6 Best Practices for Hardening Your OpenSSH Server
S4E.io
OpenSSH is a powerful tool for secure remote access to your servers, but leaving it at default settings can expose your system to vulnerabilities. Follow these essential steps to harden your OpenSSH server and protect it from potential threats.
1- Disable Password Authentication
Passwords can be brute-forced, guessed or reused from other breaches, and researchers have shown that the inter-keystroke timing of an interactive SSH session leaks information about what is typed. Switch your OpenSSH server to key-based authentication and disable password logins. Most cloud images, such as Amazon EC2 instances, already ship with password authentication disabled and a key injected at launch, but verify the effective setting (sudo sshd -T | grep -i passwordauthentication) rather than assuming it.
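The steps below make this change by hand. As an added example that is not the article's own script, here is the same change as a bash script with a lockout guard: it refuses to run unless the login account already has an entry in authorized_keys, writes the directives to a drop-in file, checks the syntax with sshd -t and shows the effective values with sshd -T before anything is restarted. The drop-in path, the APPLY=1 switch and the user argument are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the article's own script: switch sshd to key-only
# authentication without locking yourself out. Assumes a distribution whose
# sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf" (Debian,
# Ubuntu, Fedora, RHEL 9) and systemd. Run as root after ssh-copy-id.
set -euo pipefail

# Drop-in path is an assumption; the low number matters because sshd keeps
# the FIRST value it reads for a keyword, so 10-keyonly.conf beats a
# 50-cloud-init.conf that still says "PasswordAuthentication yes".
DROPIN=${DROPIN:-/etc/ssh/sshd_config.d/10-keyonly.conf}

# Directives to write. KbdInteractiveAuthentication (ChallengeResponse-
# Authentication before OpenSSH 8.7) must be off too, otherwise PAM can still
# ask for a password through the keyboard-interactive method.
render_keyonly_dropin() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
EOF
}

# Number of key entries in an authorized_keys file (blank and comment lines
# ignored; entries with options such as command="..." still count).
authorized_key_count() {
    local file=$1
    [ -r "$file" ] || { echo 0; return 0; }
    grep -Evc '^[[:space:]]*(#|$)' "$file" || true
}

# Home directory of a user, from the passwd database.
home_of() {
    getent passwd "$1" | cut -d: -f6
}

main() {
    local user=${1:-${SUDO_USER:-}}
    [ -n "$user" ] || { echo "usage: $0 <login-user>" >&2; return 2; }
    local ak
    ak="$(home_of "$user")/.ssh/authorized_keys"

    # Guard: never disable passwords on a host that has no key to fall back on.
    if [ "$(authorized_key_count "$ak")" -eq 0 ]; then
        echo "refusing: no keys in $ak (run ssh-copy-id $user@host first)" >&2
        return 1
    fi

    render_keyonly_dropin > "$DROPIN"
    chmod 0600 "$DROPIN"
    sshd -t                                   # syntax check before restarting
    # Effective values after all Include files are merged: both must be "no".
    sshd -T | grep -Ei '^(password|kbdinteractive)authentication '

    cat <<EOF
Wrote $DROPIN. Keep THIS session open, then from a second terminal run:
  ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no $user@<host> true
When that succeeds: systemctl restart ssh   (sshd on RHEL-family)
EOF
}

# Only act when asked; sourcing or testing the file must not touch the host.
if [ "${APPLY:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as sudo APPLY=1 ./keyonly.sh alice; without APPLY=1 it only defines its functions. The sshd -T check is the important step on cloud images, where a cloud-init drop-in may still say PasswordAuthentication yes and would otherwise override an edit made further down in sshd_config.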
Steps to Disable Password Authentication:
- Generate a key pair on your local machine and copy the public key to the server:
ssh-keygen -t ed25519
ssh-copy-id user@your-server
- Open the /etc/ssh/sshd_config file and modify the following setting. If the file begins with Include /etc/ssh/sshd_config.d/*.conf, put the directive in a drop-in file in that directory instead: sshd keeps the first value it reads for each keyword, so a cloud-init drop-in that still says PasswordAuthentication yes would silently win over an edit further down in sshd_config.
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
# PermitEmptyPasswords no
Also set KbdInteractiveAuthentication no (ChallengeResponseAuthentication on OpenSSH releases older than 8.7); if it stays enabled, PAM can still prompt for a password through the keyboard-interactive method.
- In the same configuration file, make sure public key authentication is enabled (it is the default, but the line is usually present commented out):
# MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be used by SSH
- Check the syntax with sshd -t, then restart the SSH service. Keep your current session open until a key-based login from a second terminal succeeds, so a mistake cannot lock you out:
sudo systemctl restart sshd
Note: ECDSA (Elliptic Curve Digital Signature Algorithm) offers faster key generation and signing than RSA at equivalent security strength and uses much shorter keys. Ed25519 is the EdDSA signature scheme over the twisted Edwards curve edwards25519; it is faster than RSA, DSA and ECDSA, produces deterministic signatures (no per-signature random nonce that a weak RNG could compromise), and is the recommended choice for new keys. DSA (ssh-dss) has been disabled by default since OpenSSH 7.0 and should not be used.
Use the following command to generate an Ed25519 key:
ssh-keygen -t ed25519
2- Change the Default SSH Port
Sshd listens on port 22 by default. Moving it to another port does not stop a targeted attacker, since a port scan finds the service in seconds, but it removes most of the automated brute-force noise from your logs. Change the Port directive in the sshd_config file (for example to 2222) and update your firewall rules accordingly. Two caveats: on distributions that start sshd through systemd socket activation (recent Ubuntu releases use ssh.socket), the listening port is controlled by the socket unit, and depending on the release the Port directive is either ignored or copied into the unit by a generator, so confirm with ss -tlnp which port sshd actually listens on; and on SELinux systems the new port must be labelled ssh_port_t (semanage port) or sshd will not be allowed to bind to it.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
Port 2222
#AddressFamily any
3- Disable the ability to access as root
Disable direct root logins over SSH. An attacker then has to discover a username as well as a credential, every action is tied to a named account in the logs, and a stolen user key does not hand over root on its own. Before enabling this, make sure the account you log in with is in sudoers (or the wheel group), or you will lose administrative access. Note that the default since OpenSSH 7.0, prohibit-password, still lets root in with a key; set the value to no to refuse root entirely. In the same configuration file:
# LoginGraceTime 2m
PermitRootLogin no
# StrictModes yes
4- Restrict SSH Access
Restricting SSH logins to specific users, groups or source addresses is an effective measure, especially when you always connect from known addresses. Adding an AllowUsers directive to sshd_config turns the server into an allow-list: any account not matched by an entry is refused, and sshd logs the rejection as "not allowed because not listed in AllowUsers". Entries have the form USER@HOST, where HOST is a hostname or address pattern; CIDR notation (user@192.168.1.0/24) is accepted as well, and AllowGroups does the same for groups. Because this is a source-address check inside sshd, it complements a firewall rule rather than replacing one. With the following setting, any user may log in, but only from 192.168.1.0/24 or 10.0.0.0/24:
AllowUsers *@192.168.1.* *@10.0.0.*
5- Limit Maximum SSH Sessions
MaxSessions caps the number of shell, login or subsystem (for example sftp) sessions that one network connection may multiplex; it is not a limit on how many users can be logged in at once (MaxStartups limits concurrent unauthenticated connections). Keeping it low ties each TCP connection to a single session, which makes log entries easier to correlate when something goes wrong. Be aware that MaxSessions 1 disables client-side connection sharing (ControlMaster) and the tools that rely on it, so set it as low as your workflow allows in sshd_config:
# MaxAuthTries 6
MaxSessions 1
6- Restrict Failed Password Attempts
If you have not disabled password logins, keep the number of authentication attempts allowed per connection low: it forces an attacker to reconnect for every guess, and sshd logs additional failures once half of MaxAuthTries is reached, so attacks show up in the logs sooner. The counter covers every authentication method, including each public key a client offers, so with MaxAuthTries 1 a client whose agent presents a wrong key first is disconnected before it can try the right one; a value of 3 is a safer minimum for most setups, combined with a rate limiter such as fail2ban. With the following setting in sshd_config, the connection is terminated on the first wrong attempt:
#StrictModes yes
MaxAuthTries 1
What is OpenSSH?
OpenSSH (Open Secure Shell) is a suite of tools for securely accessing and managing remote systems over the SSH (Secure Shell) protocol. Its main job is to connect to remote servers or devices over encrypted connections that provide authentication of both ends, data confidentiality and data integrity.
Some basic components of OpenSSH are:
- SSH client (ssh): Used to securely connect to a remote machine.
- SSH server (sshd): The daemon that listens for incoming connections and authenticates remote users.
- SCP: A command for copying files over SSH (since OpenSSH 9.0 it uses the SFTP protocol underneath by default).
- SFTP: A file-transfer subsystem that runs over SSH (the sftp client and sftp-server on the server side).
- SSH keys: SSH supports logging in with a key pair (private and public key) instead of a password; ssh-keygen creates them and ssh-agent holds unlocked private keys for the client.
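All six settings above are read by sshd, the server component in this list. The following bash script is an added example, not part of the article: it parses the output of sshd -T, which prints the configuration sshd will actually use once every Include file has been merged, and reports which of the six settings still have a weak value. The two embedded sample outputs are constructed for the example, not captured from a real host; the pass/fail thresholds (MaxAuthTries at most 3, MaxSessions at most 2) are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the article: audit the EFFECTIVE sshd configuration
# against the six hardening settings. Feed it "sshd -T" output, which prints
# every keyword in lowercase with the value sshd will really use once all
# Include files have been merged (so an overriding cloud-init drop-in shows up).
set -euo pipefail

# audit_sshd reads sshd -T output on stdin, prints PASS/WARN/FAIL/INFO lines and
# returns the number of failed checks (0 means every check passed).
audit_sshd() {
    awk '
    # Exact-match check: counts one failure when the key is missing or differs.
    function want(key, expected,   actual, shown) {
        actual = cfg[key]
        if (actual == expected) { print "PASS " key " " actual; return 0 }
        shown = (actual == "" ? "<unset>" : actual)
        print "FAIL " key " " shown " (want " expected ")"
        return 1
    }
    { cfg[$1] = $2; seen[$1]++ }          # keyword -> first value word
    END {
        fails = 0
        # 1. key-only authentication: both password paths must be closed
        fails += want("pubkeyauthentication", "yes")
        fails += want("passwordauthentication", "no")
        fails += want("kbdinteractiveauthentication", "no")
        fails += want("permitemptypasswords", "no")
        # 2. port: informational only; a non-default port is not a control
        if (cfg["port"] == "22") { print "INFO port 22 (default, expect scanner noise)" }
        else { print "INFO port " cfg["port"] }
        # 3. root login: "no" is the goal; prohibit-password (the default) still
        #    lets root in with a key
        if (cfg["permitrootlogin"] == "no") {
            print "PASS permitrootlogin no"
        } else if (cfg["permitrootlogin"] == "prohibit-password") {
            print "WARN permitrootlogin prohibit-password (root reachable with a key)"
        } else {
            fails++; print "FAIL permitrootlogin " cfg["permitrootlogin"]
        }
        # 4. access restriction: sshd -T prints one allowusers/allowgroups line
        #    per entry and nothing at all when unrestricted
        entries = seen["allowusers"] + seen["allowgroups"]
        if (entries == 0) { fails++; print "FAIL no AllowUsers/AllowGroups allow-list" }
        else { print "PASS allow-list entries: " entries }
        # 5. sessions per connection (multiplexing), warning only
        if (cfg["maxsessions"] + 0 > 2) { print "WARN maxsessions " cfg["maxsessions"] " (multiplexing allowed)" }
        else { print "PASS maxsessions " cfg["maxsessions"] }
        # 6. authentication attempts per connection; every offered key counts
        if (cfg["maxauthtries"] + 0 > 3) { fails++; print "FAIL maxauthtries " cfg["maxauthtries"] " (want <= 3)" }
        else { print "PASS maxauthtries " cfg["maxauthtries"] }
        exit fails
    }'
}

# Constructed sample: what sshd -T prints on a stock Ubuntu-style install.
STOCK='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
permitemptypasswords no
maxauthtries 6
maxsessions 10'

# Constructed sample: the same host after steps 1 to 6 above.
HARDENED='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
maxauthtries 3
maxsessions 1
allowusers deploy@192.168.1.0/24
allowusers ops@10.0.0.*'

# audit_sample prints the report for one sample and the failure count.
audit_sample() {
    local rc=0
    printf '%s\n' "$1" | audit_sshd || rc=$?
    echo "failed checks: $rc"
    return 0
}

if [ "${1:-}" = "--live" ]; then
    sshd -T | audit_sshd        # real host: needs root; exit status = failures
else
    echo "== stock ==";    audit_sample "$STOCK"
    echo "== hardened =="; audit_sample "$HARDENED"
fi
```

Run it without arguments for the demo on the two samples, or as sudo ./audit_sshd.sh --live on a real host, where the exit status is the number of failed checks. Port is reported as INFO only, because a non-default port is noise reduction rather than a control, and prohibit-password is a WARN rather than a FAIL because root is then still reachable with a key.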
Vulnerabilities Discovered in OpenSSH
- Because it is deployed almost everywhere and is critical to security, OpenSSH has been studied heavily; vulnerabilities have been found and fixed over the years.
- To see how many vulnerabilities have been reported against each OpenSSH version and what they are, use the link below; clicking the numbers in the Vulnerabilities column opens the corresponding entries.
https://www.cvedetails.com/version-list/97/585/1/Openbsd-Openssh.html

- Table of vulnerabilities found by year, grouped by impact type (chart on the linked page).
