Comments on OpenSSH Security Best Practices
SSH (Secure Shell) is a cryptographic network protocol for initiating text-based shell sessions on remote machines in a secure way. OpenSSH is a connectivity tool that most administrators rely on to work on their Linux and *BSD servers daily. This tutorial covers the best practices to configure your SSH server securely.
9 Comment(s)
Comments
What is "zuthentication"?
A better practice: don't allow password-based logins. Once set up and one or more admins have access, disable password-based logins and only allow key-based.
Changing the port is a good idea to deter script-kiddies, but does not really add much to security.
Nice article. I have a few quick things to add that might help people out.
You can legitimately have multiple listening ports listed in sshd_config. This can allow one to use the default port 22 within the local network, but only forward a non-standard port through their firewall. (Of course, one could also redirect a high port to 22)
You can also use socket activation to start sshd. So if using systemd, you can enable the sshd.socket file instead. But if one chooses this method, they should be aware that the listening port is then determined by the sshd.socket unit file, while the Port line in sshd_config is ignored.
By default both ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 can be used for authorized ssh keys. Users might want to consider explicitly enabling only one file.
Not all distributions have ssh-copy-id included. But it is basically just a script that writes the contents of the chosen ~/.ssh/*.pub key to the authorized keys file. This can also be done manually.
...and just a nitpick... with the AuthorizedKeysFile option, the path default is relative to a user's home directory. So you don't have to use %h/.ssh/authorized_keys and can instead simply use .ssh/authorized_keys.
Thanks for the tutorial.
Using ports above 1024 is dangerous as those are non-privileged ports (anyone can bind to them). A malicious user could crash the SSH daemon and launch a compromised one on the same port. Do NOT use ports above 1024 for SSH daemons.
I agree, changing the port adds little to security. Better to leave on the default port, and limit access using iptables. No mention of setting specific MACs.
MACS hmac-sha2-256,hmac-sha1,hmac-sha2-512
Using passwords for ssh access is a failure if retained after the first 5 minutes. No passwords should be used/allowed for ssh. Always use keys for ssh, scp, sftp.
No mention of denyhosts or fail2ban?
I think @Anonymous has a point in not using ports above 1024 for the sshd daemon.
Further I recommend reading the following article as an afterthought:
https://stribika.github.io/2015/01/04/secure-secure-shell.html
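Added example, not part of the article or of any comment above: a small checker for the global sshd_config settings the commenters raise (password logins, the two default authorized keys files, non-privileged listening ports). The function names and both sample configurations are constructed for illustration; Match blocks are not evaluated.

```python
# Added example: audit the global section of an sshd_config for the
# points raised in the comments. Names and samples are hypothetical.

# sshd defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "port": ["22"],
    "passwordauthentication": ["yes"],
    "authorizedkeysfile": [".ssh/authorized_keys", ".ssh/authorized_keys2"],
}

def parse_global(text):
    """Return {keyword: [args]} for lines before the first Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":
            break                                # conditional settings: skipped
        if key == "port":
            seen.setdefault(key, []).extend(args)  # Port may be listed repeatedly
        elif key not in seen:
            seen[key] = args                     # otherwise the first value wins
    return seen

def audit(text):
    """Return a list of findings for one sshd_config text."""
    cfg = {**DEFAULTS, **parse_global(text)}
    findings = []
    if cfg["passwordauthentication"][0].lower() != "no":
        findings.append("password logins are enabled")
    if len(cfg["authorizedkeysfile"]) > 1:
        findings.append("more than one authorized keys file is accepted")
    for port in cfg["port"]:
        if int(port) >= 1024:                    # any local user can bind these
            findings.append(f"port {port} is non-privileged")
    return findings

# Constructed sample inputs.
WEAK = "Port 22\nPort 2222\nPasswordAuthentication yes\n"
HARDENED = ("Port 22\nPasswordAuthentication no\n"
            "AuthorizedKeysFile .ssh/authorized_keys\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

When sshd is started through sshd.socket, the listening port comes from that unit file, so the Port findings here do not describe what is actually exposed.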