SSH Configuration Checklist

2015-01-26 10:01

Some basic settings to check in your /etc/ssh/sshd_config to verify that it's properly secured.

Avoid using protocol version 1 since it has known weaknesses:

Protocol 2

Eliminate the display server attack surface if you are not using it on your host:

X11Forwarding no

Rhosts should never be used since it's very weak:

IgnoreRhosts yes

Perform a basic DNS check to see whether the connecting client's IP address and its resolved hostname match:

UseDNS yes

Never allow empty password since it's usually just a stupid thing to do:

PermitEmptyPasswords no

Prevent brute-force password attacks by limiting the number of allowed attempts:

MaxAuthTries 6

Never use the root account for remote login. It's bad practice to expose the root account, and it removes accountability if it's shared among admins. Always use dedicated user accounts for login and combine them with sudo for administrative access:

PermitRootLogin no
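
The checklist above can be verified mechanically. The following is an added example, not part of the original post: a small Python audit that parses an sshd_config, honours the rule that the first value read for a keyword wins, stops at Match blocks, and reports every setting that differs from the checklist or is not set explicitly. The names CHECKLIST, SAMPLE, parse_global and audit are made up for this example, and the sample config is constructed.

```python
import re

# Expected values copied from the checklist above (keywords lower-cased).
CHECKLIST = {
    "protocol": "2",
    "x11forwarding": "no",
    "ignorerhosts": "yes",
    "usedns": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "permitrootlogin": "no",
}

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
Protocol 2
X11Forwarding yes
ignorerhosts yes
PermitRootLogin no
PermitRootLogin yes
MaxAuthTries 6
Match User backup
    PermitEmptyPasswords no
"""

def parse_global(text):
    """Map keyword -> value for the global section of an sshd_config."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # Match blocks apply conditionally
            break
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        seen.setdefault(key, value)     # sshd keeps the first value it reads
    return seen

def audit(text):
    """Return (keyword, found, expected) for each checklist item that fails."""
    actual = parse_global(text)
    return [(k, actual.get(k), want) for k, want in CHECKLIST.items()
            if (actual.get(k) or "").lower() != want]

if __name__ == "__main__":
    for key, found, want in audit(SAMPLE):
        print(f"{key}: found {found or 'not set'}, checklist says {want}")
```

Absent settings are reported because compiled-in defaults differ between OpenSSH releases. Newer releases no longer support protocol 1, so a missing Protocol line can be ignored there.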

Another tip for enhancing SSH security is to use public key authentication instead of passwords. This involves generating a key on each client machine using ssh-keygen, copying the public part of it to the user's .ssh/authorized_keys file on the server host, and finally turning off password login on the server.