SSH (Secure Shell) is the primary remote administration protocol for Linux systems — and it is the number one target for attackers on any internet-facing server. A single misconfigured SSH service can lead to complete system compromise. In this lesson, you will learn how to harden SSH to resist brute-force attacks, credential theft, and unauthorized access.
The SSH server configuration lives at /etc/ssh/sshd_config. Every security setting is controlled through this file. After making changes, check the file for syntax errors with 'sudo sshd -t', then restart the SSH service with 'sudo systemctl restart sshd' (the unit is named 'ssh' rather than 'sshd' on Debian-based distributions).
Here is a comprehensive hardened SSH configuration. Each directive serves a specific security purpose:
# /etc/ssh/sshd_config — Hardened Configuration
# === Authentication ===
# Disable root login via SSH (use sudo instead)
PermitRootLogin no
# Use SSH protocol 2 only (protocol 1 is obsolete and insecure). OpenSSH 7.4 and later
# speak only protocol 2, log a "Deprecated option" notice for this line and ignore it;
# it still matters for older servers.
Protocol 2
# Disable password authentication — use keys only
PasswordAuthentication no
# Enable public key authentication
PubkeyAuthentication yes
# Restrict logins to an explicit list of users (allow-list approach)
AllowUsers analyst admin
# Or restrict by group. If both directives are present, a user must match both lists,
# so keep only one of them unless that is what you want.
AllowGroups ssh-users
# === Session Security ===
# Drop unresponsive clients: probe every 300 seconds (5 minutes) and disconnect after
# 2 unanswered probes. This detects dead connections, not idle sessions: a client that
# is connected but idle still answers the probe and is never disconnected.
ClientAliveInterval 300
ClientAliveCountMax 2
# Disable empty passwords
PermitEmptyPasswords no
# Disable X11 forwarding (reduces attack surface)
X11Forwarding no
# Disable TCP forwarding unless needed (prevents tunneling)
AllowTcpForwarding no
AllowAgentForwarding no
# Disable .rhosts and /etc/hosts.equiv
IgnoreRhosts yes
HostbasedAuthentication no
# === Cryptographic Hardening ===
# Use strong key exchange algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
# Use strong ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
# Use strong MACs
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# === Logging ===
# Increase logging level
LogLevel VERBOSE
# === Connection Limits ===
# Limit authentication attempts
MaxAuthTries 3
# Limit concurrent unauthenticated connections: refuse 30% of new connections once 3 are
# pending, rising to 100% at 10 (start:rate:full)
MaxStartups 3:30:10
# Disconnect clients that have not authenticated within 30 seconds
LoginGraceTime 30

SSH keys are the most secure authentication method. Unlike passwords, they cannot be brute-forced (with sufficient key length), and the private key never leaves the client, so no reusable credential crosses the network.
💡 Ed25519 keys are shorter, faster, and more secure than RSA keys. They are supported on OpenSSH 6.5+ (2014). Use RSA-4096 only when connecting to legacy systems that do not support Ed25519.
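The following script is an added example and not part of the lesson. It generates an Ed25519 key pair with ssh-keygen and installs the public key into an authorized_keys file the way ssh-copy-id does on the remote host, with the directory and file permissions that sshd's StrictModes setting (on by default) requires before it will accept the key. The function names, the 100 KDF rounds, the optional authorized_keys options prefix and the test key line are my choices, not anything the lesson specifies.

```shell
#!/bin/sh
# Added example, not from the lesson: generate an Ed25519 key pair and install its public key
# the way ssh-copy-id would, with the permissions sshd's StrictModes (on by default) insists on.
set -eu

# generate_key PATH PASSPHRASE [COMMENT]
#   -t ed25519 : the key type recommended above (OpenSSH 6.5+)
#   -a 100     : 100 KDF rounds, slowing offline guessing of the passphrase if the private
#                key file is ever stolen
#   -N         : passphrase; an empty string produces an unprotected key, so pass a real one
generate_key() {
    key_path=$1
    passphrase=$2
    comment=${3:-"${USER:-$(id -un)}@$(uname -n)"}
    ssh-keygen -q -t ed25519 -a 100 -N "$passphrase" -C "$comment" -f "$key_path"
}

# install_authorized_key PUBKEY_FILE TARGET_HOME [OPTIONS]
#   Appends the public key to TARGET_HOME/.ssh/authorized_keys (once), creating the directory
#   with mode 700 and the file with mode 600; sshd rejects keys in group/world-writable
#   locations. OPTIONS is an optional authorized_keys prefix such as "restrict,pty" or
#   "from=\"203.0.113.0/24\"" that limits what this key may be used for.
install_authorized_key() {
    pub=$1
    home_dir=$2
    options=${3:-}
    auth="$home_dir/.ssh/authorized_keys"
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$auth"
    chmod 600 "$auth"
    key_line=$(cat "$pub")
    [ -z "$options" ] || key_line="$options $key_line"
    # -x: whole-line match, -F: literal string, so the same entry is never appended twice
    grep -qxF -- "$key_line" "$auth" || printf '%s\n' "$key_line" >> "$auth"
}

# fingerprint KEY_FILE
#   Prints the SHA256 fingerprint. With LogLevel VERBOSE, sshd records this fingerprint on
#   every "Accepted publickey" line, so you can tell which key was used for a login.
fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{ print $2 }'
}
```

Typical use is generate_key ~/.ssh/id_ed25519 "$passphrase" on the client, copying the .pub file to the server (or running ssh-copy-id), and install_authorized_key there; compare the output of fingerprint against the sshd log to confirm the login used the key you expect.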
Even with key-based authentication, you should defend against brute-force attempts. fail2ban is the standard tool for this — it monitors log files and automatically bans IPs that show malicious behavior.
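As an added example (not from the lesson), here is a fail2ban jail definition for sshd together with a small awk scan that shows, on a few constructed log lines, the counting that such a jail performs: failures are attributed to the source address after "from", and an address that reaches maxretry is reported. The jail values (3 failures, 600-second window, 3600-second ban), the sample log lines and the function names are my choices; fail2ban's real sshd filter matches many more line shapes and applies the findtime window, which this scan omits.

```shell
#!/bin/sh
# Added example, not from the lesson: a fail2ban jail for sshd and a small scan that shows
# what the jail's failure counting does on a few constructed auth.log lines.
set -eu

# write_jail_local PATH
#   Content for /etc/fail2ban/jail.local. jail.conf ships with the package and is replaced
#   on upgrade; jail.local overrides it and survives. %(sshd_log)s and %(sshd_backend)s are
#   resolved from fail2ban's paths-*.conf for the distribution.
write_jail_local() {
    cat > "$1" <<'EOF'
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = %(sshd_log)s
backend  = %(sshd_backend)s
# ban after 3 failures within 10 minutes, for 1 hour
maxretry = 3
findtime = 600
bantime  = 3600
EOF
}

# sample_log PATH
#   Writes constructed sshd log lines using documentation address ranges. Real lines come
#   from /var/log/auth.log (or journalctl -u sshd).
sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 44412 ssh2
Mar  3 10:01:15 host sshd[1203]: Invalid user oracle from 203.0.113.7 port 44420
Mar  3 10:01:20 host sshd[1205]: Failed password for root from 203.0.113.7 port 44431 ssh2
Mar  3 10:02:01 host sshd[1210]: Failed publickey for analyst from 198.51.100.4 port 50120 ssh2: ED25519 SHA256:ConstructedFingerprint
Mar  3 10:02:05 host sshd[1212]: Accepted publickey for analyst from 198.51.100.4 port 50122 ssh2: ED25519 SHA256:ConstructedFingerprint
EOF
}

# scan_failed_logins LOGFILE MAXRETRY
#   Counts authentication failures per source address and prints, sorted, the addresses
#   that reached MAXRETRY. Only the common "Failed ... for" and "Invalid user" lines are
#   matched here; the single key failure from 198.51.100.4 stays below the threshold.
scan_failed_logins() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: (Failed (password|publickey) for|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' "$1" | sort
}
```

After installing the jail and restarting fail2ban, 'sudo fail2ban-client status sshd' lists the currently banned addresses, and 'sudo fail2ban-client set sshd unbanip ADDR' releases a false positive (for example an administrator who mistyped a passphrase three times).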
⚠️ When hardening SSH, always keep one active session open while testing changes. Open a second terminal to test the new configuration. If you lock yourself out, the first session remains active. Also, always verify your key-based authentication works BEFORE disabling password authentication.
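The script below is an added example, not part of the lesson, that ties the hardened configuration above to the lockout warning. It audits the effective server configuration (the output of 'sshd -T', which prints every directive in lowercase after defaults, Include files and Match blocks have been applied) against the values from the hardened configuration, and it applies a changed file the way the warning describes: back up, syntax-check with 'sshd -t', restart, re-audit, and then verify from a second terminal while the current session stays open. The script name, the function names and the exact list of audited directives are my choices.

```shell
#!/bin/sh
# harden-sshd-apply.sh (hypothetical name): audit and safely apply the hardened sshd_config.
# Added example; not from the lesson. Run as root (sshd -T and the restart need it).
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Directive/value pairs taken from the hardened configuration in the lesson. `sshd -T`
# prints directive names in lowercase, one per line, so comparing against its output
# catches typos, overrides in Include'd files and directives that never took effect.
EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
hostbasedauthentication no
ignorerhosts yes
x11forwarding no
allowtcpforwarding no
allowagentforwarding no
maxauthtries 3
logingracetime 30
loglevel VERBOSE'

# audit_effective_config FILE
#   FILE contains the output of `sshd -T`. Prints one MISMATCH line per directive whose
#   effective value differs from EXPECTED; prints nothing when everything matches.
audit_effective_config() {
    dump=$1
    printf '%s\n' "$EXPECTED" | while read -r key want; do
        have=$(awk -v k="$key" '$1 == k { print $2; exit }' "$dump")
        [ "$have" = "$want" ] ||
            printf 'MISMATCH %s: want "%s", have "%s"\n' "$key" "$want" "${have:-<unset>}"
    done
}

# service_unit: Debian-based systems name the unit "ssh", most others "sshd".
service_unit() {
    if systemctl list-unit-files sshd.service 2>/dev/null | grep -q '^sshd\.service'; then
        echo sshd
    else
        echo ssh
    fi
}

# safe_apply: keep your current SSH session open while this runs (see the warning above).
safe_apply() {
    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
    # -t validates syntax and exits non-zero on error without touching the running daemon;
    # a broken file would otherwise leave sshd unable to start after the restart.
    sshd -t -f "$SSHD_CONFIG"
    systemctl restart "$(service_unit)"
    dump=$(mktemp)
    sshd -T > "$dump"
    audit_effective_config "$dump"
    rm -f "$dump"
    cat <<'EOF'
Now, from a SECOND terminal, before closing this session:
  ssh -o PasswordAuthentication=no -o PubkeyAuthentication=yes user@host          # must succeed
  ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@host  # must be refused
If either result is wrong, restore the .bak copy from this session and restart the service.
EOF
}

case "${1:-}" in
    audit) dump=$(mktemp); sshd -T > "$dump"; audit_effective_config "$dump"; rm -f "$dump" ;;
    apply) safe_apply ;;
esac
```

'sudo sh harden-sshd-apply.sh audit' reports drift on a server that was hardened earlier (for example a later Include file re-enabling password authentication); 'sudo sh harden-sshd-apply.sh apply' performs the guarded restart and prints the two checks to run from the second terminal.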