Server
Most of the commands in the server section must be run with root privileges.
Always start by making sure the operating system and packages are updated.
Regenerate host identification keys.
After completing this step, the SSH client may give an error saying that the host identification key has changed and will not allow the connection to go through;
this can be fixed by removing the SSH host from ~/.ssh/known_hosts.
Then generate SSH moduli:
Restart the SSH service:
Optionally, check your server with ssh-audit:
Alternatively, if the SSH server is publicly accessible, it can be checked and scored on sshaudit.com.
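The moduli step above can be checked after the fact. This is an added example, not code from the original page: it counts the entries in a moduli file whose size field is below a chosen minimum. The 3071 threshold, the function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenSSH moduli file for undersized DH groups.
# moduli(5) line format: time type tests tries size generator modulus
# OpenSSH lists a group generated for 3072 bits with size 3071 (field 5).

# Print the number of entries whose size field is below MIN_SIZE.
# Malformed (short) lines are counted as weak so they are not missed.
weak_moduli_count() {
    file=$1; min_size=$2
    awk -v min="$min_size" '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        NF < 7 { bad++; next }           # truncated entry
        $5 + 0 < min { bad++ }
        END { print bad + 0 }
    ' "$file"
}

# Print the distinct size values present, ascending, one per line.
moduli_sizes() {
    awk '!/^[ \t]*#/ && NF >= 7 { print $5 }' "$1" | sort -n | uniq
}

# Constructed sample input; the modulus column is a placeholder, not a prime.
make_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000000 2 6 100 2047 2 DEADBEEF01
20240101000001 2 6 100 3071 2 DEADBEEF02
20240101000002 2 6 100 4095 5 DEADBEEF03
20240101000003 2 6 100 1535 2 DEADBEEF04
EOF
}

sample=$(mktemp)
make_sample_moduli "$sample"
echo "entries below 3071: $(weak_moduli_count "$sample" 3071)"
echo "sizes present:"
moduli_sizes "$sample"
rm -f "$sample"
```

On a server, point `weak_moduli_count` at `/etc/ssh/moduli` before restarting the SSH service; a non-zero count means small groups are still on offer.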
Client
Hardening the SSH client is just as important as hardening the SSH server. Some attack vectors remain open if either the SSH server or the client has not taken precautions to mitigate them.
Hardening the SSH client for the current user is as simple as running the following command:
Optionally, use ssh-audit to check and make sure the client configuration is good:
Open a new terminal and run: