How to Customize SSH Settings For Maximum Security | Tips & Tricks
The SSH configuration file on your Unix system controls how secure shell operates. It can be used to make the ssh command easier to use, configure specific user-desired functions, or harden security against potential attacks. While relatively simple actions, like changing the ssh port on your devices, can often eliminate a huge number of ssh “cold calls” on your machine, the ssh configuration file can do much more than that.
Where is the SSH configuration file?
On Linux systems, you can find your system-wide ssh configuration file at “/etc/ssh/ssh_config.”
On macOS systems, the same file is found at “/private/etc/ssh/ssh_config,” which is symlinked to “/etc/ssh/ssh_config” for compatibility.
A second, user-specific ssh_config file can be located at “~/.ssh/ssh_config” (the “~” symbol represents the home directory). This file supersedes the system-wide configuration file, allowing you to set user-specific options without changing the system’s configuration. Systems don’t always ship with a “~/.ssh/ssh_config” file, but it can be created easily.
Going forward, we will refer to this configuration file as “ssh_config” for clarity and simplicity.
Editing the ssh_config file
To edit the ssh_config file, open a Terminal window and edit the file with your preferred text editor. We will use nano in this demo, but vi or emacs can be used instead.
sudo nano /etc/ssh/ssh_config
This will open a file with dozens of commented lines explaining what the file does, but it’s not a full explanation.
What is the ssh_config file and what does ssh_config do?
The ssh_config file is used to control how secure shell, better known as the ssh terminal command, operates on your system. The ssh_config file is organized by hosts. Each host contains specific settings for that host. Wildcards like * can be used to match multiple hostnames with a single declaration.
Options are declared using a key/definition pair. There are many keys available. A detailed explanation of each key’s functionality can be found on the ssh_config man page.
Hardening your SSH configuration
Locking down the files: before editing, ensure that both the ssh_config and sshd_config files are owned by root (user and group). In most cases you will also want to remove all permissions for anyone but root. The commands below apply this to sshd_config; the client-side ssh_config has to stay readable by the users who run ssh.
sudo chown root:root /etc/ssh/sshd_config
sudo chmod og-rwx /etc/ssh/sshd_config
Confirm SSH Protocol 2
Ensure you are using the newer and modern Protocol 2 instead of Protocol 1. The older protocol works with a weaker integrity check and is generally less secure.
To explicitly set the protocol, use the following line in your ssh_config:
Protocol 2
You can also implicitly set your protocol by using Ciphers, which will automatically set Protocol to 2 to use modern Ciphers.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Disallow empty passwords
Ensure that every SSH account uses a password when logging in by blocking empty passwords.
Disallow root login
Logging in directly as root is seldom necessary on most Linux systems. Preventing root login lets you lock accounts down to exactly what is needed instead of granting system-wide access, and root is also the account most often targeted in attacks. PermitRootLogin is a server-side (sshd_config) directive; its options are “yes,” “without-password,” “forced-commands-only,” or “no.” The default is “yes.” To stop root login completely, use the line below.
PermitRootLogin no
Change the port number
You are able to change the port number from 22 (the default) as a way to limit the direct hits to your server on that port. This will limit most people who are utilizing a script going to that port, or who are attacking that port manually. However, this will not limit those who scan for open ports and attack whatever is open. In addition to that, you will need to ensure that anyone who accesses through this port is aware of the new number, and that new port number is utilized by any client or software.
To adjust the port, edit the ssh daemon’s configuration at “/etc/ssh/sshd_config.” Add a new line specifying the port, following the syntax Port XXXXX.
Restrict access
If multiple people access your server, you may want to restrict who can use ssh at all. For those instances, you can allow and deny both users and groups, using one of the following keys followed by the values you’d like to permit or deny: DenyUsers, AllowUsers, DenyGroups, and AllowGroups. The keys are processed in this order, so a user listed under DenyUsers is denied even if the same user also appears under AllowUsers.
AllowUsers ramesh john jason
AllowGroups sysadmin dba
DenyUsers cvs apache jane
DenyGroups developers qa
Update the LoginGraceTime
By default, a client has two minutes after connecting to complete its login before the server disconnects it. Shortening this window helps limit unauthorized connection attempts. A typical suggestion is one minute or less. Set the time using LoginGraceTime.
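Taken together, the server-side steps above (root-owned config files, Protocol 2, no empty passwords, no root login, a non-default port, Allow/Deny lists and a short LoginGraceTime) form a checklist that can be verified automatically. The script below is an added example, not from the article: a read-only audit in POSIX sh that prints one WARN line for each setting that falls short of the checklist and returns the number of findings. The two embedded configs are constructed samples, and the function names and WARN format are this example’s own. All of these keywords are sshd_config (server) directives, so they belong in /etc/ssh/sshd_config rather than the client ssh_config.

```shell
#!/bin/sh
# Added example, not from the original article: a read-only audit of an
# sshd_config against the hardening checklist above. It prints one WARN line
# per weak or missing setting and returns the number of findings, so it can
# gate a deployment. It changes nothing; validate syntax with `sshd -t -f FILE`.
# The two sample configs are constructed for this demo.

WEAK_SSHD_CONFIG='# constructed sample: an unhardened server config
Protocol 2,1
PermitRootLogin yes
PermitEmptyPasswords yes
Port 22
LoginGraceTime 2m
'

HARDENED_SSHD_CONFIG='# constructed sample: the settings the article asks for
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
PermitEmptyPasswords no
PermitRootLogin no
Port 22222
AllowGroups sysadmin dba
LoginGraceTime 30
'

# audit_sshd_stream: reads an sshd_config on stdin, prints WARN lines and
# returns the number of findings (0 means every check passed).
# sshd keywords are case-insensitive and the FIRST occurrence of a keyword
# wins; both rules are mirrored here. Match blocks and Include are not handled.
audit_sshd_stream() {
    protocol= emptypw= rootlogin= port= grace= allow=
    while read -r k v; do
        case $k in ''|'#'*) continue ;; esac
        lk=$(printf '%s' "$k" | tr 'A-Z' 'a-z')
        case $lk in
            protocol)             [ -n "$protocol" ]  || protocol=$v ;;
            permitemptypasswords) [ -n "$emptypw" ]   || emptypw=$v ;;
            permitrootlogin)      [ -n "$rootlogin" ] || rootlogin=$v ;;
            port)                 [ -n "$port" ]      || port=$v ;;
            logingracetime)       [ -n "$grace" ]     || grace=$v ;;
            allowusers|allowgroups) allow=yes ;;
        esac
    done
    n=0
    case $protocol in
        *1*) echo "WARN: Protocol '$protocol' still allows SSH-1; use Protocol 2"; n=$((n+1)) ;;
    esac
    [ "${emptypw:-no}" = no ] || { echo "WARN: PermitEmptyPasswords $emptypw"; n=$((n+1)); }
    [ "$rootlogin" = no ] || { echo "WARN: PermitRootLogin is '${rootlogin:-unset}', expected no"; n=$((n+1)); }
    [ "${port:-22}" != 22 ] || { echo "WARN: sshd listens on the default port 22"; n=$((n+1)); }
    # LoginGraceTime defaults to 120 seconds; accept plain seconds, Ns or Nm
    grace_s=${grace:-120}
    case $grace_s in
        *m) grace_s=$(( ${grace_s%m} * 60 )) ;;
        *s) grace_s=${grace_s%s} ;;
    esac
    [ "$grace_s" -le 60 ] || { echo "WARN: LoginGraceTime ${grace:-unset} exceeds 60 seconds"; n=$((n+1)); }
    [ "$allow" = yes ] || { echo "WARN: no AllowUsers/AllowGroups restriction"; n=$((n+1)); }
    return $n
}

# audit_sshd_config FILE: the same audit plus the ownership/mode check from
# the "Locking down the files" step (root-owned, no group/other access).
audit_sshd_config() {
    f=$1
    if ! owner_mode=$(stat -c '%U %a' "$f" 2>/dev/null); then
        owner_mode=$(stat -f '%Su %Lp' "$f")      # BSD/macOS stat
    fi
    owner=${owner_mode% *} mode=${owner_mode#* }
    n=0
    [ "$owner" = root ] || { echo "WARN: $f is owned by $owner, expected root"; n=$((n+1)); }
    case $mode in
        *00) ;;
        *) echo "WARN: $f has mode $mode; run chmod og-rwx"; n=$((n+1)) ;;
    esac
    audit_sshd_stream < "$f" || n=$((n + $?))
    return $n
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` as root after editing; a non-zero exit code means at least one finding. The script checks settings only, so still run `sshd -t -f /etc/ssh/sshd_config` to catch syntax errors before restarting the daemon.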
Customizing SSH Configurations
Creating aliases
ssh command-line options can be specified through aliases in ssh_config. The following alias allows the user to connect to the dev server with the specified options simply by typing ssh dev at the command line.
Host dev
HostName dev.example.com
Port 22222
User foobar
This runs the following command when executed:
ssh foobar@dev.example.com -p 22222
Note that the ssh port has been changed to 22222 to deter cold calls. Otherwise, it’s a very simple ssh connection, shortened by many characters for convenience.
Authentication with secure keypairs
ssh is more secure and convenient when used with public/private keypairs for authentication, rather than passwords. The ssh_config file can declare a specific key for a specific host using the IdentityFile key.
Host dev
HostName dev.example.com
Port 22222
User foobar
IdentityFile ~/.ssh/dev.example.key
As in the previous example, this connection is started with ssh dev, which executes the equivalent of the following command:
ssh -i ~/.ssh/dev.example.key foobar@dev.example.com -p 22222
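The Host blocks above, and the "hosts and wildcards" description earlier on this page, are resolved by the client under fixed rules, and it is worth seeing those rules in code. The following is an added example, not part of the original article: a miniature ssh_config resolver in POSIX sh that walks Host blocks top to bottom, applies the * and ? wildcards, keeps the first value it finds for each key, and rebuilds the command line that `ssh dev` is equivalent to. The sample configuration, host names and key path are constructed for the demo, and the example goes a little beyond the article’s blocks by adding a wildcard block and a `Host *` fallback to show why generic defaults must come last. The real resolver is ssh itself, which reads the per-user client file from ~/.ssh/config; `ssh -G dev` prints the effective options it computes for an alias.

```shell
#!/bin/sh
# Added example, not from the original article: a miniature resolver for
# OpenSSH client configuration. It shows how Host blocks, wildcards and the
# "first obtained value wins" rule combine into the effective settings for
# an alias. SAMPLE_CONFIG, its host names and the key path are constructed.
# The real resolver is ssh itself: `ssh -G dev` prints the effective options.

SAMPLE_CONFIG='# constructed per-user client configuration
Host dev
HostName dev.example.com
Port 22222
User foobar
IdentityFile ~/.ssh/dev.example.key

Host *.example.com
User deploy

Host *
Port 22
StrictHostKeyChecking ask
'

# resolve_option ALIAS KEY [CONFIG_TEXT]
# Walk the Host blocks top to bottom. A block is active when any of its
# patterns matches ALIAS (* and ? wildcards, as in ssh_config). The first
# value found for KEY wins and later blocks cannot override it, which is
# why "Host *" defaults belong at the END of the file.
# Simplifications: no Match blocks, no "!" negated patterns, and keys are
# compared case-sensitively.
resolve_option() {
    alias=$1 key=$2 config=${3:-$SAMPLE_CONFIG}
    printf '%s\n' "$config" | {
        active=1           # lines before the first Host block apply everywhere
        while read -r k v; do
            case $k in
                ''|'#'*) continue ;;
                Host)
                    active=0
                    set -f     # keep the shell from expanding * against the filesystem
                    for pat in $v; do
                        case $alias in
                            $pat) active=1 ;;
                        esac
                    done
                    set +f ;;
                *)
                    if [ "$active" = 1 ] && [ "$k" = "$key" ]; then
                        printf '%s\n' "$v"
                        exit 0 # leaves only this pipeline subshell
                    fi ;;
            esac
        done
    }
}

# ssh_command_for ALIAS: the command line that `ssh ALIAS` is equivalent to
# under SAMPLE_CONFIG (the "-i KEY user@host -p PORT" form shown above).
ssh_command_for() {
    alias=$1
    host=$(resolve_option "$alias" HostName)
    [ -n "$host" ] || host=$alias            # HostName defaults to the alias
    user=$(resolve_option "$alias" User)
    port=$(resolve_option "$alias" Port)
    ident=$(resolve_option "$alias" IdentityFile)
    cmd=ssh
    if [ -n "$ident" ]; then cmd="$cmd -i $ident"; fi
    if [ -n "$user" ]; then cmd="$cmd $user@$host"; else cmd="$cmd $host"; fi
    if [ -n "$port" ] && [ "$port" != 22 ]; then cmd="$cmd -p $port"; fi
    printf '%s\n' "$cmd"
}

ssh_command_for dev                 # ssh -i ~/.ssh/dev.example.key foobar@dev.example.com -p 22222
ssh_command_for prod.example.com    # ssh deploy@prod.example.com
```

Because the first match wins, `ssh dev` gets Port 22222 from its own block while still inheriting StrictHostKeyChecking from `Host *`; a host that matches only the wildcard block gets the shared User and the default port. Putting `Host *` at the top would silently override every specific block below it.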
Setting other ssh options
The ssh options below are some of the more common keys found in ssh_config files.
Compression
: This key takes “yes” or “no” as arguments and enables or disables compression for a host. This is typically not necessary unless the connection is unbelievably slow.
LogLevel
: Set the level of detail in the ssh client-side logs. From least verbose to most verbose, the options are QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG1, DEBUG2, and DEBUG3.
StrictHostKeyChecking
: Set how ssh treats hosts that are not yet in the known_hosts file. “yes” never adds new hosts to known_hosts (connections to unknown hosts are refused). “no” always adds them. “ask,” which is the default, prompts the user before adding a host. “yes” provides the most protection against Trojan horse attacks, but it can be tedious with a badly managed known_hosts file. “no” is the least secure but can make connecting to a large number of temporary hosts less painful.
UserKnownHostsFile
: Specify the path for a user-specific known_hosts file.
Connection forwarding
ssh is often used to forward connections, allowing a local connection to tunnel through a remote connection. The following options can be used to configure connection forwarding.
LocalForward
: Define a connection to forward a local port’s traffic to a remote machine. This tunnels the connection out through the remote network.
RemoteForward
: Define a remote port to be tunneled out of a local port. This is the inverse of the above option.
DynamicForward
: Configure a local port to be used with a dynamic forwarding protocol.
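As an added example that is not part of the original article, the fragment below shows the syntax of the three forwarding directives inside a Host block and translates each into the ssh flag it corresponds to (-L, -R and -D). The host names and ports are constructed placeholders. Unless a bind address is given, the listening side of each forward stays on the loopback interface (subject to GatewayPorts), which is the safe default: a DynamicForward port is a SOCKS proxy into the remote network, and a RemoteForward exposes a local service on the remote host, so neither should be reachable by other machines without a deliberate decision.

```shell
#!/bin/sh
# Added example, not from the original article: the three forwarding
# directives as written in ssh_config and the command-line flags each one
# corresponds to. Host names and ports are constructed placeholders.

FORWARD_CONFIG='Host bastion
HostName bastion.example.com
LocalForward 8080 intranet.example.com:80
RemoteForward 2222 localhost:22
DynamicForward 1080
'

# forward_flags [CONFIG_TEXT]: print the -L / -R / -D flag for each forwarding
# directive. In ssh_config the listening port and the destination are separated
# by whitespace; on the command line they are joined with a colon.
# DynamicForward takes only a listening port (it opens a SOCKS proxy there).
forward_flags() {
    printf '%s\n' "${1:-$FORWARD_CONFIG}" | while read -r k listen dest; do
        case $k in
            LocalForward)   printf '%s %s:%s\n' -L "$listen" "$dest" ;;
            RemoteForward)  printf '%s %s:%s\n' -R "$listen" "$dest" ;;
            DynamicForward) printf '%s %s\n'    -D "$listen" ;;
        esac
    done
}

forward_flags
```

With the sample block in place, `ssh bastion` sets up all three forwards at once; typing the printed flags by hand gives the same result for a single session.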
Conclusion
Most of the ssh_config options exist to provide more convenient ways to perform specific tasks using the ssh command. It’s a way to configure complex aliases and shortcuts that helps increase security by making the more secure parts of ssh easier to use.