“Secure” config for OpenSSH 6.6 Ubuntu 14.04

A standard Ubuntu 14.04 installation comes with an SSH configuration that is only halfway secure. To get a scan with no findings from vulnerability scanners like Nessus, you’ll need to tweak the settings further. A nice side effect is that attackers are usually using outdated systems, which means they can’t even get to the authentication part.

[Image: Nessus findings for Ubuntu 14.04 SSH]

Disable Password authentication
Passwords are a bad way to authenticate. Before turning password authentication off, make sure that signing in as your users with a private key works. Once you’ve done this, open /etc/ssh/sshd_config and set

PasswordAuthentication no

Choose strong MACs, Ciphers and Key-Exchange-Algorithms only
At the end of /etc/ssh/sshd_config append the following configuration parameters:

MACs hmac-sha2-512,hmac-sha2-256
Ciphers aes256-ctr
KexAlgorithms ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
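
Appending only works if no earlier line already sets the same keyword, because sshd uses the first value it obtains. The following check is an added example, not part of the original post: the function names and the sample file are constructed, and it handles the plain "Keyword value" form only.

```shell
#!/bin/sh
# Added example (not from the original page): check which values sshd would
# actually use from an sshd_config. Keywords are case-insensitive and the
# FIRST value obtained wins, so an earlier line beats one appended at the end.

# effective_value FILE KEYWORD: print the first global value of KEYWORD.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        tolower($1) == "match" { exit }  # global section ends at first Match
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per deviation from the page's
# settings; return 1 if anything deviates, 0 otherwise.
audit_sshd_config() {
    rc=0
    while IFS='|' read -r key expected; do
        actual=$(effective_value "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL $key: effective='${actual:-<unset>}' expected='$expected'"
            rc=1
        fi
    done <<EOF
PasswordAuthentication|no
MACs|hmac-sha2-512,hmac-sha2-256
Ciphers|aes256-ctr
KexAlgorithms|ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
EOF
    return "$rc"
}

# Constructed sample: an earlier Ciphers line shadows the appended one, and
# PasswordAuthentication is only present as a comment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PasswordAuthentication yes
ciphers aes128-cbc,3des-cbc
MACs hmac-sha2-512,hmac-sha2-256
Ciphers aes256-ctr
KexAlgorithms ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
EOF
audit_sshd_config "$sample" || true
```

A keyword reported as <unset> falls back to sshd's built-in default. Running sshd -t as root checks the real file for syntax errors before the restart.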

Applying the configuration
Once this is done, you’ll need to restart the SSH daemon by running the service ssh restart command.

Important: try connecting to the server in a separate SSH session right after restarting, or you risk not being able to log in anymore. In case you can’t connect, try updating your SSH client.