Hardening SSH for audit

2021-02-19 | 2 min read | technology | Ronny Trommer

Running a server on the public internet requires some additional work, especially if you want management access via SSH for Ansible, or if you want to break stuff manually by fiddling around :)

You can run an SSH audit of your public server using ssh-audit. This section is a very condensed way to get an A rating.

Only use strong host keys for authentication of the host

# file: /etc/ssh/sshd_config
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

Delete the existing keys and re-generate the RSA and ED25519 host keys. Existing clients will see a changed-host-key warning on their next connection.

cd /etc/ssh
rm ssh_host_*key*
ssh-keygen -t ed25519 -q -N "" -f ssh_host_ed25519_key
ssh-keygen -t rsa -b 4096 -q -N "" -f ssh_host_rsa_key

Restrict supported key exchange, cipher, and MAC algorithms

# sshd_config must contain "Include /etc/ssh/sshd_config.d/*.conf" (OpenSSH 8.2+) for this drop-in to be read
cat <<'EOF' > /etc/ssh/sshd_config.d/ssh-audit_hardening.conf

# Restrict key exchange, cipher, and MAC algorithms, as per
# hardening guide.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
EOF

Remove small Diffie-Hellman moduli

cp /etc/ssh/moduli /etc/ssh/moduli.backup
# the 5th field is the prime size in bits minus one, so this keeps 6144-bit groups and larger;
# moduli.safe is only a temporary file name
awk '$5 > 4095' /etc/ssh/moduli > /etc/ssh/moduli.safe
mv /etc/ssh/moduli.safe /etc/ssh/moduli

If there is no moduli file, you can create it (this may take hours)

# -G generates candidate primes, -T screens them for safe primes
ssh-keygen -G /etc/ssh/moduli.all -b 4096
ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
mv /etc/ssh/moduli.safe /etc/ssh/moduli
rm /etc/ssh/moduli.all
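As an added example (not part of the original post), here is a small POSIX shell check of what the awk filter above actually keeps: in /etc/ssh/moduli the fifth field is the prime size in bits minus one (2047 for a 2048-bit group, 4095 for 4096-bit), so a '$5 > 4095' filter keeps only 6144-bit and larger groups. The moduli lines are constructed with fake modulus values, not real primes.

```shell
#!/bin/sh
# Added example: inspect what a moduli size filter keeps.
# Constructed sample of /etc/ssh/moduli; the last field is a fake modulus.
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20210219000000 2 6 100 2047 2 DEADBEEF01
20210219000000 2 6 100 3071 2 DEADBEEF02
20210219000000 2 6 100 4095 2 DEADBEEF03
20210219000000 2 6 100 6143 5 DEADBEEF04
20210219000000 2 6 100 8191 2 DEADBEEF05'

# Apply the same filter as the post ("$5 > threshold") to moduli on stdin.
filter_moduli() {
    min_size="$1"
    awk -v min="$min_size" '$5 > min'
}

# Number of DH groups (non-comment lines) that survive a given threshold.
count_kept() {
    printf '%s\n' "$SAMPLE_MODULI" | filter_moduli "$1" \
        | awk '!/^#/ { n++ } END { print n + 0 }'
}

# Smallest surviving group size in bits (size field + 1); 0 if none survive.
smallest_kept_bits() {
    printf '%s\n' "$SAMPLE_MODULI" | filter_moduli "$1" \
        | awk 'BEGIN { m = 0 } !/^#/ { if (m == 0 || $5 + 1 < m) m = $5 + 1 } END { print m }'
}

# With the post's threshold only the 6144- and 8192-bit groups remain.
printf 'groups kept with > 4095: %s (smallest %s bits)\n' \
    "$(count_kept 4095)" "$(smallest_kept_bits 4095)"
```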

Restart OpenSSH server

systemctl restart sshd

Clients should use strong encryption

# file: /etc/ssh/ssh_config
HashKnownHosts yes
ConnectTimeout 30
ServerAliveInterval 10
ControlMaster auto
ControlPersist yes
ControlPath ~/.ssh/socket-%r@%h:%p

For more details on hardening SSH, I've found the following articles useful: