SSH Hardening

SSH (Secure Shell) is the primary remote access protocol for Unix/Linux systems. A default SSH installation is a common attack target - password authentication, root login, and default port exposure all expand your attack surface. This note covers key-based authentication, sshd_config hardening, jump hosts, port forwarding security, and session auditing.

---

SSH Authentication Fundamentals

Password Auth vs Key Auth

Factor	Password auth	Key auth
What’s shared	Hash stored server-side; password sent over encrypted channel	Only the public key is on the server; private key never leaves client
Brute-forceable	Yes - automated spray/brute-force attacks are continuous	No - mathematically infeasible to derive private key from public key
Phishable	Yes - tricked into entering on fake site	No - key auth never transmits a secret
Lost credential	Attacker can use it from anywhere	Private key is on your device; attacker needs both key + passphrase
Recommendation	Disable in production	✅ Use always

Key Generation

# Generate an Ed25519 key pair (modern, fast, small)
ssh-keygen -t ed25519 -C "alice@workstation" -f ~/.ssh/id_ed25519
# Passphrase protects the private key at rest - use one

# Generate RSA 4096 (for legacy systems that don't support Ed25519)
ssh-keygen -t rsa -b 4096 -C "alice@workstation" -f ~/.ssh/id_rsa_4096

# View fingerprint of a key (to verify identity)
ssh-keygen -lf ~/.ssh/id_ed25519.pub          # your public key
ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub   # server host key

# Files created:
#   ~/.ssh/id_ed25519       ← private key (NEVER share; passphrase-protected)
#   ~/.ssh/id_ed25519.pub   ← public key (share freely; put on servers)

Installing a Public Key on a Server

# Method 1: ssh-copy-id (easiest)
ssh-copy-id -i ~/.ssh/id_ed25519.pub [email protected]

# Method 2: manual append (when ssh-copy-id isn't available)
cat ~/.ssh/id_ed25519.pub | ssh alice@server 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

# Method 3: if you have sudo/root on the server already
cat id_ed25519.pub >> /home/alice/.ssh/authorized_keys
chown alice:alice /home/alice/.ssh/authorized_keys
chmod 600 /home/alice/.ssh/authorized_keys

Caution

Key permission enforcement: If ~/.ssh is group/world-writable, or authorized_keys has wrong permissions, SSH will refuse to use the keys. SSH silently falls back to password auth instead of erroring - making this a common misconfiguration trap.

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_ed25519   # private key: owner-read only
chmod 644 ~/.ssh/id_ed25519.pub

SSH Agent

The agent holds your decrypted private key in memory - you enter the passphrase once per session:

# Start the agent and load your key
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_ed25519    # prompts for passphrase once

# List loaded keys
ssh-add -l

# Remove all keys from agent
ssh-add -D

# Set key lifetime in agent (auto-removes after 4 hours)
ssh-add -t 14400 ~/.ssh/id_ed25519

# Forwarding agent to a jump host (enables onward key auth)
ssh -A jumphost.example.com
# Then from jumphost: ssh [email protected] (uses forwarded agent)

Note

Agent forwarding (-A) risk: The agent socket is forwarded to the remote host. If that host is compromised, an attacker can use your forwarded agent to authenticate to other hosts as you - during your session. Use agent forwarding only to trusted, well-secured systems. For multi-hop connections, prefer ProxyJump instead.

---

sshd_config Hardening

The server-side configuration lives at /etc/ssh/sshd_config. Apply these settings:

# /etc/ssh/sshd_config - production hardening

# --- Protocol and algorithms ---
Protocol 2                              # SSH v1 is broken - explicitly enforce v2
Port 22                                 # changing port reduces noise but isn't security
#Port 2222                             # optional: non-standard port

# --- Host keys (use Ed25519 and RSA only; remove DSA/ECDSA-256) ---
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# --- Authentication ---
PermitRootLogin no                      # never allow direct root SSH
PasswordAuthentication no               # DISABLE password auth
PubkeyAuthentication yes               # enable key auth
AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no                # disallow empty-password accounts
ChallengeResponseAuthentication no     # disables keyboard-interactive (inc. PAM pw)
UsePAM yes                             # keep PAM for other modules (MFA, limits)

# --- Allow only specific users/groups ---
AllowUsers alice bob                    # whitelist specific users
#AllowGroups ssh-users                 # or whitelist a group

