Important Notes:

  • These settings apply to modern OpenSSH in general, so it applies to any system that runs OpenSSH. However the paths and commands used in this tutorial might be specific to FreeBSD. Please adjust them for your system (Linux, etc).
  • Crypto (and security is general) is complicated and could sometimes be subjective. I disabled some of the cryptos that I personally do not trust (this is why), but aren’t necessarily insecure. Do your research before applying these settings.

Introduction

The default sshd configuration is not the most secure for sake of backward compatibility. Unless you are running a 10 years old SSH client, you may want to consider improving the default configuration.

If you are security paranoid (and you should be), you have to start by disabling less secure and less trusted crypto (ciphers1, MACs2 and KexAlgorithms3).

To list supported crypto, use ssh -Q cipher , ssh -Q kex and ssh -Qmac.

Audit your SSH server

You may use an online server like sshcheck.com or a command-line tool like SSHScan (originally by evict).

$ ./sshscan.py sdf.org
[*] Initiating scan for sdf.org on port 22
[*] Connected to sdf.org on port 22...
    [+] Target SSH version is: SSH-2.0-OpenSSH_8.0
    [+] Retrieving ciphers...
    [+] Detected ciphers:
          aes128-ctr                           aes256-ctr
          aes128-gcm@openssh.com               aes256-gcm@openssh.com
          aes192-ctr                           chacha20-poly1305@openssh.com
    [+] Detected KEX algorithms:
          curve25519-sha256                    diffie-hellman-group16-sha512
          curve25519-sha256@libssh.org         diffie-hellman-group18-sha512
          diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256
          diffie-hellman-group14-sha1          ecdh-sha2-nistp384
          diffie-hellman-group14-sha256        ecdh-sha2-nistp521
    [+] Detected MACs:
          hmac-sha1                            hmac-sha2-512-etm@openssh.com
          hmac-sha1-etm@openssh.com            umac-128-etm@openssh.com
          hmac-sha2-256                        umac-128@openssh.com
          hmac-sha2-256-etm@openssh.com        umac-64-etm@openssh.com
          hmac-sha2-512                        umac-64@openssh.com
    [+] Detected HostKey algorithms:
          rsa-sha2-256                         ssh-ed25519
          rsa-sha2-512                         ssh-rsa
    [-] No weak ciphers detected!
    [+] Detected weak KEX algorithms:
          diffie-hellman-group14-sha1          ecdh-sha2-nistp384
          ecdh-sha2-nistp256                   ecdh-sha2-nistp521
    [+] Detected weak MACs:
          hmac-sha1                            umac-64-etm@openssh.com
          hmac-sha1-etm@openssh.com            umac-64@openssh.com
    [-] No weak HostKey algorithms detected!
    [-] Compression is *not* enabled

As a bonus, both tools give you the list of weak algorithms that you may want to disable.

I usually modify the default sshd configuration file to disable unwanted ciphers and tweak some of the defaults. These are the modification I make to /etc/ssh/sshd_config on a FreeBSD or Linux machine. You may add them to the bottom of existing sshd configuration file to override the default settings.

## Hardening
UseDNS no
VersionAddendum pancho
PasswordAuthentication no
PermitRootLogin prohibit-password
LogLevel VERBOSE
AuthenticationMethods publickey

# more logging for sftp sessiosn
Subsystem sftp /usr/libexec/sftp-server -f AUTHPRIV -l INFO

# algorithms
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256

Then run sshd -T to confirm the settings. You may need to comment the existing sftp subsystem configuration.

Reload sshd service:

# service sshd reload

And scan using sshcheck.com or SSHScan.

As rule of thumb:

  • Do no use anything with DSA or ECDSA in its name.
  • Ed25519 is mathematically strong and fast. Choose it if you have the option.
  • RSA is still considered safe, but your key should be at least 3072 bites long.

  1. Encryption methods that secure the connection itself ↩︎

  2. Message Authentication Codes are used to detect traffic modification ↩︎

  3. Key exchange methods that are used to generate per-connection keys ↩︎