Posted inSecurity

Hardening SSH Server Security with ssh-audit: Eliminating Weak Algorithms for 2024

Security tutorial - IT technology blog
Security tutorial - IT technology blog

Scan Your SSH Server in 5 Minutes

Just rented a new VPS or managing a cluster that’s been running for a year? Don’t blindly trust default provider configurations. In reality, many Linux distributions still enable legacy algorithms for compatibility, unknowingly creating security holes for attackers to exploit.

Installing ssh-audit on Ubuntu/Debian takes only a few seconds:

sudo apt update
sudo apt install ssh-audit -y

If you’re on a Mac or want the latest version via Python pip:

pip3 install ssh-audit

Now, run a quick check (replace IP with your server address):

ssh-audit 1.2.3.4

The output will show three distinct colors: Green (Safe), Yellow (Warning), and Red (Critical). If you see a “blood-red” list under Ciphers or MACs, your server needs immediate attention.

Why Default Configurations Are Often… Not Okay

Many admins wonder why Ubuntu or CentOS keep weak algorithms. The sole reason is compatibility. They want to ensure clients from a decade ago can still connect. However, in today’s environment where botnets scan port 22 thousands of times daily, this compromise is extremely risky.

During a recent system audit for a client, I discovered a server still using diffie-hellman-group1-sha1. This “prehistoric” algorithm is easily broken or vulnerable to downgrade attacks even with mid-range hardware. ssh-audit exposes vulnerabilities like Terrapin (CVE-2023-48795) that are invisible to the naked eye in config files.

Decoding ssh-audit Components

This tool focuses on analyzing 4 core security layers:

  • Host Keys: Server identification. Prioritize ed25519 or rsa-sha2-512. If you see ssh-rsa (which uses SHA-1), remove it immediately.
  • Key Exchange (KEX): How both parties agree on a secret key. curve25519-sha256 is currently the undisputed choice for speed and security.
  • Ciphers: The data encryption layer. You should only use chacha20-poly1305 or aes-gcm.
  • MACs: Ensures data integrity during transmission.

Reading the Report: Beyond Just Colors

The biggest advantage of ssh-audit is the Recommendations section at the end of the scan. Instead of just dry error reports, it provides “step-by-step” guidance by listing the exact lines to copy and paste. You’ll save at least 30 minutes of manual documentation research.

Optimizing SSH Configuration to “Fortress” Standards

Once you’ve identified the weaknesses, start tightening security. Open the main configuration file with:

sudo nano /etc/ssh/sshd_config

Below is a modern configuration template I typically apply. It completely removes outdated algorithms and keeps only the strongest ones:

# High-security Key Exchange
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

# Modern encryption algorithms to prevent Terrapin attacks
Ciphers [email protected],[email protected],[email protected]

# Strong data authentication (EtM)
MACs [email protected],[email protected],[email protected]

# Secure Host Key algorithms
HostKeyAlgorithms ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256

Before restarting, check for any syntax errors:

sudo sshd -t
sudo systemctl restart ssh

Warning: Ensure your SSH client (like the latest PuTTY or Termius) supports these algorithms. If you use an outdated version, you might lock yourself out of your server immediately!

Best Practices for a Secure Server

If you haven’t set up SSH Keys yet, use the password generation tool at toolcraft.app/en/tools/security/password-generator. This tool runs entirely in your browser, ensuring complex passwords are never exposed over the network.

Besides hardening algorithms, you should apply 3 small but highly effective tips:

  1. Change the default SSH port: Moving from port 22 to a random number (e.g., 2289) helps evade up to 90% of automated botnet scans.
  2. Disable Passwords: Switch to SSH Keys and disable PasswordAuthentication. This is the strongest barrier against brute-force attacks.
  3. Restrict Access IPs: If you have a static IP, use a Firewall (UFW) to only allow yourself to “knock on the door.”

Security is a continuous journey, not a one-time task. Every time you update your system, take a minute to rerun ssh-audit to ensure everything is still under control. Good luck building a rock-solid system!

Share:
Tags: