
K4YT3X's Hardened OpenSSH Server Configuration

License: GNU General Public License v3.0 (GPL-3.0)

IceCodeNew's Hardened OpenSSH Server Configuration

This repository hosts my hardened configuration file for OpenSSH server (version 7.4 and later).

Please review the configuration file carefully before applying it. You are responsible for the changes you make to your own system.

Usage

  1. Download the file sshd_config from the repository
  2. Review the content of the sshd_config file to make sure all settings are suitable for your system
  3. Backup your current /etc/ssh/sshd_config file
  4. Overwrite the old sshd_config file with the downloaded sshd_config file
  5. Run the appropriate command to restart the SSH service (e.g., sudo systemctl restart ssh)

# download the configuration file from GitHub using curl or other methods
# -f makes curl fail on an HTTP error instead of saving the error page as sshd_config;
# -q (ignore ~/.curlrc) only takes effect when it is the first option on the command line
cd ~ || exit 1
curl -q -fLROJ --retry 5 --retry-delay 10 --retry-max-time 60 'https://raw.githubusercontent.com/IceCodeNew/sshd_config/master/sshd_config'

# backup the original sshd_config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

# replace the old sshd_config with the new one
# install also makes sure the file has the correct ownership and permissions
sudo install -o root -g root -m 644 ~/sshd_config /etc/ssh/sshd_config
rm ~/sshd_config

# before restarting, check the installed file for syntax errors with: sudo sshd -t
# (a configuration that fails to parse would leave the server unable to start)
# use systemctl to restart the SSH server and apply the new configuration
# on some distributions the SSH server service is called sshd
sudo systemctl restart ssh

For convenience, I have pointed the URL https://akas.io/sshd to the sshd_config file. You may therefore download the sshd_config file with the following command. However, be sure to check the integrity of the file after downloading it if you choose to download using this method.

curl -fsSL akas.io/sshd -o sshd_config

It is recommended to run the ssh-audit script against your SSH server after you have finished configuring it, to check the cryptographic strength of the offered algorithms.

Deactivating Short Diffie-Hellman Moduli

Diffie-Hellman moduli used for diffie-hellman-group-exchange-sha256 should be at least 3072 bits long according to Mozilla's OpenSSH server hardening guide. The shorter moduli can be removed from /etc/ssh/moduli with the following commands.

# run these commands as root: the shell redirection in the awk line below
# is performed by your own shell, so prefixing awk with sudo is not enough

# backup original moduli file
cp /etc/ssh/moduli /etc/ssh/moduli.backup

# keep only lines whose size field (5th column) is >= 3071 and save them to moduli.tmp
# the size field is one less than the bit length of the group, so 3071 selects the 3072-bit groups and larger
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp

# overwrite original moduli file with the updated one
mv /etc/ssh/moduli.tmp /etc/ssh/moduli
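A more careful variant of the filter above, added here as an example and not code from the repository: it keeps the header comment lines, retains only safe-prime (type 2) entries of the required size, refuses to produce an empty moduli file, and reports how many entries were kept and dropped so the result can be reviewed before it is installed. The sample moduli are constructed (the hex values are not real primes), and MIN_SIZE and filter_moduli are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the sshd_config repository.
# Filters a moduli(5) file: keeps comment lines, keeps safe-prime entries
# (type 2, the only type sshd uses for group exchange) whose size field is
# >= MIN_SIZE, refuses to write an empty result, and reports kept/dropped.
# The size field is one less than the group's bit length (3071 for the
# 3072-bit groups), which is why the threshold for "3072 bits" is 3071.
set -u

MIN_SIZE=3071

# filter_moduli SRC DST [MIN]: write the filtered file to DST and print
# "<kept> <dropped>"; return 1 and leave DST untouched if nothing survives.
filter_moduli() {
    src=$1; dst=$2; min=${3:-$MIN_SIZE}
    tmp="$dst.tmp"
    awk -v min="$min" '
        /^#/ { print; next }                        # keep comment lines
        NF >= 7 && $2 == 2 && $5 >= min { print }   # time type tests tries size gen modulus
    ' "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    kept=$(grep -cEv '^(#|$)' "$tmp" || true)
    total=$(grep -cEv '^(#|$)' "$src" || true)
    if [ "$kept" -eq 0 ]; then
        rm -f "$tmp"
        echo "no moduli with size >= $min in $src; $dst left untouched" >&2
        return 1
    fi
    mv "$tmp" "$dst"
    echo "$kept $((total - kept))"
}

# Constructed sample in moduli(5) format (fake hex moduli, not real primes):
# two entries are 3072 bits or larger, two are too short, one is not a safe prime.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 2047 2 FFFFFFFFFFFFFFFFC90FDAA2
20240101000000 2 6 100 3071 2 FFFFFFFFFFFFFFFFC90FDAA2
20240101000000 2 6 100 4095 5 FFFFFFFFFFFFFFFFC90FDAA2
20240101000000 4 6 100 8191 2 FFFFFFFFFFFFFFFFC90FDAA2
20240101000000 2 6 100 1023 2 FFFFFFFFFFFFFFFFC90FDAA2
EOF
OUT=$(mktemp)
filter_moduli "$SAMPLE" "$OUT"    # prints: 2 3
```

To apply it to a real system, run it as root with SRC=/etc/ssh/moduli and a DST in /etc/ssh, then inspect the counts before moving the result over the original (after the backup step above).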