Many people use the default configs, keys, moduli, etc. from their hosters or distributions, which is not a good idea. So I created this guide to secure your SSH service. It's not about PHP performance, but it helps you improve the security of your servers.
What we do:
- block all ports for incoming traffic
- use knockd to open the SSH port only when it's needed
- create secure keys and moduli
- restrict key exchange protocols
- restrict ciphers used to encrypt the data
- restrict message authentication codes used to ensure integrity
- restrict openssh to those features you really need
- use keys files for client authentication
1. Block the SSH port using ufw
```
# block ALL ports for incoming traffic
# (ufw's default policy denies incoming connections once it is enabled)
ufw enable
# rate-limit connection attempts to the SSH port
# (note: "limit" still permits throttled connections to port 22; the
# per-IP rules added by knockd in step 2 sit on top of this)
ufw limit 22/tcp
```
More information about ufw and connection rate limiting can be found here.
2. Install knockd
```
apt-get install knockd
```
```
# vi /etc/knockd.conf
# open port 22 for a single IP when the opening sequence is received
# and close it again when cmd_timeout (10 seconds here) expires;
# a session established in the meantime stays up, since ufw accepts
# established connections
[options]
    UseSyslog

[openCloseSSH]
    sequence      = 5449:tcp,4158:tcp,5812:tcp,6947:udp
    seq_timeout   = 5
    tcpflags      = syn
    start_command = ufw allow from %IP% to any port 22
    cmd_timeout   = 10
    stop_command  = ufw delete allow from %IP% to any port 22

# Note: choose some random port numbers for the opening sequence
```
```
# vi /etc/default/knockd
# enable knockd daemon
START_KNOCKD=1
```

```
# start knockd daemon
/etc/init.d/knockd start
```
More information about knockd can be found here.
3. Secure your SSH config
This step takes a few more actions; I recommend following this guide:
Depending on your personal needs, you might also disable the 128/192-bit ciphers "aes192-ctr" and "aes128-ctr" and the MACs "email@example.com" and "firstname.lastname@example.org". Using Tor hidden services is also up to you.
I also recommend these settings in sshd_config:
```
# vi /etc/ssh/sshd_config
# seconds a client has to authenticate before the connection is dropped
LoginGraceTime 20
# every key the client offers counts as one attempt, so make sure your
# client presents only the right key (e.g. IdentitiesOnly in ssh_config)
MaxAuthTries 1
AllowTcpForwarding no
X11Forwarding no
# disable sftp
# Subsystem sftp /usr/lib/openssh/sftp-server
```
More information about sshd_config can be found here.
4. Verify your configs
```
# check the config for syntax errors
sshd -t
# dump the effective configuration (after defaults and Match blocks)
sshd -T
# list the firewall rules ufw installed
iptables -L
# show the host key fingerprints so you can verify them from the client side
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key
```
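As an added example (not part of this guide), here is a small POSIX shell audit that checks an sshd_config file, or the output of `sshd -T`, for the directives recommended in step 3. It mirrors sshd's own rules: the first occurrence of a directive wins and keywords are case-insensitive. `PasswordAuthentication no` is an assumed addition that follows from using key files for client authentication; the remaining directives are the ones from the guide. Match blocks are not handled, so feed it `sshd -T` output when you want the effective values. The two sample configs are constructed inline so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of the guide: audit an sshd_config (or "sshd -T"
# output) for the hardening directives from step 3. sshd takes the FIRST
# occurrence of a directive and matches keywords case-insensitively, so the
# lookup below does the same. Match blocks are not handled.
# "PasswordAuthentication no" is an assumed addition (key-based auth only).

# Print the effective value of one directive (first match wins), empty if unset.
# usage: sshd_value FILE DIRECTIVE
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Check every "Directive expected" pair; print one FAIL line per mismatch.
# Returns 0 when the file passes, 1 otherwise.
# usage: audit_sshd_config FILE
audit_sshd_config() {
    cfg="$1"
    rc=0
    while read -r directive expected; do
        actual="$(sshd_value "$cfg" "$directive")"
        if [ "$actual" != "$expected" ]; then
            echo "FAIL $directive: expected '$expected', found '${actual:-<unset>}'"
            rc=1
        fi
    done <<EOF
LoginGraceTime 20
MaxAuthTries 1
AllowTcpForwarding no
X11Forwarding no
PasswordAuthentication no
EOF
    # The sftp subsystem must not be active (a commented-out line is fine).
    if [ -n "$(sshd_value "$cfg" Subsystem)" ]; then
        echo "FAIL Subsystem: a subsystem (sftp) is still enabled"
        rc=1
    fi
    return "$rc"
}

# Constructed sample configs so the script runs stand-alone.
HARDENED_CFG="$(mktemp)"
DEFAULT_CFG="$(mktemp)"
trap 'rm -f "$HARDENED_CFG" "$DEFAULT_CFG"' EXIT

cat > "$HARDENED_CFG" <<'EOF'
# constructed sample: follows the guide
Port 22
LoginGraceTime 20
MaxAuthTries 1
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
# disable sftp
# Subsystem sftp /usr/lib/openssh/sftp-server
EOF

cat > "$DEFAULT_CFG" <<'EOF'
# constructed sample: typical distribution defaults
Port 22
LoginGraceTime 120
PasswordAuthentication yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

if audit_sshd_config "$HARDENED_CFG"; then
    echo "hardened sample: OK"
fi
if ! audit_sshd_config "$DEFAULT_CFG"; then
    echo "default sample: not hardened (see FAIL lines above)"
fi
```

On a live host, run `sshd -T > /tmp/effective.conf && audit_sshd_config /tmp/effective.conf` after editing, so that a directive you added below an earlier default (which sshd would ignore) shows up as a FAIL rather than going unnoticed.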
5. Restart SSH service
6. Test SSH connection
```
# use the random ports chosen in knockd.conf, in the same order
knock <your-server-ip> 5449:tcp
knock <your-server-ip> 4158:tcp
knock <your-server-ip> 5812:tcp
knock <your-server-ip> 6947:udp
# the whole sequence has to arrive within seq_timeout (5 seconds)
ssh -p 22 <your-user>@<your-server-ip>
# check /var/log/syslog to verify knockd functionality
```
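To make the syslog check from step 6 repeatable, here is an added example (not part of the guide) that summarises knockd activity: how often an IP completed the sequence, how often it started one, and which IPs started a sequence but never finished it (a client with the wrong sequence, or someone probing the knock ports). The log lines are constructed to resemble knockd's syslog messages (`<ip>: <rule>: Stage N`, `<ip>: <rule>: OPEN SESAME`, `running command: ...`); compare them with your own `/var/log/syslog` before relying on the exact wording.

```shell
#!/bin/sh
# Added example, not part of the guide: summarise knockd activity from syslog.
# The log lines below are CONSTRUCTED to resemble knockd's syslog messages;
# verify the format against your own /var/log/syslog first.
# usage on a real host: knock_incomplete /var/log/syslog

KNOCK_LOG="$(mktemp)"
trap 'rm -f "$KNOCK_LOG"' EXIT
cat > "$KNOCK_LOG" <<'EOF'
Mar  1 10:00:01 host knockd: 203.0.113.10: openCloseSSH: Stage 1
Mar  1 10:00:01 host knockd: 203.0.113.10: openCloseSSH: Stage 2
Mar  1 10:00:02 host knockd: 203.0.113.10: openCloseSSH: Stage 3
Mar  1 10:00:02 host knockd: 203.0.113.10: openCloseSSH: Stage 4
Mar  1 10:00:02 host knockd: 203.0.113.10: openCloseSSH: OPEN SESAME
Mar  1 10:00:02 host knockd: openCloseSSH: running command: ufw allow from 203.0.113.10 to any port 22
Mar  1 10:00:12 host knockd: openCloseSSH: running command: ufw delete allow from 203.0.113.10 to any port 22
Mar  1 10:05:40 host knockd: 198.51.100.7: openCloseSSH: Stage 1
Mar  1 10:05:41 host knockd: 198.51.100.7: openCloseSSH: Stage 2
Mar  1 10:06:30 host knockd: 198.51.100.7: openCloseSSH: Stage 1
EOF

# Number of completed sequences (port opened) for one IP.
# usage: knock_opens LOGFILE IP
knock_opens() {
    grep -F "knockd: $2: " "$1" | grep -c "OPEN SESAME" || true
}

# Number of sequences one IP started (first knock matched).
# usage: knock_starts LOGFILE IP
knock_starts() {
    grep -F "knockd: $2: " "$1" | grep -c "Stage 1$" || true
}

# IPs that started a sequence but never completed one, one per line, sorted.
# usage: knock_incomplete LOGFILE
knock_incomplete() {
    awk '
        match($0, /knockd: [0-9.]+: [^:]+: (Stage 1|OPEN SESAME)/) {
            s = substr($0, RSTART, RLENGTH)
            split(s, p, ": ")          # p[2] = ip, p[4] = event
            if (p[4] == "Stage 1") started[p[2]] = 1
            else                   opened[p[2]] = 1
        }
        END { for (ip in started) if (!(ip in opened)) print ip }
    ' "$1" | sort
}

echo "completed sequences from 203.0.113.10: $(knock_opens "$KNOCK_LOG" 203.0.113.10)"
echo "started sequences from 198.51.100.7:   $(knock_starts "$KNOCK_LOG" 198.51.100.7)"
echo "IPs with incomplete sequences:"
knock_incomplete "$KNOCK_LOG"
```

A successful test from step 6 shows up as exactly one "OPEN SESAME" for your client IP followed by the `ufw allow` and, cmd_timeout seconds later, the `ufw delete` command; an IP that keeps appearing in the incomplete list without ever opening the port is worth a closer look.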
- To change the SSH port from 22 to another port, simply replace "22" throughout this guide (ufw rules, knockd.conf and the test commands) and in your /etc/ssh/sshd_config
- This guide is written for Ubuntu 15.10