Basic Primer for Securing SSH

(Super Secure) Secure Shell Simplified

Key Exchange is Important for Secure SSH
Key Exchange is Important for Secure SSH

Let’s face it, securing Secure Shell (or SSH) can be about as confusing as the plot of the movie Primer. But, like the movie, it’s worth the effort. Although you can find a full guide on secure secure shell online, we’re going to give you an overview of some of the best practices you need to follow if you really want to be secure when using SSH. You might be surprised at how easy it is to listen in if it’s not set up correctly.

Best Practices for Securing SSH

Here is a summary of the main things you want to carefully consider if you use SSH and want to remain safe and secure.

  • Key Exchange – Basically, you’re going to want to use : Diffie-Hellman or Elliptic Curve Diffie-Hellman to do a key exchange. This is because they both provide forward secrecy, which makes it harder for people to snoop. As you probably know, OpenSSH currently supports 8 key exchange protocols. The ones you want to use are curve25519-sha256: ECDH over Curve25519 with SHA2 OR diffie-hellman-group-exchange-sha256: Custom DH with SHA2.
  • Server Authentication – You can use four public key algorithms for server authentication. Of those four, your best bet (for being secure) is to use RSA with SHA1 for your server authentication needs. The trick is in making sure you disable the public key algorithms you are NOT going to be using. This is easily handled with a few commands. Make sure you init files don’t reload the keys you don’t want to use.
  • Client Authentication – After you set up something more secure, you want to make sure you disable password authentication, which is vulnerable to brute force attacks. It’s much better to use public key authentication – just like on the server side. Another option is to use OTP (one time passwords) in order to make it harder for the bad guys to snoop on your secure data connection to try to learn more about you.
  • User Authentication – This is an important aspect of setting up a server to accept truly secure SSH connections. Basically, you want to create a whitelist of allowed users. Doing this will block anyone not on the list from even attempting to sign-in. If you have a large number of users who will be connecting to the server via SSH, you’ll want to use AllowGroups instead of AllowUser, but this is still relatively easy to set up.
  • Symmetric ciphers – When it comes to symmetric ciphers, you have a few algorithms available. Once again, it’s up to you to choose the best ones for security. In this case, you’re going to want to use chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr,aes192-ctr, and aes128-ctr.
  • Message Authentication Codes – If you’re using an AE cipher mode, you won’t need to worry about MACs because they’re already included. On the other hand, if you went the CTR route, you’re going to want to use MAC to tag every  message. Encrypt-then-MAC is the only method that should be used if you want to make sure you’re as secure as possible when using SSH.
  • Traffic Analysis – Last but not least, you’re going to want to use Tor hidden services for your SSH servers. By using this, you’re going to make it even harder for the bad guys by adding yet another layer of protection. If you’re not using LAN, make sure to turn that off.

When you’re done checking and changing all of the above, you’re going to want to run ssh -v in order to check the changes you made to your system. That simple command will list all the algorithms you decided to use so you can easily double-check your work.

Also, Harden Your System!

These are good tips for any server connected to the internet, but they’re also extremely useful for making sure your SSH connections are as secure as possible.

  • Only install necessary software. More code equals more opportunities for bugs and exploits that can be used by malicious hackers.
  • Use FOSS (Free/Open Source Software) when possible to ensure you have access to the source code. This will allow you to vet the code yourself.
  • Update your software as often as possible. This will help you avoid known problems that can be exploited by the bad guys.

As mentioned, the tips above are things you should be doing whether or not you’re trying to secure your SSH connections to the server.

The SSL Takeaway

The SSL takeaway is that even if something has the word “secure” or “security” in its name, it doesn’t mean it’s going to be as hardened against attacks as possible if you don’t set it up correctly. If you’re in charge of a server and frequently use SSH to connect to it (or allow others to) you’re going to want to take the time to set it up correctly to make sure you’ve got maximum security.

At SSL.com, we believe in making the SSL Best Practices as easy to understand and implement as possible.