Important Notes:
- These settings apply to modern OpenSSH in general, so they apply to any system that runs OpenSSH. However, the paths and commands used in this tutorial might be specific to FreeBSD. Please adjust them for your system (Linux, etc.).
- Crypto (and security in general) is complicated and can sometimes be subjective. I disabled some of the cryptos that I personally do not trust (this is why), but that aren’t necessarily insecure. Do your research before applying these settings.
Introduction
The default sshd configuration is not the most secure, for the sake of backward compatibility. Unless you are running a 10-year-old SSH client, you may want to consider improving the default configuration.
If you are security paranoid (and you should be), you have to start by disabling less secure and less trusted crypto (ciphers, MACs and KexAlgorithms).
To list supported crypto, use ssh -Q cipher, ssh -Q kex and ssh -Q mac.
Audit your SSH server
You may use an online service like sshcheck.com or a command-line tool like SSHScan (originally by evict).
$ ./sshscan.py sdf.org
[*] Initiating scan for sdf.org on port 22
[*] Connected to sdf.org on port 22...
[+] Target SSH version is: SSH-2.0-OpenSSH_8.0
[+] Retrieving ciphers...
[+] Detected ciphers:
aes128-ctr aes256-ctr
aes128-gcm@openssh.com aes256-gcm@openssh.com
aes192-ctr chacha20-poly1305@openssh.com
[+] Detected KEX algorithms:
curve25519-sha256 diffie-hellman-group16-sha512
curve25519-sha256@libssh.org diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256
diffie-hellman-group14-sha1 ecdh-sha2-nistp384
diffie-hellman-group14-sha256 ecdh-sha2-nistp521
[+] Detected MACs:
hmac-sha1 hmac-sha2-512-etm@openssh.com
hmac-sha1-etm@openssh.com umac-128-etm@openssh.com
hmac-sha2-256 umac-128@openssh.com
hmac-sha2-256-etm@openssh.com umac-64-etm@openssh.com
hmac-sha2-512 umac-64@openssh.com
[+] Detected HostKey algorithms:
rsa-sha2-256 ssh-ed25519
rsa-sha2-512 ssh-rsa
[-] No weak ciphers detected!
[+] Detected weak KEX algorithms:
diffie-hellman-group14-sha1 ecdh-sha2-nistp384
ecdh-sha2-nistp256 ecdh-sha2-nistp521
[+] Detected weak MACs:
hmac-sha1 umac-64-etm@openssh.com
hmac-sha1-etm@openssh.com umac-64@openssh.com
[-] No weak HostKey algorithms detected!
[-] Compression is *not* enabled
As a bonus, both tools give you the list of weak algorithms that you may want to disable.
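I usually modify the default sshd configuration file to disable unwanted ciphers and tweak some of the defaults. These are the modifications I make to /etc/ssh/sshd_config on a FreeBSD or Linux machine. You may add them to the bottom of the existing sshd configuration file to override the default settings. sshd uses the first value it finds for each keyword, so a keyword that is already set (uncommented) earlier in the file takes precedence over a line added at the bottom.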
## Hardening
UseDNS no
VersionAddendum pancho
PasswordAuthentication no
PermitRootLogin prohibit-password
LogLevel VERBOSE
AuthenticationMethods publickey
# more logging for sftp sessions
Subsystem sftp /usr/libexec/sftp-server -f AUTHPRIV -l INFO
# algorithms
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
Then run sshd -T to confirm the settings. You may need to comment out the existing sftp subsystem configuration.
Reload the sshd service:
# service sshd reload
And scan using sshcheck.com or SSHScan.
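One way to check the sshd -T output against the algorithm lists in the config above before reloading, as an added example that is not part of the original post. ALLOWED, parse_effective, audit and SAMPLE are names made up here, and SAMPLE is constructed output, not taken from a real host.

```python
# Added example: compare `sshd -T` output with the algorithm lists from the
# config above. ALLOWED, parse_effective, audit and SAMPLE are illustrative names.
ALLOWED = {
    "kexalgorithms": "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256",
    "macs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
            "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com",
    "ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,"
               "aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr",
}

def parse_effective(text):
    """Return {keyword: [values]} for each 'keyword value' line of `sshd -T` output."""
    conf = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        conf[key.lower()] = [v for v in value.strip().split(",") if v]
    return conf

def audit(text):
    """Return {keyword: [offending algorithms]}; an empty dict means the lists match."""
    conf, findings = parse_effective(text), {}
    for key, allowed in ALLOWED.items():
        if key not in conf:
            findings[key] = ["<keyword missing from output>"]
            continue
        extra = [a for a in conf[key] if a not in allowed.split(",")]
        if extra:
            findings[key] = extra
    # Rule of thumb from the page: nothing with DSA or ECDSA in its name
    # (ssh-dss is OpenSSH's name for DSA host keys).
    dsa = [a for a in conf.get("hostkeyalgorithms", []) if "dsa" in a or "dss" in a]
    if dsa:
        findings["hostkeyalgorithms"] = dsa
    return findings

# Constructed sample, shaped like `sshd -T` output (lowercase keyword, then value).
SAMPLE = """\
passwordauthentication no
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
macs hmac-sha2-512-etm@openssh.com,hmac-sha1,umac-64@openssh.com
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
hostkeyalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512
"""

if __name__ == "__main__":
    for keyword, algos in audit(SAMPLE).items():
        print(f"{keyword}: {', '.join(algos)}")
```

On a live host, pass the real sshd -T output to audit() instead of SAMPLE; anything it returns is still enabled despite the config change, usually because an earlier line in the file set the same keyword.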
As a rule of thumb:
- Do not use anything with DSA or ECDSA in its name.
- Ed25519 is mathematically strong and fast. Choose it if you have the option.
- RSA is still considered safe, but your key should be at least 3072 bits long.