How to Harden the OpenSSH Client on Ubuntu 20.04

If you followed our Disable Root Login on Ubuntu 20.04 tutorial and/or How to Change the Default SSH Port on Ubuntu 20.04, you made SSH a little more difficult to attack. But we can do more. Follow along if you really want to make it difficult for the hackers out there.

Terms and Placeholders

SERVER-IP - Replace this with the IP address of your server
MYUSER - Replace this with the username you use for normal logins to the server (e.g. Bob, Joe, Linda)

Hardening SSH

Let's start by opening our SSH Config file.

$ sudo nano /etc/ssh/ssh_config

Disable Legacy Ciphers

Arcfour ciphers and Cipher Block Chaining are no longer recommended, so unless you absolutely need them, disable them by adding the following line at the very top of the file:

Ciphers -arcfour*,-*cbc

X11 forwarding allows for the display of a GUI over an SSH connection. If you plan on only using the command line it is a good idea to disable this. It helps prevent malicious or compromised servers from forwarding an X11 session to your client, which can allow for filesystem permissions to be bypassed, or for local keystrokes to be monitored. Look for this:

#   ForwardX11 no
#   ForwardX11Trusted no

and change it to this:

ForwardX11 no
ForwardX11Trusted no

SSH Tunneling

If you are not going to use SSH tunneling, turn it off. If you do not know, leave it as is. Look for this:

#   Tunnel no

and change it to this:

Tunnel no

If you do not need SSH agent forwarding, disable it to prevent servers from requesting to use your local SSH agent to authenticate onward SSH connections. Look for this:

#   ForwardAgent no

and change it to this:

ForwardAgent no

GSSAPI & HostBased Authentication

If you have followed tutorials here, you have configured your server to use password authentication or public-key authentication. OpenSSH also supports other forms of authentication. Unless you need them, go ahead and disable them to reduce the potential for attacks. Look for this:

#   HostbasedAuthentication no
#   GSSAPIAuthentication no

and change it to this:

HostbasedAuthentication no
GSSAPIAuthentication no

Be sure that strict host key checking is enabled, to make sure that you are warned when the host key/fingerprint of a remote server changes, or when connecting to a new server for the first time. Look for this:

#   StrictHostKeyChecking ask

and change it to this:

StrictHostKeyChecking ask

Now save the file by pressing [CTRL-X], then Y, then [ENTER], and reload the sshd service:

$ sudo systemctl reload sshd
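
To confirm the settings above are the ones the client will actually use, the following added example (not part of the original tutorial) audits the output of `ssh -G`, which prints the effective client configuration for a host. The function names `audit_ssh_client` and `sample_hardened` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ssh -G` output (read on stdin) against this tutorial's
# client settings. Prints one FAIL line per problem; returns non-zero on any.
audit_ssh_client() {
    awk '
    BEGIN {
        # ssh -G prints keywords in lower case; values are regex alternatives.
        want["forwardx11"] = "no"
        want["forwardx11trusted"] = "no"
        want["forwardagent"] = "no"
        want["tunnel"] = "no|false"      # assumption: either spelling may be printed
        want["hostbasedauthentication"] = "no"
        want["gssapiauthentication"] = "no"
        want["stricthostkeychecking"] = "ask|yes|true"   # stricter "yes" also passes
    }
    { seen[tolower($1)] = $2 }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) { print "FAIL " k " missing"; bad++ }
            else if (seen[k] !~ ("^(" want[k] ")$")) { print "FAIL " k " " seen[k]; bad++ }
        }
        # Mirror the "Ciphers -arcfour*,-*cbc" line: no arcfour*, nothing ending in cbc.
        n = split(seen["ciphers"], c, ",")
        for (i = 1; i <= n; i++)
            if (c[i] ~ /^arcfour/ || c[i] ~ /cbc$/) { print "FAIL ciphers " c[i]; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample of hardened `ssh -G` output (not captured from a real host).
sample_hardened() {
    cat <<'EOF'
forwardagent no
forwardx11 no
forwardx11trusted no
gssapiauthentication no
hostbasedauthentication no
stricthostkeychecking ask
tunnel false
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
EOF
}

sample_hardened | audit_ssh_client && echo "client config matches the tutorial"
```

On a real system, run `ssh -G SERVER-IP | audit_ssh_client`; no FAIL lines means every check passed.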
