fix(ssh): define useful ways for hardening

2026-02-08 21:34:25 +00:00 · 2024-09-30 19:08:16 +02:00
parent 520807f6cc
commit 59397fd100
3 changed files with 105 additions and 26 deletions
--- a/knocking.md
+++ b/knocking.md
@@ -1,14 +1,16 @@
 # Set up port knocking

 Technique where a daemon keeps listening on specific ports for a specific sequence of connections.<br/>
-When the correct sequence is used, the daemon issues a configured command, usually to open a defined port for the client only.
+When the correct sequence is used, the daemon issues a configured command, usually to open a defined port for the client
+only.

 This is frequently used to open the SSH port in a server for a specific client.

 See [Knockd].

 <!--
-  References
+  Reference
+  ═╬═Time══
  -->

 <!-- Knowledge base -->
--- a/base/ssh.md
+++ b/base/ssh.md
@@ -8,10 +8,9 @@
   1. [Optimize connection handling](#optimize-connection-handling)
   1. [Integrate with GnuPG](#integrate-with-gnupg)
 1. [Server configuration](#server-configuration)
-   1. [Change port](#change-port)
-   1. [Disable password authentication](#disable-password-authentication)
-   1. [Permit root login](#permit-root-login)
+   1. [Change listening port](#change-listening-port)
   1. [Conditional blocks](#conditional-blocks)
+   1. [Hardening](#hardening)
 1. [SSHFS](#sshfs)
   1. [Installation](#installation)
 1. [Troubleshooting](#troubleshooting)
@@ -293,35 +292,108 @@ Include /usr/etc/ssh/sshd_config.d/*.conf
 This avoids issues from updates overwriting the default file and allows user configurations to override defaults in a
 cleaner way.

-### Change port
+### Change listening port

 ```ssh-config
 Port 2222
 ```

-### Disable password authentication
-
-```ssh-config
-PasswordAuthentication no
-ChallengeResponseAuthentication no
-```
-
-### Permit root login
-
-```ssh-config
-PermitRootLogin yes
-```
-
 ### Conditional blocks

-> Only a subset of keywords may be used in a _Match_ block. Check the [`SSHD_CONFIG(5)`][sshd_config man page] man page.
+> Only a subset of keywords may be used in a _Match_ block.<br/>
+> Check the [`SSHD_CONFIG(5)`][sshd_config man page] man page for more information.

 ```ssh-config
 Match Address 192.168.111.0/24
    PasswordAuthentication no
    PermitRootLogin no
+Match User ashley
+    AllowUsers ashley@203.0.113.1
 ```

+### Hardening
+
+Don't bother changing the SSH port from the default `22` value unless you require it for other purposes.<br/>
+Security through obscurity is utterly ineffective and can create issues with tools expecting standard usage
+<sup>
+[1][Why I don't change SSH from port 22],
+[2][Security Through Obscurity (STO): History, Criticism & Risks]
+</sup>.
+
+Suggestions:
+
+- Disable `root` login:
+
+  ```ssh-config
+  PermitRootLogin no
+  ```
+
+  Or limit it to keys:
+
+  ```ssh-config
+  PermitRootLogin prohibit-password
+  ```
+
+- Limit the maximum number of authentication attempts for any login session:
+
+  ```ssh-config
+  MaxAuthTries 3
+  ```
+
+- Limit the amount of time user have to complete authentication after the initial connection:
+
+  ```ssh-config
+  LoginGraceTime 20
+  ```
+
+- Disable authentication with empty passwords:
+
+  ```sh
+  PermitEmptyPasswords no
+  ```
+
+- Disable password authentication altogether:
+
+  ```ssh-config
+  PasswordAuthentication no
+  ```
+
+- Restrict authentication options to keys:
+
+  ```ssh-config
+  ChallengeResponseAuthentication no
+  ```
+
+- Disable other authentication methods if not used:
+
+  ```ssh-config
+  ChallengeResponseAuthentication no
+  KerberosAuthentication no
+  GSSAPIAuthentication no
+  ```
+
+- Disable other features if not used:
+
+  ```ssh-config
+  AllowAgentForwarding no
+  AllowTcpForwarding no
+  PermitTunnel no
+  X11Forwarding no
+  ```
+
+- Restrict login to specific IP addresses:
+
+  ```ssh-config
+  AllowUsers*@203.0.113.1 *@203.0.113.2 *@192.0.2.0/24 *@172.16.*.1 sammy@203.0.113.1 alex@203.0.113.2
+  Match User ashley
+      AllowUsers ashley@203.0.113.1
+  ```
+
+- Temporarily block IPs after repeated authentication failures.<br/>
+  See [fail2ban].
+
+- [Set up port knocking].
+
 ## SSHFS

