20 min. 40 XP.
SSH Hardening Without Locking Yourself Out
Classic mistake: a team hardens sshd_config, restarts sshd, and promptly loses access. This lesson covers the safe sequence: test in a second terminal before closing your first session, preserve scoring-engine keys, and understand the permission triad.
Prerequisites
Objectives
- Know every directive that matters for hardening: PermitRootLogin, MaxAuthTries, PubkeyAuthentication, AllowUsers
- Back up and restore sshd_config
- Use `sshd -T` to validate config without restarting
- The permission triad: 700 on ~/.ssh, 600 on authorized_keys
- Preserve scoring-engine keys during hardening
Quick reference
| Command | Purpose |
|---|---|
| systemctl status sshd | Is SSH up? |
| sshd -T \| less | Effective config after parsing |
| cp /etc/ssh/sshd_config /root/sshd_config.backup | Back up before editing |
| tail -20 /var/log/auth.log | Recent authentication events |
| chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys | Permission triad |
| fail2ban-client status sshd | Is fail2ban holding any bans? |
Common pitfalls
- Setting `PasswordAuthentication no` before your team has deployed keys
- Running `chown -R user:user ~` which changes `.ssh` ownership away from the user
- Blocking the scoring engine with fail2ban: whitelist their IP in jail.local
- Deleting `authorized_keys` entries without a backup: scoring-engine keys are gone forever
- Setting `AllowUsers you` without including the scoring users
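A pre-restart check for two of the pitfalls above, as an added example that is not part of the original lesson: it confirms that `AllowUsers`, when present, still names every account that must keep access, and that each account's `.ssh` and `authorized_keys` carry modes 700 and 600. The function names, the `<home_base>/<user>` home layout and the literal-name-only `AllowUsers` parsing are assumptions.

```bash
#!/usr/bin/env bash
# Added example: check the lockout pitfalls before restarting sshd.
# Assumption: each user's home directory is <home_base>/<user>.
# Usage: preflight /etc/ssh/sshd_config /home USER...

# allow_users_ok CONFIG USER...
# Succeeds if CONFIG has no AllowUsers line, or names every USER on one.
# Only literal names and name@host entries are handled, not wildcards.
allow_users_ok() {
  local cfg="$1" listed u rc=0; shift
  listed=$(awk 'tolower($1) == "allowusers" {
                  for (i = 2; i <= NF; i++) { sub(/@.*/, "", $i); print $i }
                }' "$cfg")
  [ -z "$listed" ] && return 0          # directive absent: nobody is filtered
  for u in "$@"; do
    if ! printf '%s\n' "$listed" | grep -qxF -- "$u"; then
      echo "AllowUsers omits $u" >&2; rc=1
    fi
  done
  return $rc
}

# key_perms_ok HOME_BASE USER...
# Succeeds if every USER has .ssh at 700 and a non-empty authorized_keys at 600.
key_perms_ok() {
  local base="$1" u d rc=0; shift
  for u in "$@"; do
    d="$base/$u/.ssh"
    if [ -z "$(find "$d" -prune -type d -perm 700 2>/dev/null)" ]; then
      echo "$d is missing or not mode 700" >&2; rc=1
    fi
    if [ ! -s "$d/authorized_keys" ] ||
       [ -z "$(find "$d/authorized_keys" -prune -perm 600)" ]; then
      echo "$d/authorized_keys is missing, empty or not mode 600" >&2; rc=1
    fi
  done
  return $rc
}

# preflight CONFIG HOME_BASE USER...  -> 0 only when both checks pass
preflight() {
  local cfg="$1" base="$2" rc=0; shift 2
  allow_users_ok "$cfg" "$@" || rc=1
  key_perms_ok "$base" "$@" || rc=1
  return $rc
}
```

Pass the scoring users as the USER arguments; a non-zero exit means the restart should wait until the reported line is fixed.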
Skill drills
1. Which sshd_config option disables root SSH login? `PermitRootLogin no`
2. Required permission mode for ~/.ssh? 700
3. Required permission mode for authorized_keys? 600
4. Command that validates sshd_config without restarting sshd? `sshd -T`
NCAE scoreboard patterns this lesson prevents
- 2,502.8 SSH Login. Failed to connect to host: IP
- 44.4 SSH Login. The following users failed to authenticate with their public key: nills, vetomo
- 44.4 SSH Login. The following users failed to authenticate with their public key: vetomo, nills
- 36.1 SSH Login. The following users failed to authenticate with their public key: simone_weil, todd_k
- 36.1 SSH Login. The following users failed to authenticate with their public key: vetomo, todd_k
- 30.6 SSH Login. The following users failed to authenticate with their public key: claude_chevalley
- 27.8 SSH Login. The following users failed to authenticate with their public key: claude_chevalley, simone_weil
- 27.8 SSH Login. The following users failed to authenticate with their public key: nills, simone_weil
- 27.8 SSH Login. The following users failed to authenticate with their public key: nills, todd_k
- 25 SSH Login. The following users failed to authenticate with their public key: simone_weil, vetomo, claude_chevalley
- 25 SSH Login. The following users failed to authenticate with their public key: nills
- 25 SSH Login. The following users failed to authenticate with their public key: simone_weil, nills
- 22.2 SSH Login. The following users failed to authenticate with their public key: vetomo, claude_chevalley
- 22.2 SSH Login. The following users failed to authenticate with their public key: vetomo
- 19.4 SSH Login. The following users failed to authenticate with their public key: simone_weil, vetomo, nills