Hello everyone! In this tutorial I will show you how to increase server security by tuning up configuration of SSH.
Before you begin
There are basically two requirements for this tutorial:
- You need to have working SSH keys. You need to be able to login to your server by using them. After completing this tutorial, SSH keys will be the only way to access server. If you won't be able to login by using them, well, you will lose access to your server. In order to add user and configure keys you can follow this tutorial.
- Make sure that at least one of the users is in
wheel
group (has access to sudo). Root should not have access to login via SSH. So if you will block this option and you won't have any sudo user, you won't be able to do much on the server. Follow this tutorial in order to configure sudo.
Disable password authentication for SSH on CentOS
Login to Your server/Vagrant Box and open SSH daemon configuration file:
sudo vi /etc/ssh/sshd_config
Now we need to find the line for password authentication and change it to:
PasswordAuthentication no
Unfortunately, disabling this option can still lead to password authentication by using PAM-based authentication. In order to fully disable authentication with password, make sure that PAM is also disabled:
ChallengeResponseAuthentication no
Also we need to make sure that this line is uncommented. It will enable SSH login by using public key:
PubkeyAuthentication yes
Save the file and exit from the editor. In order to apply changes, you need to restart SSH daemon:
service sshd restart
After that, try to open new SSH session in new window. Do not logout from your current session! If you won't be able to login with new session, you can undo the changes with existing session. If you will be able to successfully login, you can proceed.
How to secure SSH on CentOS even more?
There are still some things that will help you improve SSH security. Edit the same configuration file as before. Below You will find the configuration options that I usually use for SSH.
Disable root login
PermitRootLogin no
This option will disable root login via ssh. So it means that from now on you won't be able to login to your server as root via ssh.
Allow only specific users to be able to login via SSH
AllowUsers developer
By default you are able to login as any user that is created inside the system. It can be easily limited to particular users. Just give space separated list after AllowUsers
. It might not be present in your config, so you need to add this line (for instance at the end of the file).
AllowUsers developer vagrant
Enable protocol 2 for ssh
Protocol 2
This option is set by default in most CentOS installation, but just make sure that there's no version 1 instead. It's less secure protocol.
Ignore rhost
IgnoreRhosts yes
It will disable insecure access via RSH.
Disable login for users with empty passwords
PermitEmptyPasswords no
This line will disable login for users that have empty passwords. Make sure that your account has password set, before changing that!
Enable strict mode for ssh
StrictModes yes
SSH will check users's permission in their home directory before accepting login. It should be set to yes because users may leave their directory or files world-writable. Again, this might be tricky. It's the best to change that, restart SSHD daemon and try to login from new session. If you have any problems, you can undo this change with existing session. If you have any issues with that, try to set valid permissions for your .ssh
directory and files inside. Also set valid username and group for your files:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
chown -R YOUR_USERNAME:YOUR_USERNAME ~/.ssh
Disable other authentication methods
GSSAPIAuthentication no
KerberosAuthentication no
If you don't plan to login with GSS API, or Kerberos you can disable them as well.
Disable X11 Forwarding
X11Forwarding no
If you don't use X11 you can safely disable it as well.
Show last login
PrintLastLog yes
Nice feature is to show last successful login after you will login via SSH.
Restart SSH daemon
Remember that after any changes inside the file You need to restart sshd daemon:
sudo service sshd restart
SSH crypto
In addition to changes above that should be applied, you can increase SSH security even more by configuring ciphers and available algorithms (thanks to @Amar for the suggestion:)
This is usually safe to execute, but you must remember that not all algorithms are supported by various tool. Here you can find great chart showing, which tools support given algorithms. But let's be honest, most of you is probably using OpenSSH which supports all the changes I will present here. However if you are using different tool and you won't be able to login to your server, check with the page and enable additional algorithms.
These config options will probably not be listed in your config file. You need to just add them somewhere, like at the end of the file.
Configure server authentication
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
Server must confirm the identity to the client. There are bunch of algorithms available, but this is the list of most secure.
This might be present in your configuration file, also there might be more not commented lines with HostKeys
. Leave only these two enabled and comment out the rest.
Configure key exchange
KexAlgorithms curve25519-sha256@libssh.org
There are many more key exchange algorithms, but this is probably the most secure.
Configure ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
Ciphers are used to encrypt the data. As with key exchange, there are multiple algorithms. These are the safest.
MACs - Message Authentication Codes
MACs hmac-ripemd160,hmac-ripemd160-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,umac-128-etm@openssh.com
MACs are used for data integrity. Again, line above contains the safest algorithms only.
After these changes, don't forget to restart sshd daemon.
Easier way?
You can use our Ansible LAMP on Steroids project to make configuration of your server easier!
If you don't know what Ansible is, check our tutorial first.
Clone our repository and setup your server faster with LAMP on steroids.