โ† Back to home
SSH Hardening OpenSSH Autenticaciรณn Claves

SSH Hardening Guide

Mar 5, 2022

Complete guide to hardening the SSH service on Linux servers, reducing the attack surface against brute force, unauthorised access and eavesdropping.

1. Configuration File

/etc/ssh/sshd_config
systemctl restart sshd   # Apply changes

2. Change the Default Port

Port 2222
ssh -p 2222 user@server

3. Disable Root Login

PermitRootLogin no

4. Public Key Authentication

ssh-keygen -t ed25519 -C "my_key"
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

# sshd_config:
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

5. Restrict SSH Access

AllowUsers user1 user2
AllowGroups sshusers
DenyUsers root oracle

6. Additional Security Settings

LoginGraceTime 30
MaxAuthTries 3
MaxSessions 3
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
GSSAPIAuthentication no
Banner /etc/ssh/banner.txt

7. Secure Cryptographic Algorithms

KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512,hmac-sha2-256
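Sections 2 to 7 are one procedure: edit directives in /etc/ssh/sshd_config, then restart. The script below is an added example, not part of the original guide, that applies those directives to a config file idempotently. It assumes POSIX sh with awk and mktemp, and takes the config path as its only argument; the `set_sshd_option` and `harden_sshd` function names are the example's own. Two sshd_config rules drive its design: sshd uses the first value it reads for a keyword, so stale duplicates must be removed, and anything placed after a `Match` line applies only to that block, so new global directives are inserted before the first `Match`.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the sshd_config
# directives from sections 2-7 idempotently, then validate the syntax.
# Assumes POSIX sh plus awk and mktemp; the config path is passed as $1.

# set_sshd_option FILE KEY VALUE
# Rewrites the first global "Key value" (or commented "#Key value") line as
# "Key value", drops further global copies, and otherwise inserts the
# directive before the first "Match" block (or appends it at the end).
# sshd honours the FIRST value it reads for a keyword, and directives after
# "Match" are scoped to that block, hence both rules.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            raw = $0
            commented = (raw ~ /^[[:space:]]*#/)
            line = raw
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and "#"
            split(line, f, /[[:space:]]+/)
            first = tolower(f[1])                          # keywords are case-insensitive
            if (first == "match" && !commented) {
                if (!done) { print k " " v; done = 1 }     # global directives go before Match
                in_match = 1
            }
            if (!in_match && first == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next                                       # drop old or duplicate copies
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# harden_sshd FILE: the directives from sections 2-7 of the guide.
# AllowUsers/AllowGroups are site-specific and deliberately left out.
harden_sshd() {
    cfg=$1
    set_sshd_option "$cfg" Port 2222
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    # OpenSSH >= 8.7 calls this KbdInteractiveAuthentication; the old name is still accepted as an alias.
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" LoginGraceTime 30
    set_sshd_option "$cfg" MaxAuthTries 3
    set_sshd_option "$cfg" MaxSessions 3
    set_sshd_option "$cfg" X11Forwarding no
    set_sshd_option "$cfg" AllowAgentForwarding no
    set_sshd_option "$cfg" AllowTcpForwarding no
    set_sshd_option "$cfg" GSSAPIAuthentication no
    set_sshd_option "$cfg" KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256
    set_sshd_option "$cfg" Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
    set_sshd_option "$cfg" MACs hmac-sha2-512,hmac-sha2-256
}

# Stand-alone use: sh harden.sh /etc/ssh/sshd_config
# Keep the current session open and test the syntax before restarting.
if [ -n "${1-}" ]; then
    harden_sshd "$1"
    sshd -t -f "$1" && echo "syntax OK - now run: systemctl restart sshd"
fi
```

Before restarting, open the new port in the firewall and, on SELinux hosts, label it (`semanage port -a -t ssh_port_t -p tcp 2222`), otherwise the restart locks you out. On distributions whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in file there is read first and therefore wins over anything this script writes; check the effective values with `sshd -T`.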

8. Fail2Ban: Brute Force Protection

apt install fail2ban

# /etc/fail2ban/jail.local:
[sshd]
enabled  = true
port     = 2222
maxretry = 3
bantime  = 3600
findtime = 600

systemctl restart fail2ban
fail2ban-client status sshd
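To see what the jail above reacts to, here is an added example (not from the original guide) that reproduces the core of the fail2ban sshd filter as a one-off audit: it counts sshd authentication failures per source address and reports those at or above `maxretry`. The log lines are constructed samples using documentation addresses; on a real host the input would be /var/log/auth.log or `journalctl -u sshd` (`ssh` on Debian and Ubuntu). The function names are the example's own, and unlike fail2ban it does not window the count by `findtime`.

```shell
#!/bin/sh
# Added example, not from the original guide: flag source addresses with
# repeated sshd authentication failures, the way the fail2ban sshd jail does.
# Assumes POSIX sh and awk; reads log lines on stdin.

# flag_bruteforce_sources [MAXRETRY]
# Prints "ip count" for every source address with at least MAXRETRY failures.
# Two message forms are counted: "Failed password for ... from IP port N"
# (password auth enabled) and "Connection closed by invalid|authenticating
# user NAME IP port N [preauth]", which is what remains once
# PasswordAuthentication is off and attackers never get to send a password.
flag_bruteforce_sources() {
    maxretry=${1:-3}
    awk -v m="$maxretry" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        /sshd\[[0-9]+\]: Connection closed by (invalid|authenticating) user/ {
            for (i = 1; i <= NF; i++) if ($i == "port") { n[$(i - 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= m) print ip, n[ip] }
    ' | sort
}

# Constructed sample log (auth.log syslog format); addresses are RFC 5737
# documentation ranges and the key fingerprint is a placeholder.
sample_auth_log() {
    cat <<'EOF'
Mar  5 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 41022 ssh2
Mar  5 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2
Mar  5 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.5 port 41044 ssh2
Mar  5 10:00:09 host sshd[1207]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:PLACEHOLDER_FINGERPRINT
Mar  5 10:00:12 host sshd[1209]: Failed password for bob from 198.51.100.7 port 50130 ssh2
Mar  5 10:00:20 host sshd[1211]: Connection closed by invalid user test 192.0.2.44 port 39012 [preauth]
Mar  5 10:00:21 host sshd[1213]: Connection closed by authenticating user root 192.0.2.44 port 39020 [preauth]
Mar  5 10:00:22 host sshd[1215]: Connection closed by invalid user oracle 192.0.2.44 port 39028 [preauth]
EOF
}

# Stand-alone use: sh audit_auth.sh < /var/log/auth.log
# With no input on a terminal, run against the constructed sample instead.
if [ -t 0 ]; then
    sample_auth_log | flag_bruteforce_sources 3
fi
```

With the sample input and `maxretry = 3`, 203.0.113.5 (three password failures) and 192.0.2.44 (three pre-auth disconnects) are reported, while 198.51.100.7, with one failure and one successful key login, is not. The second pattern matters after section 4 is applied: with passwords disabled the "Failed password" lines disappear, and a filter that only matches them would stop banning anything.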

SSH Hardening Checklist

Measure             Parameter               Value
Non-standard port   Port                    ≠ 22
No root login       PermitRootLogin         no
Key-only auth       PasswordAuthentication  no
Max attempts        MaxAuthTries            3
No X11              X11Forwarding           no
Fail2Ban            maxretry                3 / 1h ban
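The checklist can be verified rather than eyeballed. The following is an added example, not from the original guide: a shell audit of the sshd items in the checklist that applies the same first-value-wins, stop-at-Match reading that sshd itself uses, and falls back to the OpenSSH defaults when a directive is absent (an unset `PasswordAuthentication` means `yes`, an unset `MaxAuthTries` means 6). The function names are the example's own. It accepts either /etc/ssh/sshd_config or the output of `sshd -T`, which prints the effective settings with lowercase keywords and thus also covers values pulled in through `Include`.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a config file against
# the sshd rows of the hardening checklist. Assumes POSIX sh and awk.

# first_sshd_value FILE KEY
# Prints the first global value of KEY, skipping comments and stopping at the
# first Match block, which is how sshd resolves a keyword. Works unchanged on
# `sshd -T` output (lowercase keywords, no Match lines).
first_sshd_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# sshd_default KEY: value sshd applies when the directive is absent
# (current OpenSSH defaults; confirm on the target with `sshd -T`).
sshd_default() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        port) echo 22 ;;
        permitrootlogin) echo prohibit-password ;;
        passwordauthentication) echo yes ;;
        maxauthtries) echo 6 ;;
        x11forwarding) echo no ;;
    esac
}

# audit_sshd_config FILE
# Prints one PASS/FAIL line per checklist row and returns the number of
# failures, so 0 means compliant (usable directly in CI or a cron check).
audit_sshd_config() {
    cfg=$1; fails=0
    for pair in PermitRootLogin=no PasswordAuthentication=no MaxAuthTries=3 X11Forwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(first_sshd_value "$cfg" "$key")
        [ -n "$got" ] || got=$(sshd_default "$key")     # absent -> sshd default
        if [ "$got" = "$want" ]; then
            echo "PASS $key=$got"
        else
            echo "FAIL $key=$got (want $want)"; fails=$((fails + 1))
        fi
    done
    # Port: the checklist only requires a non-default value.
    port=$(first_sshd_value "$cfg" Port)
    [ -n "$port" ] || port=$(sshd_default Port)
    if [ "$port" != "22" ]; then
        echo "PASS Port=$port"
    else
        echo "FAIL Port=22 (want a non-default port)"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Stand-alone use: sh audit_sshd.sh /etc/ssh/sshd_config
#             or:  sshd -T > /tmp/effective.conf && sh audit_sshd.sh /tmp/effective.conf
if [ -n "${1-}" ]; then
    audit_sshd_config "$1"
fi
```

Running it on the `sshd -T` output is the more reliable check: a `PermitRootLogin no` sitting under a `Match` block, or a distribution drop-in that re-enables passwords, both show up as FAIL there while a naive `grep` of sshd_config would report them as fine.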