SSH Hardening

Exercises

1. 1. Disable root login

   Concept: root login. root is the administrator account with unlimited rights. Allowing root to log in directly over SSH is a "game-over" risk: whoever guesses the password instantly owns the whole server. Secure servers forbid direct root login — you log in as a normal user and use sudo when needed.

   Open the config with sudo nano /etc/ssh/sshd_config, find the PermitRootLogin line and set it to:

   PermitRootLogin no

   Save with Ctrl+O, Enter, exit with Ctrl+X. Then reload the service:

   sudo systemctl reload ssh

   Check: sshd -T | grep permitrootlogin must output permitrootlogin no.

2. 2. Switch off password authentication

   Concept: public-key vs. password login. With password login you type a password — bots can brute-force it. With public-key authentication the user holds a private key and the server only knows the matching public key. Without the private key nobody gets in — orders of magnitude safer and impossible to guess.

   Switch off password login in /etc/ssh/sshd_config:

   PasswordAuthentication no

   Then reload:

   sudo systemctl reload ssh

   Your existing public-key access is unaffected — so you will not lock yourself out.

   Check: sshd -T | grep passwordauthentication must show passwordauthentication no.

3. 3. Limit login attempts to 3

   Concept: MaxAuthTries. This directive limits how many authentication attempts are allowed per connection. The default is 6 — giving brute-force tools needlessly many tries. With 3 the server closes the connection sooner, and protection tools like fail2ban kick in faster.

   Set in /etc/ssh/sshd_config:

   MaxAuthTries 3

   Then reload:

   sudo systemctl reload ssh

   Check: sshd -T | grep maxauthtries must show maxauthtries 3.

4. 4. Close idle sessions after 5 minutes

   Concept: idle timeout. An open SSH session in an unattended terminal is an entry point — someone could take it over. ClientAliveInterval defines after how many seconds of inactivity the server ends an idle session. 300 = 5 minutes.

   Set in /etc/ssh/sshd_config:

   ClientAliveInterval 300

   Then reload:

   sudo systemctl reload ssh

   Check: sshd -T | grep clientaliveinterval must show clientaliveinterval 300.

5. 5. Allow SSH only for the student user

   Concept: whitelist with AllowUsers. Instead of allowing all users and blocking individuals (blacklist), you allow only explicitly named users (whitelist) — far safer.

   Add the allowed users in /etc/ssh/sshd_config:

   AllowUsers student ssh-validator

   Then reload:

   sudo systemctl reload ssh

   ⚠️ Important: ssh-validator must be in the list — otherwise you lock out the platform validator and the task cannot pass.

   Check: sshd -T | grep allowusers must contain student and ssh-validator.

6. 6. Enable login banner

   Concept: login banner. A banner is a notice shown before login. It serves legally as a warning ("authorized access only") and deters attackers.

   First create the warning text, then point to it in the SSH config.

   Create the banner file:

   echo 'Authorized access only. All activity is monitored.' | sudo tee /etc/issue.net

   Set the banner line in /etc/ssh/sshd_config:

   Banner /etc/issue.net

   Then reload:

   sudo systemctl reload ssh

   Check: sshd -T | grep banner must show /etc/issue.net.

7. 7. Reload sshd and verify public-key auth

   Concept: effective vs. merely configured. Changes to sshd_config take effect only after systemctl reload ssh. And only sshd -T shows the actually loaded configuration — looking at the file is not enough, because a typo could stop it from loading at all.

   Make sure public-key authentication is enabled, reload the service, and verify the result:

   sudo systemctl reload ssh
   sshd -T | grep -i pubkeyauthentication

   The output must contain pubkeyauthentication yes.

   Check: The validator confirms that sshd was reloaded and public-key auth is effectively active.