# --- Connection limits ---
MaxAuthTries 3                          # lock out after 3 failed attempts
MaxSessions 5                           # max concurrent sessions per connection
LoginGraceTime 30                       # seconds to authenticate before disconnect
ClientAliveInterval 300                 # send keepalive every 5 min
ClientAliveCountMax 2                   # disconnect after 2 missed keepalives (10 min idle)

# --- Features to disable ---
X11Forwarding no                        # X11 forwarding is rarely needed; attack surface
AllowTcpForwarding no                   # disable unless you specifically need port forwarding
AllowStreamLocalForwarding no          # disable Unix socket forwarding
GatewayPorts no                        # prevent binding remote ports on all interfaces
PermitTunnel no                        # disable VPN-like tunnelling
PermitUserEnvironment no               # prevent users overriding env variables

# --- Logging ---
LogLevel VERBOSE                        # log key fingerprints on authentication
SyslogFacility AUTH                   # log to auth facility → /var/log/auth.log

# --- Banner (legal notice) ---
Banner /etc/ssh/ssh-banner.txt         # shown before authentication

# --- Crypto hardening (restrict to modern algorithms) ---
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Ciphers [email protected],[email protected],[email protected]
MACs [email protected],[email protected]
HostKeyAlgorithms ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256

# Test config for syntax errors before reloading
sshd -t

# Reload without dropping existing connections
systemctl reload sshd

# Check what algorithms your sshd currently supports
nmap --script ssh2-enum-algos -p 22 localhost
ssh -Q kex         # list supported key exchange algorithms
ssh -Q cipher      # list supported ciphers
ssh -Q mac         # list supported MACs

---

Client-Side: ~/.ssh/config

The client config saves typing and enforces consistency:

~/.ssh/config

# Default settings for all hosts
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    ConnectTimeout 10
    ControlMaster auto           # connection multiplexing (reuse existing connections)
    ControlPath ~/.ssh/cm_%r@%h:%p
    ControlPersist 10m           # keep master connection alive for 10 min after last session

# Production bastion / jump host
Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes           # only use the specified key; don't try others

# Internal server reached via bastion (ProxyJump - secure alternative to -A)
Host internal-server
    HostName 10.0.0.50
    User alice
    IdentityFile ~/.ssh/id_ed25519_internal
    ProxyJump bastion            # SSH tunnels through bastion transparently

# Server with non-standard port and old RSA keys
Host legacy-host
    HostName legacy.example.com
    Port 2222
    User sysadmin
    IdentityFile ~/.ssh/id_rsa_legacy
    HostKeyAlgorithms +ssh-rsa   # allow legacy RSA if server doesn't support Ed25519

# With config above, connect to internal-server in one command
# (automatically tunnels through bastion)
ssh internal-server

# SCP through jump host (uses ProxyJump from config)
scp -r internal-server:/var/log/app.log ./

# rsync through jump host
rsync -avz -e ssh internal-server:/data/ ./backup/

---

Jump Hosts (Bastion Hosts)

A jump host is a hardened host that sits at a network boundary. All access to internal systems flows through it - creating a single audit point.

Internet
   │
   ▼
[bastion.example.com]   ← only this host has port 22 open to the internet
   │                      hardened, MFA-required, fully logged
   ├──── ssh → internal-web.10.0.0.10
   ├──── ssh → db.10.0.0.20
   └──── ssh → router.10.0.0.1

# ProxyJump (recommended - transparent single command)
ssh -J [email protected] [email protected]

# Multiple hop ProxyJump
ssh -J [email protected],[email protected] [email protected]

# Equivalent via config (cleaner)
Host target
    HostName 10.0.0.10
    ProxyJump bastion

# Old style ProxyCommand (still works, more flexible)
Host target
    ProxyCommand ssh -W %h:%p bastion

Jump Host Hardening

# /etc/ssh/sshd_config on the bastion
AllowTcpForwarding yes          # ProxyJump needs this
GatewayPorts no                # don't bind on all interfaces
PermitOpen internal-web.10.0.0.10:22 db.10.0.0.20:22   # restrict WHICH hosts can be reached
X11Forwarding no
AllowAgentForwarding no        # IMPORTANT on bastion: don't allow agent forwarding

---

Port Forwarding

SSH can tunnel other protocols through an encrypted channel - useful for secure access to services that don’t have their own encryption.

