On many vulnerability scans we see SSH being reported as a medium risk vulnerability due to insecure ciphers and poor configurations. In penetration tests we often find we are able to use SSH once we have a set of user credentials, especially where the service is linked through to a centralised password management solution such as Active Directory.
To aid in remediation, here is Peter Bassill’s recommended SSH configuration:
Port 22 KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers aes256-ctr MACs firstname.lastname@example.org,email@example.com,hmac-sha2-512,hmac-sha2-256 Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation sandbox KeyRegenerationInterval 3600 ServerKeyBits 1024 SyslogFacility AUTH LogLevel INFO
LoginGraceTime 60 PermitRootLogin no AllowUsers [insert named individuals who actually need SSH access] StrictModes yes RSAAuthentication yes PubkeyAuthentication yes IgnoreRhosts yes RhostsRSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no
X11Forwarding no X11DisplayOffset 10 PrintMotd yes PrintLastLog yes TCPKeepAlive yes Banner /etc/banner AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes