
Some SSH tips

This blog post is based on what I have learned over the past year, after my servers were hacked. It collects some tips from the notes I took while reading various other web pages and blogs.

This is not an exhaustive list. I am NOT a Linux admin, but I thought these tips could help some people.

In the /etc/ssh/sshd_config file:

sudo nano /etc/ssh/sshd_config

The following are some important settings:

Include /etc/ssh/sshd_config.d/*.conf

PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers <user>
Protocol 2
DenyUsers root
MaxSessions 1

Don't allow password login, don't allow root, don't allow empty passwords, list the users who are allowed to log in, and cap the number of sessions. A few notes on these lines:

Include comes first on purpose. sshd keeps the first value it reads for each keyword, so a drop-in file under /etc/ssh/sshd_config.d/ can only override the main file if the Include line appears before the directives it is meant to replace. This is why Debian and Ubuntu ship the Include at the very top of sshd_config.

Protocol 2 is a leftover from the SSH-1 era. Current OpenSSH only speaks version 2; it logs "Deprecated option Protocol" for this line and otherwise ignores it, so the line is harmless but also does nothing.

DenyUsers root is redundant with PermitRootLogin no. Keeping both is harmless.

MaxSessions does not limit how many people can be logged in at once. It limits the number of shell, login or subsystem (sftp) sessions per network connection, so MaxSessions 1 disables connection multiplexing (ControlMaster in ssh_config) while still allowing one session per connection. Leave it at the default unless you specifically want to disable multiplexing.

Before restarting sshd with PasswordAuthentication no, put your public key in ~/.ssh/authorized_keys, confirm that a key-based login works from a second terminal, and run sudo sshd -t to check the file for syntax errors. On systems with UsePAM yes, also set KbdInteractiveAuthentication no (called ChallengeResponseAuthentication in older releases); otherwise PAM can still ask for a password through keyboard-interactive authentication even though PasswordAuthentication is off.

The following can go in a separate file under /etc/ssh/sshd_config.d/, since files in that directory are pulled in by the Include line above. The file name follows the convention used by the ssh-audit tool, which lists the algorithms a server offers and flags the weak ones.

sudo nano /etc/ssh/sshd_config.d/ssh-audit_hardening.conf

The following configuration restricts the server to a short list of modern algorithms and so disables the weak ones:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512
CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512
HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512
PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com

What this does: Ciphers is reduced to two authenticated (AEAD) ciphers, ChaCha20-Poly1305 and AES-256-GCM, which drops the CBC and CTR modes that rely on a separate MAC. MACs keeps only HMAC-SHA-512 in encrypt-then-MAC form, which drops the SHA-1 and non-ETM variants. The four signature-algorithm lists accept Ed25519 (plain, certificate and FIDO security-key forms) and RSA signed with SHA-2, which excludes the SHA-1-based ssh-rsa signature. Note that rsa-sha2-512 names the hash used for the signature, not the key size; an RSA key's strength is its modulus length, so generate RSA keys of at least 3072 bits or use Ed25519 instead. Also note that PubkeyAcceptedAlgorithms still accepts rsa-sha2-256 certificates, so "anything below 256 bit is disabled" is only a rough summary; the precise effect is the removal of SHA-1 signatures, CBC/CTR ciphers and SHA-1 or non-ETM MACs.

Two caveats. This file sets no KexAlgorithms line, so key exchange stays at the server default; ssh-audit reports key-exchange methods separately and they deserve the same review. And an absolute list like this locks out any client that cannot negotiate one of the listed algorithms, so test from every client you rely on (old Windows tools, embedded devices, CI agents) before applying it to a server you cannot reach another way. Check the result with sudo sshd -T, which prints the values sshd will actually use once every Include file has been read.
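As an added example (not part of the original post), here is a small POSIX shell checker that reads an sshd_config, expands Include lines in the order sshd does, stops at the first Match block, and reports where the global settings differ from the login settings and the algorithm lists above. The function names check_sshd_config and flatten_sshd_config, the checks and their messages are my own; it assumes /bin/sh and awk are available and that keywords and values are separated by whitespace. It exists mainly to make one point from the notes concrete: sshd keeps the first value it reads for a keyword, so a hardening drop-in does nothing if a weaker setting appears earlier in the main file.

```shell
#!/bin/sh
# check_sshd_config: report global sshd_config directives that differ from
# the hardening discussed above. Added example, not from the original post.
# Assumptions (mine): POSIX sh + awk; "Keyword value" separated by whitespace;
# Include patterns without a leading / are relative to /etc/ssh, as in sshd.

# Print the configuration as one stream, expanding Include lines recursively
# in the order sshd reads them (glob matches expand in lexical order).
flatten_sshd_config() {
    [ -r "$1" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        # split into words without letting the shell glob-expand values
        # such as "AllowUsers *@10.0.0.*"
        set -f; set -- $line; set +f
        case $(printf '%s' "${1:-}" | tr 'A-Z' 'a-z') in
            include)
                shift
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=/etc/ssh/$pat ;; esac
                    for inc in $pat; do          # unquoted on purpose: glob
                        flatten_sshd_config "$inc"
                    done
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Check the global section (everything before the first Match block).
# sshd keeps the FIRST value it reads for each keyword, so a later duplicate
# or a later Include file cannot override an earlier line.
check_sshd_config() {
    flatten_sshd_config "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }            # comments and blank lines
        tolower($1) == "match" { exit }          # Match blocks are per-connection: stop, run END
        {
            k = tolower($1)
            if (k in cfg) next                   # first value wins
            val = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "", val)
            sub(/[[:space:]]+$/, "", val)
            cfg[k] = val
        }
        function expect(kw, want) {
            if (!(kw in cfg)) { printf "FAIL %s not set, sshd default applies\n", kw; return 1 }
            if (tolower(cfg[kw]) != want) { printf "FAIL %s is \"%s\", want %s\n", kw, cfg[kw], want; return 1 }
            return 0
        }
        # every element of the configured list must be in the allowed set
        function allowlist(kw, allowed,    ok, parts, a, i, n) {
            if (!(kw in cfg)) { printf "FAIL %s not set, default list is wider\n", kw; return 1 }
            if (cfg[kw] ~ /^[-+^]/) { printf "FAIL %s edits the default list (%s); use an absolute list\n", kw, cfg[kw]; return 1 }
            n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split(cfg[kw], parts, ",")
            for (i = 1; i <= n; i++) {
                if (parts[i] == "") { printf "FAIL %s has an empty element (stray comma)\n", kw; return 1 }
                if (!(parts[i] in ok)) { printf "FAIL %s allows %s\n", kw, parts[i]; return 1 }
            }
            return 0
        }
        END {
            bad = 0
            bad += expect("permitrootlogin", "no")
            bad += expect("passwordauthentication", "no")
            bad += expect("permitemptypasswords", "no")
            if (!("allowusers" in cfg)) { print "FAIL allowusers not set"; bad++ }
            bad += allowlist("ciphers", "chacha20-poly1305@openssh.com aes256-gcm@openssh.com")
            bad += allowlist("macs", "hmac-sha2-512-etm@openssh.com")
            if ("protocol" in cfg) print "INFO Protocol is deprecated and ignored by current OpenSSH"
            if (bad == 0) print "OK global settings match the hardening above"
            exit (bad > 0)
        }'
}
```

Run it as check_sshd_config /etc/ssh/sshd_config; it exits non-zero when any check fails. It is meant for reviewing a configuration before it is deployed. For the ground truth on a live host, sudo sshd -T prints the effective values after all parsing, and sshd -T -C user=alice,host=...,addr=... shows what a given Match block would produce for one connection.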

Mr. Kanti Kalyan Arumilli