# Local port forwarding - access remote service locally
# Forward localhost:8080 → remote-host:80 (accessed FROM your workstation)
ssh -L 8080:remote-host:80 alice@bastion
# Open browser to http://localhost:8080 → reaches remote-host:80 through ssh tunnel

# Access a database behind a firewall
ssh -L 5432:db.internal:5432 alice@bastion
psql -h localhost -p 5432 -U dbuser mydb   # connects through tunnel

# Remote port forwarding - expose local service to remote host
# Creates port on remote that forwards to your local service
ssh -R 8080:localhost:3000 alice@remote-host
# From remote-host: curl http://localhost:8080 → your local port 3000

# Dynamic port forwarding - SOCKS proxy
# Routes any traffic through the SSH tunnel as a proxy
ssh -D 1080 alice@bastion
# Configure browser SOCKS5 proxy to localhost:1080
# All browser traffic routes through bastion's network

# Persistent tunnel (background, no shell)
ssh -fN -L 5432:db.internal:5432 alice@bastion
# -f = background, -N = don't execute command (tunnel only)

Caution

Port forwarding can bypass firewalls. If AllowTcpForwarding yes is set on a server, users can tunnel arbitrary traffic through it - potentially bypassing network-level controls. On servers that shouldn’t be used as gateways, set AllowTcpForwarding no and PermitOpen none.

---

Session Auditing and Logging

# View SSH login events in auth log
journalctl -u sshd                          # systemd journal
grep "sshd" /var/log/auth.log              # classic syslog

# Failed SSH attempts (brute force monitoring)
grep "Failed password" /var/log/auth.log | awk '{print $9}' | sort | uniq -c | sort -rn | head

# Successful logins with source IP
grep "Accepted" /var/log/auth.log

# Active SSH sessions
who                    # current logged-in users
w                     # users + what they're doing
last | head -20       # recent login history
lastb | head -10      # failed login attempts

# Detailed process auditing with auditd
# Log all commands run in SSH sessions
# /etc/audit/rules.d/sshd-audit.rules:
-a always,exit -F arch=b64 -S execve -k ssh_commands
# Then query:
ausearch -k ssh_commands -ts recent | aureport --exec

tlog - Session Recording

/etc/tlog/tlog-rec-session.conf

# Record complete terminal sessions for compliance/audit
apt install tlog

{
  "writer": "journal",
  "shell": "/bin/bash"
}

# Configure in /etc/pam.d/sshd or /etc/pam.d/login:
session required pam_exec.so /usr/libexec/tlog/tlog-rec-session

# Replay a recorded session
journalctl -o json | tldr replay   # from systemd journal
# or with Teleport (enterprise session recording tool)

---

Multi-Factor Authentication for SSH

MFA adds a TOTP (time-based OTP) requirement on top of key auth:

# Install Google Authenticator PAM module
apt install libpam-google-authenticator

# Run setup for each user
google-authenticator
# Answer Y to all prompts; scan QR code into authenticator app
# Saves secret to ~/.google_authenticator

# Configure PAM to require TOTP
# /etc/pam.d/sshd - add this line BEFORE other auth lines:
auth required pam_google_authenticator.so

# /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes    # needed to prompt for TOTP code
AuthenticationMethods publickey,keyboard-interactive  # require BOTH key + TOTP

systemctl reload sshd

---

Common SSH Security Mistakes

Mistake	Why it’s bad	Fix
Root login enabled	Attacker gets root immediately on credential compromise	PermitRootLogin no
Password auth enabled	Continuous brute-force attacks against password	PasswordAuthentication no
Private key without passphrase	Stolen key file = instant access	Always use passphrase + ssh-agent
Old/weak host keys	DSA keys and small RSA keys are breakable	Remove DSA; use Ed25519 host keys
Agent forwarding to untrusted hosts	Compromised host can use your agent	Use ProxyJump instead; disable AgentForwarding
Permissive AllowTcpForwarding	Creates an uncontrolled tunnel endpoint	AllowTcpForwarding no unless needed
No IP restriction on SSH	Internet-wide brute force access	AllowUsers + firewall to management IPs
Not monitoring auth.log	Silent ongoing brute-force	fail2ban + SIEM alerting
Sharing SSH keys between users	No individual accountability	One key pair per person per purpose
Using same key everywhere	One compromise affects all servers	Separate keys per environment (prod/staging/bastion)