
K4YT3X's Hardened OpenSSH Server Configuration

This repository hosts my hardened configuration file for OpenSSH server (7.4+).

Please review the configuration file carefully before applying it. You are responsible for actions done to your own system.

Usage

  1. Download the file sshd_config from the repository
  2. Review the content of the sshd_config file to make sure all settings are suitable for your system
  3. Backup your current /etc/ssh/sshd_config file
  4. Overwrite the old sshd_config file with the downloaded sshd_config file
  5. Run the appropriate command to restart the SSH service (e.g., sudo systemctl restart ssh)

# download the configuration file from GitHub using curl or other methods
curl https://raw.githubusercontent.com/k4yt3x/sshd_config/master/sshd_config -o ~/sshd_config

# backup the original sshd_config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

# replace the old sshd_config with the new one
sudo mv ~/sshd_config /etc/ssh/sshd_config

# make sure the file has the correct ownership and permissions
sudo chown root:root /etc/ssh/sshd_config
sudo chmod 644 /etc/ssh/sshd_config

# use systemctl to reload the SSH server and apply the new configurations
# on some distributions the SSH server service is called sshd
sudo systemctl restart ssh

For convenience, I have pointed the URL https://k4t.io/sshd to the sshd_config file, so you may download it with the following command. However, be sure to check the integrity of the file after downloading it if you choose this method.

curl -L k4t.io/sshd -o sshd_config

It's recommended to use the ssh-audit script to check the cryptographic strength of your SSH server after you have finished configuring it.

Deactivating Short Diffie-Hellman Moduli

Diffie-Hellman moduli used for diffie-hellman-group-exchange-sha256 should be at least 3072 bits long according to Mozilla's OpenSSH server hardening guide. This can be done with the following commands, run as root (or with sudo) since /etc/ssh/moduli is owned by root.

# backup original moduli file
cp /etc/ssh/moduli /etc/ssh/moduli.backup

# keep lines whose size field ($5) is >= 3071 and save them to moduli.tmp;
# the size column is one less than the nominal group size, so 3071 selects
# the 3072-bit and larger groups
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp

# overwrite original moduli file with the updated one
mv /etc/ssh/moduli.tmp /etc/ssh/moduli
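The same filter as the commands above, wrapped in a small POSIX sh script that keeps the file's comment header, refuses to replace the moduli file when no group qualifies, and reports how many groups survive. This is an added example, not code from the sshd_config repository; the sample moduli file and its hex values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the sshd_config repository: the same moduli
# filter as above, but it keeps the file's comment header, refuses to
# install an empty result, and reports how many groups survive.
#
# /etc/ssh/moduli columns: time type tests tries size generator modulus.
# The size field is one less than the nominal group size (3071 = 3072-bit),
# which is why the threshold in the commands above is 3071, not 3072.

# count_moduli FILE: number of non-comment lines, i.e. usable groups
count_moduli() {
    grep -c -v '^#' "$1" || true   # grep exits 1 on a zero count
}

# filter_moduli SRC DST MIN_SIZE: write the groups of SRC whose size is
# >= MIN_SIZE to DST. Returns 1 and leaves DST untouched if none qualify.
filter_moduli() {
    src=$1; dst=$2; min=$3
    awk -v min="$min" '/^#/ { print; next } $5 >= min { print }' \
        "$src" > "$dst.tmp" || return 2
    if [ "$(count_moduli "$dst.tmp")" -eq 0 ]; then
        rm -f "$dst.tmp"
        echo "no moduli of size >= $min in $src; $dst not replaced" >&2
        return 1
    fi
    mv "$dst.tmp" "$dst"
}

# Constructed sample in moduli(5) layout; the hex moduli are placeholders,
# not real safe primes. On a real system SRC and DST would both be
# /etc/ssh/moduli and the script would run as root.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 2047 2 DEADBEEF
20240101000000 2 6 100 3071 2 DEADBEEF
20240101000000 2 6 100 4095 5 DEADBEEF
EOF

FILTERED=$(mktemp)
if filter_moduli "$SAMPLE" "$FILTERED" 3071; then
    echo "kept $(count_moduli "$FILTERED") of $(count_moduli "$SAMPLE") groups"
fi
```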