Rocky Linux 8 SSH Hardening Guide
Overview
We recommend hardening your Rocky Linux servers by making changes to the SSH configuration.
- Block X11 forwarding
- Force the pre-authentication banner to be the file /etc/banner
- Limit the timeout interval to one hour
- Block client alive messages from being sent to the SSH client
- Block agent forwarding
- Block TCP forwarding
Relevant for
- Rocky Linux 8.x - all versions
Prerequisites
TOS must be installed on the server prior to implementing this resolution.
Recommended Action
- Edit the file /etc/ssh/sshd_config, and set these fields to the indicated values. You may have to delete the comment character ('#') from some entries.

    X11Forwarding no
    Banner /etc/banner
    ClientAliveInterval 3600
    ClientAliveCountMax 0
    AllowAgentForwarding no
    AllowTcpForwarding no

  In addition to these fields, only modifications of KexAlgorithms, MACs, and ciphers are supported.
- Restart the sshd service:
In addition, we recommend installing all official security updates and security patches for your Rocky Linux 8 version.
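One way to confirm the edit to /etc/ssh/sshd_config took effect, as an added example that is not part of the original guide: the script below reads a config file and reports any of the six fields that is missing, still commented out, or set to a different value. The function names and the sample file are assumptions made for this illustration, and it assumes whitespace-separated `Keyword value` lines.

```shell
#!/bin/sh
# Added example (not vendor code): audit an sshd_config-style file against
# the six values listed in this guide.

# Print the first active value of keyword $2 in file $1 (empty if unset).
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively; only the global section before any Match block is read.
sshd_value() {
    awk -v key="$2" '
        $1 ~ /^#/              { next }   # commented-out entry: not in effect
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one FAIL line per deviation; return 0 if compliant, 1 otherwise.
audit_sshd_config() {
    file=$1
    rc=0
    while read -r key want; do
        got=$(sshd_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: expected '$want', found '${got:-<unset>}'"
            rc=1
        fi
    done <<EOF
X11Forwarding no
Banner /etc/banner
ClientAliveInterval 3600
ClientAliveCountMax 0
AllowAgentForwarding no
AllowTcpForwarding no
EOF
    return $rc
}

# Constructed sample: X11Forwarding is only set in a comment and
# AllowTcpForwarding is missing, so both are reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#X11Forwarding no
Banner /etc/banner
ClientAliveInterval 3600
ClientAliveCountMax 0
AllowAgentForwarding no
EOF
audit_sshd_config "$sample" || echo "sample: changes needed"
rm -f "$sample"
```

On a real server, call `audit_sshd_config /etc/ssh/sshd_config` after editing, and run `sshd -t` to check the file for syntax errors before restarting the service.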