SSH Hardening Guide
SSH Hardening Guide
Section titled “SSH Hardening Guide”Last Updated: 2026-02-09 Server: Hetzner Production (46.224.40.5) Status: ✅ Hardened
Overview
Section titled “Overview”SSH is the primary remote access method. This guide covers the hardened configuration protecting against unauthorized access.
Current Configuration
Section titled “Current Configuration”Security Settings
Section titled “Security Settings”| Setting | Value | Purpose |
|---|---|---|
| PermitRootLogin | prohibit-password | Root via key only |
| PasswordAuthentication | no | Keys only, no passwords |
| MaxAuthTries | 3 | Limited login attempts |
| MaxSessions | 3 | Prevent session flooding |
| LoginGraceTime | 30s | Quick timeout on failed auth |
| X11Forwarding | no | Disable X11 (attack surface) |
| AllowTcpForwarding | no | Disable port forwarding |
| AllowAgentForwarding | no | Disable agent forwarding |
| LogLevel | VERBOSE | Enhanced logging |
Cryptography
Section titled “Cryptography”| Type | Algorithms |
|---|---|
| Ciphers | chacha20-poly1305, aes256-gcm, aes128-gcm |
| MACs | hmac-sha2-512-etm, hmac-sha2-256-etm |
| Key Exchange | curve25519-sha256 |
Configuration Files
Section titled “Configuration Files”Main Config: /etc/ssh/sshd_config
Section titled “Main Config: /etc/ssh/sshd_config”Key settings (defaults):
PubkeyAuthentication yesPasswordAuthentication noUsePAM yesX11Forwarding noPrintMotd noClientAliveInterval 60ClientAliveCountMax 3Hardening Config: /etc/ssh/sshd_config.d/99-hardening.conf
Section titled “Hardening Config: /etc/ssh/sshd_config.d/99-hardening.conf”# =============================================================================# SSH Hardening Configuration - iSu Technologies# Applied: 2026-02-09# =============================================================================
# Authentication hardeningPermitRootLogin prohibit-passwordMaxAuthTries 3MaxSessions 3LoginGraceTime 30
# Disable risky featuresPermitEmptyPasswords noX11Forwarding noAllowTcpForwarding noAllowAgentForwarding noPermitTunnel no
# Connection limitsMaxStartups 3:50:10
# Logging - enhanced for security monitoringLogLevel VERBOSE
# Crypto hardening - strong ciphers onlyCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.comMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.comKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
# Security bannerBanner /etc/issue.netSecurity Banner: /etc/issue.net
Section titled “Security Banner: /etc/issue.net”*************************************************************************** AUTHORIZED ACCESS ONLY***************************************************************************This system is the property of iSu Technologies. Unauthorized access isprohibited. All connections are logged and monitored. By accessing thissystem, you consent to these terms. Violators will be prosecuted.***************************************************************************Quick Commands
Section titled “Quick Commands”Status Check
Section titled “Status Check”# Check SSH servicesystemctl status sshd
# Test configuration (before restart)sshd -t
# View active connectionsss -tnp | grep :22
# View auth logtail -50 /var/log/auth.logConfiguration Changes
Section titled “Configuration Changes”# Edit hardening confignano /etc/ssh/sshd_config.d/99-hardening.conf
# Test configurationsshd -t
# Apply changes (keep current session open!)systemctl restart sshd
# Verify new session works before closing old oneKey Management
Section titled “Key Management”Adding SSH Keys
Section titled “Adding SSH Keys”# On your local machine, generate key (if needed)ssh-keygen -t ed25519 -C "your_email@example.com"
# Copy to serverssh-copy-id -i ~/.ssh/id_ed25519.pub root@46.224.40.5
# Or manually add to serverecho "ssh-ed25519 AAAA... your_email" >> ~/.ssh/authorized_keyschmod 600 ~/.ssh/authorized_keysKey Security
Section titled “Key Security”# Check authorized keyscat ~/.ssh/authorized_keys
# Set correct permissionschmod 700 ~/.sshchmod 600 ~/.ssh/authorized_keys
# Remove old/unknown keysnano ~/.ssh/authorized_keysMonitoring SSH Access
Section titled “Monitoring SSH Access”Real-Time Monitoring
Section titled “Real-Time Monitoring”# Watch auth log livetail -f /var/log/auth.log | grep -E "sshd|Accepted|Failed"
# Watch with colortail -f /var/log/auth.log | grep --color -E "Accepted|Failed|Invalid|$"Access Audit
Section titled “Access Audit”# Successful logins todaygrep "Accepted" /var/log/auth.log | grep "$(date +%b\ %d)"
# Failed attempts todaygrep "Failed" /var/log/auth.log | grep "$(date +%b\ %d)"
# Invalid users (attackers probing)grep "Invalid user" /var/log/auth.log | tail -20
# Last successful loginslast -20Troubleshooting
Section titled “Troubleshooting”Can’t Connect?
Section titled “Can’t Connect?”# From another session on the server:
# 1. Check SSH is runningsystemctl status sshd
# 2. Check configurationsshd -t
# 3. Check firewallufw status | grep 22
# 4. Check fail2ban (you might be banned)fail2ban-client status sshd | grep <YOUR_IP>
# 5. Unban yourself if neededfail2ban-client set sshd unbanip <YOUR_IP>Configuration Errors
Section titled “Configuration Errors”# Test config syntaxsshd -t
# If errors, check the hardening filecat /etc/ssh/sshd_config.d/99-hardening.conf
# Temporarily disable hardening to recovermv /etc/ssh/sshd_config.d/99-hardening.conf /tmp/systemctl restart sshd# Fix the file and move it backEmergency Access
Section titled “Emergency Access”If locked out of SSH:
- Hetzner Console: Access via Hetzner Cloud Console (robot.hetzner.com)
- Recovery Mode: Boot into rescue system
- Emergency Contact: Hetzner support
Security Checklist
Section titled “Security Checklist”- Password authentication disabled
- Root login restricted to key-only
- Strong ciphers configured
- MaxAuthTries ≤ 3
- fail2ban protecting SSH
- Security banner displayed
- VERBOSE logging enabled
- Unnecessary forwarding disabled
Related Documentation
Section titled “Related Documentation”Last hardening: 2026-02-09 Maintainer: Nhlanhla Mnyandu (nhlanhla@isutech.co.za)