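# character code point in character set (e.g., unicode), which gives each character a unique number -->
# encoding rule (e.g., utf-8), which determines how each code point is stored on disk as a binary (byte) sequence -->
# binary (byte) sequence -->
# base64 rule -->
# 64 safe ASCII characters
#
# Generate a random password from a fixed ASCII alphabet, check that it survives a
# Base64 round trip, and write both forms to `output_file` (owner-readable only).
using Base64

# Number of characters drawn from the alphabet below.
password_length = 30
# Destination of the generated password; its permissions are restricted before anything is written.
output_file = "test.txt"

# Read bytes from /dev/urandom and keep only those in the alphabet, until `password_length`
# characters have been collected. LC_ALL=C makes `tr` work on single bytes; the trailing '-'
# of the alphabet is literal because it is the last character of the set.
password_io = IOBuffer()
cmd = Cmd(["sh", "-c", "LC_ALL=C tr -dc 'A-Za-z0-9!@#%&*_+=-' < /dev/urandom | head -c $(password_length)"])
run(pipeline(cmd; stdout=password_io); wait=true)
password_str = String(take!(password_io))

# Base64 form, plus a decode to confirm the round trip is lossless.
password_b64 = base64encode(password_str)
password_b64_str = String(base64decode(password_b64))

# Persist only when the round trip succeeded and the pipeline produced the requested length
# (a truncated read would otherwise be written silently as a shorter password).
if password_str == password_b64_str && length(password_str) == password_length
    open(output_file, "w") do io
        # The file holds a secret in clear text: make it owner-only before writing to it.
        chmod(output_file, 0o600)
        println(io, string("String:", password_str, "\nBase64:", password_b64))
    end
    @info "OK"
else
    @error "Password generation failed" got=length(password_str) expected=password_length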
end
1 Server
The following was tested on Ubuntu Desktop 22.04.
1.1 Configure /etc/ssh/sshd_config
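# --- Global settings ---
# These must come before the first "Match" line: every directive after a "Match" applies
# only to that match, and directives such as Subsystem and TCPKeepAlive are not permitted
# inside a Match block at all (sshd rejects the file).

# Do not permit root login via SSH
PermitRootLogin no
# Reduce the number of login attempts per connection
MaxAuthTries 3
# Allow non-administrator (regular) users to log in via either SSH key or password
PubkeyAuthentication yes
PasswordAuthentication yes
# In-process SFTP server; required for the ChrootDirectory/ForceCommand setup below
Subsystem sftp internal-sftp
# Keep SSH connection alive
# This is not secure: an unresponsive client is kept for up to 60 s x 120 = 2 hours
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 120
# Logging (VERBOSE also records the fingerprint of the key used for each login)
LogLevel VERBOSE

# --- Conditional settings ---
# Allow administrators to log in using SSH keys only
Match Group sudo
    PasswordAuthentication no
    AuthenticationMethods publickey
# Prohibit SFTP file-transfer users from accessing bash
Match Group slbsftp
    # Every component of the chroot path must be owned by root and not writable by
    # group/others, otherwise sshd refuses the login
    ChrootDirectory /archive
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp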
1.2 Configure fail2ban
Use fail2ban to monitor SSH login attempts.
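# install fail2ban
sudo apt update
sudo apt install fail2ban
# enable fail2ban (starts it now and on every boot)
sudo systemctl enable --now fail2ban
# use jail.local instead of jail.conf to configure fail2ban:
# jail.conf is replaced on package upgrades, jail.local is kept
cd /etc/fail2ban
sudo cp jail.conf jail.local
# jail.local is owned by root, so the editor needs root to save it (sudoedit jail.local also works)
sudo vim jail.local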
[DEFAULT]
# never ban loopback; add your own management addresses or ranges here
ignoreip = 127.0.0.1/8 ::1
# repeat offenders get progressively longer bans (scaled by bantime.factor), capped at bantime.maxtime
bantime.increment = true
bantime.factor = 6
# 604800 s = 7 days
bantime.maxtime = 604800
# initial ban: 600 s = 10 min (written in seconds here, while findtime below uses the "10m" form)
bantime = 600
# ban after maxretry failures within this window
findtime = 10m
maxretry = 4
[sshd]
enabled = true
# named port, resolved like /etc/services; change it if sshd listens elsewhere
port = ssh
filter = sshd
# expands to the distribution's auth log (on Ubuntu normally /var/log/auth.log)
logpath = %(sshd_log)s
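# test configuration files (run as root like the other commands, so every file under
# /etc/fail2ban can be read)
sudo fail2ban-client -t
# reload fail2ban
sudo systemctl reload fail2ban
# check whether fail2ban is enabled for sshd
sudo fail2ban-client status sshd
# check real-time log (the log file is usually not readable by a regular user)
sudo tail -f /var/log/fail2ban.log
# ban or unban IP manually (the client talks to the fail2ban socket, which is root-only)
sudo fail2ban-client set sshd banip 1.2.3.4
sudo fail2ban-client set sshd unbanip 1.2.3.4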
2 Client
2.1 Generate SSH key
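# -p: do not fail if the directory already exists
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Never use an empty passphrase
# -a 500: KDF rounds used to protect the private key with the passphrase
#         (slower to unlock, and equally slower for an offline guess)
# -f: write the pair into ~/.ssh, so the chmod lines below refer to the files actually created
ssh-keygen -t ed25519 -a 500 -C "example@qq.com" -f ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519.pub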
2.2 Use VeraCrypt to save SSH keys and passwords
For convenience, you can create an encrypted file container (standard or hidden) with VeraCrypt to store SSH keys and passwords. Protect it with a long, complex password. You can also set a custom PIM (Personal Iterations Multiplier) instead of using the default.
You can use the following Julia script to generate a complex random password together with its Base64 encoding:
2.3 Create symbolic links of SSH keys
Mount the encrypted volume and create symbolic links of SSH keys:
# MAC OS/Linux
# /Volumes/Keys is the macOS mount point of the VeraCrypt volume; on Linux use the
# directory VeraCrypt mounted it at instead (check with `mount`)
ln -s /Volumes/Keys/ssh_keys/id_ed25519 ~/.ssh/id_ed25519
ln -s /Volumes/Keys/ssh_keys/id_ed25519.pub ~/.ssh/id_ed25519.pub
# Windows
# R: is the drive letter the VeraCrypt volume was mounted as
# NOTE(review): creating symbolic links normally needs an elevated PowerShell (or Developer
# Mode enabled) — confirm on your Windows build
New-Item -ItemType SymbolicLink -Path ~\.ssh\id_ed25519 -Target R:\ssh_keys\id_ed25519
New-Item -ItemType SymbolicLink -Path ~\.ssh\id_ed25519.pub -Target R:\ssh_keys\id_ed25519.pub
2.4 Use ssh-agent to host SSH key
You can add your SSH key to ssh-agent. This way, you only need to mount the encrypted volume and enter your SSH key passphrase once when you power on your computer. After that, ssh-agent will handle all SSH authentication tasks.
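# MAC OS/Linux
# Generally, ssh-agent is already enabled by default when the computer is powered on, so you don't need to start it manually
# write the following code to ~/.bashrc or ~/.zshrc
# try to add the given ssh key to ssh-agent
ssh_private_key_path=~/.ssh/id_ed25519
# `ssh-add -l` exits 0 when the agent holds at least one key, 1 when it holds none,
# and 2 when the agent cannot be contacted
ssh-add -l >/dev/null 2>&1
case $? in
    0)
        echo 'At least one key has been added to ssh-agent, use `ssh-add -l` to see more'
        ;;
    1)
        echo 'There is no key added to ssh-agent, adding the given now ...'
        # -L: the key is expected to be a symlink into the encrypted volume
        # -e: the link target exists, i.e. the volume is actually mounted
        if [[ -L "$ssh_private_key_path" && -e "$ssh_private_key_path" ]]; then
            # report success only if ssh-add itself succeeded (a mistyped passphrase makes it fail)
            if ssh-add "$ssh_private_key_path"; then
                echo 'The given ssh key has been added to ssh-agent successfully'
            else
                echo 'Failed to add the given ssh key (ssh-add returned an error)'
            fi
        else
            echo 'Failed to add the given ssh key because its path is invalid'
        fi
        ;;
    2)
        # kept on one line: inside single quotes a backslash is literal, so a
        # backslash-newline would be printed instead of joining the lines
        echo 'ssh-agent is not enabled, please enable it first (the way to start ssh-agent may vary across different platforms)'
        ;;
esac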
# Windows
# Enable ssh-agent
# Method 1: run PowerShell as administrator and enter the following code
# (the service ships with startup type Disabled, so Start-Service alone fails until it is changed)
Set-Service -Name ssh-agent -StartupType Automatic
Start-Service ssh-agent
# Method 2: Win + R --> Type services.msc --> Locate OpenSSH Authentication Agent --> Right-click Properties --> Change the Startup type to Automatic --> Click Start
# Use the following code to check whether ssh-agent is running
Get-Service ssh-agent
# Add SSH key to ssh-agent
# NOTE(review): unlike the Unix agent, the Windows agent keeps added keys across reboots
# (stored per user, DPAPI-protected) — confirm for your OpenSSH build before relying on it
# If "~" is not expanded for this native command, use $HOME\.ssh\id_ed25519 instead
ssh-add ~\.ssh\id_ed25519
# Use the following code to list cached SSH keys (you may need to run it twice)
ssh-add -l
3 Misc
- List members of the administrator groups
# one line per group (name:x:gid:member,member,...); groups that do not exist on this system are simply omitted
getent group sudo wheel admin
- Delete Julia history
# the REPL history is kept in ~/.julia/logs/ (repl_history.jl)
rm -f ~/.julia/logs/*
- Delete shell history
- Zsh
if [ -n "$ZSH_VERSION" ]; then
    # push the current history list aside and start a fresh, empty one
    fc -p
    # truncate whichever history files exist
    for histfile in ~/.zsh_history ~/.zhistory; do
        [ -f "$histfile" ] && : > "$histfile"
    done
    # per-session history kept by the macOS Terminal
    [ -d ~/.zsh_sessions ] && rm -rf ~/.zsh_sessions/*
    # stop this shell from writing a history file at exit
    unset HISTFILE
fi
- Bash
if [ -n "$BASH_VERSION" ]; then
    # drop the in-memory history of this shell
    history -c
    # empty the on-disk history file if present
    [ -f ~/.bash_history ] && : > ~/.bash_history
    # stop this shell from writing a history file at exit
    unset HISTFILE
fi