SSH Hardening

SSH Hardening

SSH hardening goes beyond disabling password authentication. A fully hardened SSH server restricts cipher algorithms to modern secure ones, disables features that create attack surface (X11 forwarding, agent forwarding, TCP forwarding), and configures strict authentication controls. This matters most for internet-facing servers, bastion hosts, and any server where a breach would be catastrophic.

sshd_config hardening checklist

sudo nano /etc/ssh/sshd_config

Hardened sshd_config (annotated)

# Authentication
PasswordAuthentication no          # Keys only
PermitRootLogin no                 # No direct root SSH
PubkeyAuthentication yes           # Keys enabled
AuthorizedKeysFile .ssh/authorized_keys

# Access control
AllowUsers irfan deploy ansible    # Whitelist — only these users
LoginGraceTime 20                  # 20 second window to authenticate
MaxAuthTries 3                     # 3 failed attempts before disconnect
MaxStartups 3:50:10                # Limit unauthenticated connection flood

# Timeouts
ClientAliveInterval 300            # Send probe every 5 minutes
ClientAliveCountMax 2              # Disconnect after 2 missed probes (10min idle)

# Protocol
Protocol 2                         # SSHv1 is broken — ensure v2 only
AddressFamily inet                 # IPv4 only (if you don't use IPv6)

# Logging
LogLevel VERBOSE                   # Log key fingerprints at login

Cipher and MAC hardening

# Check what ciphers your current sshd advertises
nmap --script ssh2-enum-algos -p 22 localhost

# Restrict to modern, secure algorithms in sshd_config:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

📝 NOTE: OpenSSH on Ubuntu 22.04 and 24.04 already removes the weakest algorithms by default. Manual cipher restriction is mainly needed for compliance requirements (PCI-DSS, CIS benchmarks) or environments with older clients. Run ssh-audit to get a full assessment of your current configuration.

Disabling unused SSH features

# In sshd_config: disable features that create attack surface

# X11 forwarding: allows remote GUI apps — rarely needed on servers
X11Forwarding no

# Agent forwarding: allows forwarding your SSH agent to the remote server
# DANGEROUS: if the remote server is compromised, an attacker can use your agent
AllowAgentForwarding no    # Disable for all users
# Or restrict per-user: in authorized_keys: no-agent-forwarding ssh-ed25519 ...

# TCP forwarding (port forwarding): disable if not needed
AllowTcpForwarding no

# Prevent users from modifying their tunnel/forwarding settings
PermitUserEnvironment no

# Prevent banner disclosure of OS version
Banner none

Two-factor authentication for SSH

# Install Google Authenticator PAM module
sudo apt install -y libpam-google-authenticator

# Set up TOTP for a user
google-authenticator    # Follow prompts, scan QR code with authenticator app

# Enable in PAM:
sudo nano /etc/pam.d/sshd
# Add at top: auth required pam_google_authenticator.so

# Enable challenge-response in sshd_config:
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive    # Require BOTH key + TOTP

Validating configuration safely

# Always validate before reloading:
sudo sshd -t

# Extended test with debug output:
sudo sshd -T | grep -E "^(passwordauth|pubkeyauth|permitrootlogin|allowusers|ciphers|macs)"

# ssh-audit: comprehensive SSH security analysis
sudo apt install -y ssh-audit
ssh-audit localhost    # Scans your SSH server and grades security

# After all changes: reload (not restart — keeps existing sessions)
sudo systemctl reload ssh

Conclusion

The minimum hardening set for any internet-facing SSH server: disable password auth, disable root login, add AllowUsers whitelist, set idle timeout. For high-security environments: restrict ciphers/MACs to modern algorithms, disable X11 and agent forwarding, and add two-factor authentication. Always run sudo sshd -t before reloading and keep a console session open. Use ssh-audit to verify your configuration against known best practices and compliance benchmarks.