OpenSSH Hardened Server Configuration and How to Harden It
Before implementing any SSH hardening tips, it is important to thoroughly review each one and evaluate if they are necessary for your specific use case. Not all tips may be applicable or compatible with each other. Blindly following all tips may not be the best approach to hardening your SSH server.
SSH server hardening is particularly important because SSH (Secure Shell) is a critical component of secure system administration. SSH is a protocol that allows users to securely log into a remote system and perform administrative tasks. Hardening the SSH server helps to ensure that remote access to the system is secure and that only authorized users can access the system.
Here are some reasons why SSH server hardening is important:
Preventing unauthorized access: SSH server hardening helps to prevent unauthorized access to the system by restricting access to authorized users only. This can help to prevent attacks such as password guessing or brute-force attacks.
Securing remote administration: Many system administrators use SSH to remotely administer servers. Hardening the SSH server helps to ensure that remote administration is secure and that sensitive data and system configurations are protected.
Complying with regulations: Many regulations require organizations to secure remote access to systems. SSH server hardening can help organizations comply with these regulations.
Mitigating attacks: SSH server hardening can help to mitigate attacks such as man-in-the-middle attacks, which can intercept SSH traffic and compromise the security of the system.
Overall, SSH server hardening is critical for securing remote access to systems and protecting sensitive data and system configurations. By hardening the SSH server, organizations can help to ensure that remote access to their systems is secure and that only authorized users can access the system.
The lines below are taken from a configuration file for an OpenSSH server and set various settings for the server's operation. The SSH server configuration file is located at `/etc/ssh/sshd_config`. Here is a brief explanation of each line:
`AllowAgentForwarding no`: This setting disallows the forwarding of authentication agents to remote systems.
`AllowGroups ssh_group`: Specifies a group of users who are allowed to connect to the SSH server.
`AllowStreamLocalForwarding no`: Disallows stream local forwarding.
`AllowTcpForwarding no`: Disallows TCP forwarding.
`AllowUsers User1 User2`: Specifies the list of users who are allowed to connect to the SSH server.
`ChallengeResponseAuthentication no`: Disables challenge-response authentication.
`ClientAliveCountMax 2`: Specifies the maximum number of client alive messages the server will send without receiving a response from the client before terminating the connection.
`ClientAliveInterval 300`: Specifies the time interval (in seconds) at which the server sends a client alive message to keep the connection alive.
`Compression no`: Disables compression for security reasons.
`DisableForwarding yes`: Disables all forms of forwarding for security reasons.
`GatewayPorts no`: Disables the binding of gateway ports on remote hosts.
`IgnoreRhosts yes`: Disables Rhosts authentication.
`KbdInteractiveAuthentication yes`: Enables keyboard-interactive authentication.
`ListenAddress`: This line specifies the IP address of the network interface on which the SSH server listens for incoming connections. If left blank, the server will listen on all interfaces.
`MaxAuthTries 3`: Specifies the maximum number of authentication attempts allowed before the server terminates the connection.
`MaxSessions 2`: Specifies the maximum number of sessions per network connection.
`PermitEmptyPasswords no`: Disallows empty passwords for security reasons.
`PermitRootLogin no`: Disallows root login for security reasons.
`PermitTunnel no`: Disallows tunneling.
`Port 8513`: Specifies the port number on which the SSH server listens for incoming connections.
`PrintMotd no`: Disables the printing of the message of the day (MOTD) when a user logs in.
`Protocol 2`: Specifies that only SSH protocol version 2 is allowed.
`PubkeyAuthentication yes`: Enables public key authentication.
`Subsystem sftp internal-sftp`: Specifies the SFTP subsystem to be used for file transfers.
`TCPKeepAlive no`: Disables TCP keepalive messages for performance reasons.
`UseDNS no`: Disables DNS lookups for performance reasons.
`UsePAM yes`: Enables the Pluggable Authentication Module (PAM) system for authentication.
`X11Forwarding no`: Disallows X11 forwarding for security reasons.
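A hardened file is only useful if the running daemon actually applies it, so a practitioner wants a check that compares the server's effective settings with the baseline above. The script below is an added example, not part of the original article: it reads a file in the format `sshd -T` prints (one lowercase keyword and its value per line, which is what sshd resolves after parsing the whole configuration) and reports every keyword whose value differs from the baseline. The sample input file is constructed for the demo and deliberately drifts on two settings; the baseline keys and values are the ones listed above.

```shell
#!/bin/sh
# Added audit helper (not from the article): compare the effective sshd
# configuration with the hardened baseline. Input format is what `sshd -T`
# prints: "keyword value" per line, keywords lowercased.

# Constructed sample of `sshd -T` output with two deliberate deviations
# (permitrootlogin and maxauthtries). Removed automatically on exit.
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_effective_sample.$$"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
port 8513
permitrootlogin yes
pubkeyauthentication yes
permitemptypasswords no
maxauthtries 6
maxsessions 2
clientaliveinterval 300
clientalivecountmax 2
x11forwarding no
allowtcpforwarding no
allowagentforwarding no
permittunnel no
gatewayports no
usedns no
EOF

# Expected values, taken from the hardened configuration listed in the article.
BASELINE="port 8513
permitrootlogin no
pubkeyauthentication yes
permitemptypasswords no
maxauthtries 3
maxsessions 2
clientaliveinterval 300
clientalivecountmax 2
x11forwarding no
allowtcpforwarding no
allowagentforwarding no
permittunnel no
gatewayports no
usedns no"

# get_opt FILE KEYWORD -> prints KEYWORD's value (case-insensitive), empty if absent
get_opt() {
    awk -v k="$2" 'tolower($1) == k { print $2; exit }' "$1"
}

# audit_sshd FILE -> prints one line per deviation from BASELINE and returns
# the number of deviations (0 means the host matches the baseline)
audit_sshd() {
    file="$1"
    bad=0
    while read -r key want; do
        [ -z "$key" ] && continue
        have=$(get_opt "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (expected '$want')"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "DRIFT    $key is '$have', expected '$want'"
            bad=$((bad + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$bad"
}

# Demo run against the constructed sample: reports the two deviations.
audit_sshd "$SAMPLE_CFG" || echo "$? setting(s) deviate from the baseline"
# On a real host, as root:  sshd -T > /tmp/effective.conf && audit_sshd /tmp/effective.conf
```

Run `sshd -T` rather than grepping `sshd_config` itself: the `-T` output reflects defaults, `Include` files and the first-value-wins rule, so the audit sees what clients actually get. For settings inside `Match` blocks, `sshd -T -C user=...,host=...,addr=...` prints the values for that connection.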
An example of how to harden a Linux server through SSH (note that this is not a complete example):
1. Use SSH keys for authentication:
SSH keys are more secure than passwords since they are harder to brute-force. To use SSH keys for authentication, first, generate a new SSH key pair on your local machine using the `ssh-keygen` command:
```
ssh-keygen -t rsa
```
This will generate a public and private key pair in the `~/.ssh` directory. Then, copy the public key to the server by using the `ssh-copy-id` command:
```
ssh-copy-id username@server_ip
```
This will add the public key to the authorized keys list on the server, allowing you to log in using the private key without a password.
2. Disable root login:
To disable root login, edit the SSH configuration file `/etc/ssh/sshd_config` and set the `PermitRootLogin` parameter to `no`:
```
PermitRootLogin no
```
This will prevent anyone from logging in as the root user over SSH, which can help to prevent unauthorized access and protect against brute-force attacks.
3. Use strong authentication methods:
You can use additional authentication methods like two-factor authentication (2FA) or multifactor authentication (MFA) to add an extra layer of security to your SSH logins. There are several methods for implementing 2FA/MFA, including using Google Authenticator or Duo Security.
4. Change the default SSH port:
By default, SSH listens on port 22, which can make your server vulnerable to automated attacks. Changing the SSH port to a non-standard port can make it harder for attackers to find your SSH service. To change the default SSH port, edit the SSH configuration file `/etc/ssh/sshd_config` and set the `Port` parameter to a non-standard port (e.g., 2200):
```
Port 2200
```
After changing the SSH port, you will need to specify the new port when connecting to the server over SSH:
```
ssh -p 2200 username@server_ip
```
Be sure to open the new port in your server's firewall configuration.
5. Use SSH protocol version 2:
SSH protocol version 1 is deprecated and insecure, so it's important to ensure that your server is using SSH protocol version 2. To do this, edit the SSH configuration file `/etc/ssh/sshd_config` and set the `Protocol` parameter to `2`:
```
Protocol 2
```
6. Limit SSH access to specific IP addresses:
To limit the addresses on which the SSH server accepts connections, edit the SSH configuration file `/etc/ssh/sshd_config` and set the `ListenAddress` parameter to the local IP address(es) on which sshd should listen:
```
ListenAddress 192.168.1.100
```
With this setting sshd listens only on the listed local address(es), so the service is reachable only through those interfaces (see the `ListenAddress` entry above). `ListenAddress` does not filter client source addresses; to allow only particular client IPs, use firewall rules or a `Match Address` block in `sshd_config`.
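Steps 2, 4, 5 and 6 all say "edit `sshd_config` and set the parameter", and the common mistake is to append the new line at the bottom of the file. sshd uses the first value it reads for a keyword, so an appended `PermitRootLogin no` does nothing if an earlier line already says `PermitRootLogin yes`, and a line appended after a `Match` block only applies inside that block. The same rule is why the configuration listed earlier, which sets both `ChallengeResponseAuthentication no` and `KbdInteractiveAuthentication yes`, ends up with keyboard-interactive authentication disabled on OpenSSH 8.7 and later, where the former is a deprecated alias of the latter and the earlier line wins. The helpers below are an added example, not from the article: `effective_value` reads an option the way sshd resolves it, and `set_option` replaces the first active occurrence, or inserts the directive above the first `Match` block (or at the end if there is none) when the option is not set yet. The demo file path is constructed; on a real host the target is `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added helpers (not from the article) for editing sshd_config safely:
# sshd takes the FIRST value it sees for a keyword, and lines after a
# "Match" line belong to that conditional block.

# effective_value FILE KEYWORD -> prints the first active value of KEYWORD
# (case-insensitive, comments skipped, scanning stops at the first Match
# block); prints nothing if the option is not set in the global section.
# Assumes the "Keyword value" form, not "Keyword=value".
effective_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments, blank lines
        tolower($1) == "match" { exit }              # conditional section begins
        tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# set_option FILE KEYWORD VALUE -> rewrites FILE so that the first active
# occurrence of KEYWORD becomes "KEYWORD VALUE". If KEYWORD is not set in the
# global section, the directive is inserted just before the first Match block
# (or appended when there is none), so nothing earlier can override it.
# Later duplicates are left alone because sshd ignores them.
set_option() {
    file="$1"; key="$2"; val="$3"
    tmp="$file.tmp.$$"
    awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" -v kv="$key $val" '
        BEGIN { done = 0 }
        !done && !/^[[:space:]]*#/ && NF > 0 && tolower($1) == "match" { print kv; done = 1 }
        !done && !/^[[:space:]]*#/ && NF > 0 && tolower($1) == k      { print kv; done = 1; next }
        { print }
        END { if (!done) print kv }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed file (not a real host's configuration).
DEMO="${TMPDIR:-/tmp}/sshd_config.demo.$$"
printf '%s\n' '# constructed demo' 'PermitRootLogin yes' 'Port 22' \
    'Match User backup' '    PasswordAuthentication yes' > "$DEMO"
echo "before: PermitRootLogin=$(effective_value "$DEMO" PermitRootLogin) Port=$(effective_value "$DEMO" Port)"
set_option "$DEMO" PermitRootLogin no
set_option "$DEMO" Port 2200
set_option "$DEMO" MaxAuthTries 3      # not set yet: lands above the Match block
echo "after:  PermitRootLogin=$(effective_value "$DEMO" PermitRootLogin) Port=$(effective_value "$DEMO" Port) MaxAuthTries=$(effective_value "$DEMO" MaxAuthTries)"
rm -f "$DEMO"
```

After editing, validate with `sshd -t` before restarting the service, and keep your current session open while you confirm a new login on the new port and with the key succeeds, so a mistake does not lock you out.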
By following these steps, you can harden your Linux server using SSH to help protect against unauthorized access and brute-force attacks.