This blog post is based on what I have learned over the past year after my servers were hacked. It contains some tips based on the notes I took while reading various other web pages and blogs.
This is not an exhaustive list. I am NOT a Linux admin, but I thought these tips could help some people.
In the /etc/ssh/sshd_config file:
sudo nano /etc/ssh/sshd_config
The following are some important settings:
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers <user>
Protocol 2
DenyUsers root
MaxSessions 1
Don't allow password login, don't allow root login, don't allow empty passwords, list the users who are allowed, and use version 2 of the SSH protocol. Unless there is a need for multiple people on the same server at the same time, also limit the maximum number of sessions.
The following can be a separate file under /etc/ssh/sshd_config.d/, i.e. the files in that directory get included by the Include line above.
sudo nano /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
The following configuration restricts the ciphers, MACs and key/signature algorithms sshd will accept, so the weaker ones are disabled:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512
CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com
With the configuration above, only algorithms of 256 bits and higher are used; anything below 256 bits is not offered.
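Two things trip people up with the settings above: sshd uses the FIRST value it reads for each keyword (later lines are silently ignored), and Include expands the drop-in files in place, so the position of the Include line decides whether /etc/ssh/sshd_config.d/ overrides the main file or the other way round. The real check is always "sudo sshd -t" for syntax and "sudo sshd -T" for the effective values (note also that current OpenSSH no longer supports protocol 1, so "Protocol 2" is accepted but has no effect). The script below is an added example, not part of the original post: it emulates those two rules to audit a config tree offline, and can also audit a saved "sshd -T" dump. It covers both the login settings and the algorithm lists from the two sections above; the file layouts, policy values and temp-directory paths are constructed for the demo, and Match blocks are skipped (assumption: only the unconditional section is audited).

```python
"""Audit an sshd configuration tree against the hardening settings discussed above.

Added example, not the original post's code. Emulates two OpenSSH rules:
  * for each keyword the FIRST value obtained is used, later lines are ignored;
  * `Include` expands the matching files in place, in sorted (glob) order,
    with relative patterns resolved against the config directory.
Match blocks are skipped (assumption: only the unconditional part is audited).
"""
import glob
import os
import tempfile

# Policy taken from the post: exact values for single-value keywords and an
# allowlist for algorithm lists (anything not on the allowlist is a finding).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "maxsessions": "1",
}
ALLOWED_ALGOS = {
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"},
    "macs": {"hmac-sha2-512-etm@openssh.com"},
}


def load_effective_config(path, config_dir, seen=None):
    """Return {keyword: value} as sshd would resolve it for the unconditional section."""
    seen = seen if seen is not None else {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":            # conditional section: stop (assumption)
                break
            if key == "include":          # expand drop-ins right here, in glob order
                for pattern in value.split():
                    if not os.path.isabs(pattern):
                        pattern = os.path.join(config_dir, pattern)
                    for inc in sorted(glob.glob(pattern)):
                        load_effective_config(inc, config_dir, seen)
                continue
            seen.setdefault(key, value)   # first value wins
    return seen


def parse_sshd_dump(dump):
    """Parse `sshd -T` output (one 'keyword value' per line) into the same shape."""
    effective = {}
    for line in dump.splitlines():
        parts = line.split(None, 1)
        if parts:
            effective.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return effective


def audit(effective):
    """Return a sorted list of findings; an empty list means the policy holds."""
    findings = []
    for key, want in EXPECTED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key}: not set (sshd default applies)")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    for key, allowed in ALLOWED_ALGOS.items():
        raw = effective.get(key)
        if raw is None:
            findings.append(f"{key}: not restricted (sshd default list applies)")
        elif raw[0] in "+-^":   # +/-/^ edit the default list instead of replacing it
            findings.append(f"{key}: '{raw}' modifies the default list instead of replacing it")
        else:
            for algo in raw.split(","):
                if algo and algo not in allowed:
                    findings.append(f"{key}: '{algo}' is outside the allowlist")
    return sorted(findings)


def demo():
    """Build two constructed layouts in a temp dir and audit both."""
    hardening = ("Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com\n"
                 "MACs hmac-sha2-512-etm@openssh.com\n"
                 "PermitRootLogin no\nPasswordAuthentication no\n"
                 "PermitEmptyPasswords no\nMaxSessions 1\n")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "sshd_config.d"))
        with open(os.path.join(d, "sshd_config.d", "hardening.conf"), "w") as fh:
            fh.write(hardening)
        # Layout "good": Include at the top, so the drop-in's values are read first
        # and the weaker line in the main file is ignored.
        with open(os.path.join(d, "good"), "w") as fh:
            fh.write("Include sshd_config.d/*.conf\nPasswordAuthentication yes\n")
        # Layout "bad": Include at the bottom, so the main file's weaker lines win.
        with open(os.path.join(d, "bad"), "w") as fh:
            fh.write("PasswordAuthentication yes\nCiphers aes128-cbc,aes256-gcm@openssh.com\n"
                     "Include sshd_config.d/*.conf\n")
        for name in ("good", "bad"):
            results[name] = audit(load_effective_config(os.path.join(d, name), d))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

To audit a live host, run "sudo sshd -T > /tmp/sshd.dump" and pass the text to parse_sshd_dump() before audit(); to audit the files directly, call load_effective_config("/etc/ssh/sshd_config", "/etc/ssh"). The demo's "bad" layout shows why the Include line belongs at the top: with it at the bottom the hardening drop-in is read too late to take effect.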
–
Mr. Kanti Kalyan Arumilli
B.Tech, M.B.A
Founder & CEO, Lead Full-Stack .Net developer
ALight Technology And Services Limited
Phone / SMS / WhatsApp on the following 3 numbers:
+91-789-362-6688, +1-480-347-6849, +44-07718-273-964
+44-33-3303-1284 (Preferred number if calling from U.K, No WhatsApp)
kantikalyan@gmail.com, kantikalyan@outlook.com, admin@alightservices.com, kantikalyan.arumilli@alightservices.com, KArumilli2020@student.hult.edu, KantiKArumilli@outlook.com and 3 more rarely used email addresses – hardly once or twice a year.