Top 20 OpenSSH Server Best Security Practices


#1

Originally published at: https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html

OpenSSH Security Tips
OpenSSH is the implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is perfect to keep confidentiality and integrity for data exchanged between two networks and systems. However, the main advantage is server authentication, through the use of public key cryptography. From time to time there are rumors about OpenSSH zero day exploit. This page shows how to secure your OpenSSH server running on a Linux or Unix-like system to improve sshd security.

#2

Good article, thanks for putting this together.

One small point though, in section 20 you mention using “ssh -Q” for what should be “…list of ciphers and algorithms supported…” but that ssh command will only show you the ciphers & algorithms supported by the SSH client, not the server. In order to see what the server is currently configured to use, you are better to run the following:

sshd -T | grep "\(ciphers\|macs\)"

It can be harder to then recommend what should be removed and allowed, as the security of ciphers and macs change as new vulnerabilities are found. That said, currently (early 2018) some reasonable ciphers and macs to use are:

ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

(key thing above is to make sure nothing contains: cbc, md5, 96, arcfour, des)

And if you want to make the above list even stronger, you can remove anything using sha1.

As with any changes you make, always ensure you do thorough testing from all clients first, as you don’t want to disable a cipher or mac that is relied on from an older client that doesn’t support new ciphers. (and then go back to upgrade those clients :slight_smile: )


#3

Thanks for suggestion. I will look into it and update the page.