical tool for securing remote connections, enabling administrators and developers to access and manage remote servers securely. While SSH is inherently secure, advanced configuration can significantly enhance its security posture. This article delves into advanced SSH configurations and best practices to ensure robust security.

1. Key-Based Authentication

One of the most fundamental and practical ways to secure SSH is using key-based authentication instead of passwords. This method involves generating a pair of cryptographic keys: a private key, which you keep secure, and a public key, which you place on the Server.

Steps to Configure Key-Based Authentication:

  1. Generate SSH Key Pair:
   ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

This command generates a 4096-bit RSA key pair.

  1. Copy the Public Key to the Server:
   ssh-copy-id user@remote_server

Alternatively, manually add the public key (~/.ssh/id_rsa.pub) to the Server’s ~/.ssh/authorized_keys file.

  1. Configure SSH to Use Key-Based Authentication:
    Ensure the following lines are present and uncommented in the /etc/ssh/sshd_config file:
   PubkeyAuthentication yes
   PasswordAuthentication no
  1. Restart SSH Service:
   sudo systemctl restart ssh

2. Disabling Root Login

Allowing root login over SSH poses a significant security risk. It’s best practice to turn off root login and instead use sudo or su to escalate privileges when necessary.

Steps to Disable Root Login:

  1. Edit the SSH Configuration File:
   sudo nano /etc/ssh/sshd_config
  1. Change the PermitRootLogin Directive:
   PermitRootLogin no
  1. Restart SSH Service:
   sudo systemctl restart ssh

3. Limiting User Access

Restricting SSH access to specific users or groups minimizes the attack surface.

Steps to Limit User Access:

  1. Edit the SSH Configuration File:
   sudo nano /etc/ssh/sshd_config
  1. Add AllowUsers or AllowGroups Directives:
   AllowUsers user1 user2
   AllowGroups sshusers
  1. Restart SSH Service:
   sudo systemctl restart ssh

4. Using SSH Configurations for Multiple Profiles

Using SSH configuration files for administrators managing multiple servers can simplify access and enhance security.

Steps to Use SSH Configurations:

  1. Edit the SSH Config File:
   nano ~/.ssh/config
  1. Add Server Profiles:
   Host server1
       HostName server1.example.com
       User user1
       IdentityFile ~/.ssh/id_rsa_server1

   Host server2
       HostName server2.example.com
       User user2
       IdentityFile ~/.ssh/id_rsa_server2

5. Configuring SSH Timeouts and Connection Limits

Setting timeouts and connection limits can prevent resource exhaustion and reduce the risk of unauthorized access.

Steps to Configure Timeouts and Limits:

  1. Edit the SSH Configuration File:
   sudo nano /etc/ssh/sshd_config
  1. Add or Modify the Following Directives:
   ClientAliveInterval 300
   ClientAliveCountMax 2
   MaxAuthTries 3
   MaxSessions 2
  1. Restart SSH Service:
   sudo systemctl restart ssh

6. Implementing Two-Factor Authentication (2FA)

Two-factor authentication adds an extra layer of security by requiring a second form of verification.

Steps to Implement 2FA with Google Authenticator:

  1. Install Google Authenticator on the Server:
   sudo apt-get install libpam-google-authenticator
  1. Configure Google Authenticator:
   google-authenticator

Follow the prompts to set up the authenticator and generate a QR code.

  1. Update PAM Configuration:
   sudo nano /etc/pam.d/sshd

Add the following line:

   auth required pam_google_authenticator.so
  1. Update SSH Configuration:
   sudo nano /etc/ssh/sshd_config

Ensure the following line is present:

   ChallengeResponseAuthentication yes
  1. Restart SSH Service:
   sudo systemctl restart ssh

7. Enforcing Strong Ciphers and Algorithms

To ensure the highest level of security, enforce strong ciphers and algorithms.

Steps to Enforce Strong Ciphers and Algorithms:

  1. Edit the SSH Configuration File:
   sudo nano /etc/ssh/sshd_config
  1. Specify Strong Ciphers and Algorithms:
   Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
   MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
  1. Restart SSH Service:
   sudo systemctl restart ssh

Conclusion

Implementing these advanced SSH configurations and best practices can significantly enhance the security of your SSH servers. Key-based authentication, turning off root login, limiting user access, using configuration files, setting timeouts, implementing 2FA, and enforcing strong ciphers are all crucial steps in securing your SSH environment. Regularly reviewing and updating these settings will help maintain a robust security posture.