 Notable options:
@@ -388,6 +460,7 @@ Solution: update the SSH server.
 - [`sshd_config` example][sshd_config example]
 - [ssh-agent]
 - [Use GPG keys for SSH authentication]
+- [Security Through Obscurity (STO): History, Criticism & Risks]

 ### Sources

@@ -402,6 +475,8 @@ Solution: update the SSH server.
 - [Restrict SSH login to a specific IP or host]
 - [Stick with security: YubiKey, SSH, GnuPG, macOS]
 - [How to check if an RSA public / private key pair match]
+- [Why I don't change SSH from port 22]
+- [How To Harden OpenSSH on Ubuntu 20.04]

 <!--
  Reference
@@ -410,6 +485,7 @@ Solution: update the SSH server.

 <!-- Knowledge base -->
 [use gpg keys for ssh authentication]: gnupg.md#use-gpg-keys-for-ssh-authentication
+[set up port knocking]: set%20up%20port%20knocking.md

 <!-- Files -->
 [ssh_config example]: ../examples/ssh/ssh_config
@@ -422,14 +498,18 @@ Solution: update the SSH server.
 [sshd_config man page]: https://man.openbsd.org/sshd_config

 <!-- Others -->
+[fail2ban]: https://github.com/fail2ban/fail2ban
 [get started with openssh for windows]: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui
 [how to check if an rsa public / private key pair match]: https://serverfault.com/questions/426394/how-to-check-if-an-rsa-public-private-key-pair-match#426429
 [how to enable ssh access using a gpg key for authentication]: https://opensource.com/article/19/4/gpg-subkeys-ssh
+[how to harden openssh on ubuntu 20.04]: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04
 [how to list keys added to ssh-agent with ssh-add?]: https://unix.stackexchange.com/questions/58969/how-to-list-keys-added-to-ssh-agent-with-ssh-add
 [how to perform hostname canonicalization]: https://sleeplessbeastie.eu/2020/08/24/how-to-perform-hostname-canonicalization/
 [how to reuse ssh connection to speed up remote login process using multiplexing]: https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection/
 [multiple similar entries in ssh config]: https://unix.stackexchange.com/questions/61655/multiple-similar-entries-in-ssh-config
 [restrict ssh login to a specific ip or host]: https://docs.rackspace.com/support/how-to/restrict-ssh-login-to-a-specific-ip-or-host/
+[security through obscurity (sto): history, criticism & risks]: https://www.okta.com/uk/identity-101/security-through-obscurity/
 [stick with security: yubikey, ssh, gnupg, macos]: https://evilmartians.com/chronicles/stick-with-security-yubikey-ssh-gnupg-macos
 [use sshfs to mount a remote directory as a volume on osx]: https://benohead.com/mac-os-x-use-sshfs-to-mount-a-remote-directory-as-a-volume/
 [using the ssh config file]: https://linuxize.com/post/using-the-ssh-config-file/
+[why i don't change ssh from port 22]: https://www.youtube.com/watch?v=Fzt5dqaIMYc
--- a/base/turris
+++ b/base/turris
@@ -464,12 +464,9 @@ uci commit 'dhcp' && reload_config && luci-reload

 ## Hardening

-Suggestions:
+See:

- [SSH]:
-  - Change the SSH port from the default `22` value.
-  - Restrict login to specific IP addresses.
-  - Restrict authentication options to keys.
+- [SSH hardening].

 ## The SFP+ caged module

@@ -577,7 +574,7 @@ All the references in the [further readings] section, plus the following:
 [openwrt]: openwrt.md
 [opkg]: opkg.md
 [pi-hole]: pi-hole.md
-[ssh]: ssh.md
+[ssh hardening]: ssh.md#hardening
 [uci]: uci.md

 <!-- Upstream -->