How to Harden the SSH Server (`sshd_config`) on FreeBSD

This article provides a comprehensive guide to hardening the SSH server (sshd_config) on FreeBSD, ensuring the system is secure from unauthorized access.

Secure Shell (SSH) is a critical service for remote administration on FreeBSD, but an improperly configured SSH server (sshd) can expose the system to attacks. This guide provides a comprehensive approach to hardening sshd_config to enhance security.

1. Backup the Current Configuration

Before making any changes, back up the existing sshd_config file:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

This allows you to restore the original settings if needed.

2. Restrict Root Login

Disabling root login over SSH helps prevent brute-force attacks on the root account.

Edit /etc/ssh/sshd_config and locate the PermitRootLogin directive:

PermitRootLogin no

Restart SSH for changes to take effect:

service sshd restart

3. Use Key-Based Authentication

Disable password authentication to force the use of SSH keys.

In /etc/ssh/sshd_config, modify these settings:

PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no

Ensure you have set up SSH keys before applying these changes, or you may lock yourself out.

4. Change the Default SSH Port

Changing the default SSH port (22) can help reduce automated attacks.

Modify the Port directive in /etc/ssh/sshd_config:

# Choose an unused port above 1024
Port 2222

Restart SSH for changes to apply.

5. Allow Specific Users or Groups

Restricting SSH access to specific users or groups adds an extra layer of security.

In /etc/ssh/sshd_config, specify allowed users or groups:

AllowUsers username1 username2
AllowGroups sshusers

6. Disable SSH Protocol 1

SSH Protocol 1 is outdated and insecure. Ensure that only Protocol 2 is used:

Protocol 2

7. Limit the Number of Authentication Attempts

To slow brute-force attacks, limit the number of authentication attempts allowed per connection, and cap the number of sessions (shells, commands, subsystems) that one connection may multiplex:

MaxAuthTries 3
MaxSessions 2

8. Limit the Login Grace Time

In /etc/ssh/sshd_config, limit how long a connection may stay open without completing authentication:

LoginGraceTime 30s

This setting forces SSH to close connections that are not authenticated within 30 seconds.

9. Disable TCP Forwarding and X11 Forwarding

Unless necessary, disable forwarding to prevent tunneling attacks:

AllowTcpForwarding no
X11Forwarding no

10. Enable Strict Mode for SSH Keys

With StrictModes enabled, sshd refuses a login if the user's home directory, ~/.ssh directory, or authorized_keys file is writable by other users, so a misconfigured key file cannot be abused:

StrictModes yes

11. Use Strong Ciphers, MACs, and Key Exchange Algorithms

Strengthen SSH encryption by specifying strong ciphers, MACs, and key exchange algorithms:

Ciphers aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org

12. Enable Logging

Ensure that SSH login attempts and other relevant logs are recorded for auditing:

LogLevel VERBOSE

Logs can be viewed using:

tail -f /var/log/auth.log

13. Use a Firewall to Restrict SSH Access

Use pf (Packet Filter) to restrict SSH access to specific IPs:

Edit /etc/pf.conf:

table <trusted_ips> { 192.168.1.100, 203.0.113.50 }
# "quick" stops rule evaluation at the first match, so the pass rule must precede the block rule
pass in quick on egress proto tcp from <trusted_ips> to any port 2222
block in quick on egress proto tcp from any to any port 2222

Apply the changes:

service pf reload

14. Set Idle Timeout for SSH Sessions

To automatically disconnect inactive SSH sessions:

ClientAliveInterval 300
ClientAliveCountMax 0

This forces a logout after 5 minutes of inactivity.

15. Enable Two-Factor Authentication (2FA)

Install Google Authenticator for an additional security layer:

pkg install pam_google_authenticator

Enable it in /etc/pam.d/sshd:

auth required pam_google_authenticator.so
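The settings above only take effect if sshd actually reads them, and sshd keeps the first value it sees for each keyword, so a hardened line appended below an older one is silently ignored. The following audit script is an added example, not part of this article: it parses a copy of sshd_config with those rules (case-insensitive keywords, first occurrence wins, Match blocks treated as conditional and skipped) and reports every recommended keyword that is unset or differs. The keyword set, the parse_global and audit names, and the sample config are constructed for the example.

```python
import re

# Hardened global values recommended in the article (keyword -> value).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "maxauthtries": "3",
    "x11forwarding": "no",
    "loglevel": "verbose",
}

def parse_global(text):
    """Effective {keyword: value} of the global section, following sshd rules:
    keywords are case-insensitive, 'Key value' and 'Key=value' both work, and the
    FIRST occurrence of a keyword wins. Lines from the first Match block on are
    conditional, so they are left out of this audit (simplification)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective

def audit(text, expected=EXPECTED):
    """List (keyword, found, wanted) for every keyword that is unset or differs.
    "unset" is reported too, because the article sets each value explicitly."""
    got = parse_global(text)
    findings = []
    for key, wanted in expected.items():
        found = got.get(key, "unset")
        if found.lower() != wanted:
            findings.append((key, found, wanted))
    return findings

# Constructed sample config: the hardened lines were appended below an older
# "PermitRootLogin yes", which still wins because sshd keeps the first value.
SAMPLE = """\
PermitRootLogin yes
X11Forwarding no
LogLevel VERBOSE
PermitRootLogin no
PasswordAuthentication=no
Match User backup
    PasswordAuthentication yes
"""
```

On the live host, `sshd -T` prints the configuration sshd actually uses and is the authoritative check; this script is for reviewing files offline or before deployment.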

Conclusion

Hardening sshd_config is an essential step in securing a FreeBSD server. By following these best practices, you can significantly reduce security risks and protect your system from unauthorized access. Regularly update OpenSSH and review security logs to stay ahead of potential threats.