Meta DescriptionLearn how to harden SSH on RHEL/CentOS servers. Automate SSH security configuration with Ansible instead of manual sshd_config editing.
ContentSSH (Secure Shell) is how you access Linux servers. It’s also a common attack target.
If you’re still manually editing /etc/ssh/sshd_config on every server, you’re leaving room for mistakes. This guide covers SSH hardening and how to automate it.
Default SSH Is Not SecureOut of the box, RHEL/CentOS SSH has settings that make it vulnerable:
- Root login allowed – Attackers can try to brute-force root
- Password authentication – Weak passwords = compromised servers
- SSH on standard port 22 – Every script can find it
- Weak key exchange algorithms – Old cryptography
- Protocol version 1 (older systems) – Known vulnerabilities Critical SSH Hardening Controls
- Disable Root Login
PermitRootLogin noPrevents direct root SSH access. Use sudo instead.
- Require Key-Based Authentication
PubkeyAuthentication yes
PasswordAuthentication noOnly SSH keys work, not passwords. Passwords can be guessed.
- Disable Empty Passwords
PermitEmptyPasswords noPrevents accounts with no password from SSH’ing in.
- Set Strong Key Exchange
KexAlgorithms curve25519-sha256Uses modern, secure algorithms instead of weak ones.
- Set Strong Ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.comUses strong encryption algorithms.
- Set Strong MAC Algorithms
MACs hmac-sha2-512-etm@openssh.comStrong message authentication codes.
- Disable X11 Forwarding (if not needed)
X11Forwarding noReduces attack surface.
- Limit Login Attempts
MaxAuthTries 3
MaxSessions 5Prevents brute-force attacks.
- Set Client Alive Interval
ClientAliveInterval 300
ClientAliveCountMax 2Drops idle connections, prevents resource exhaustion.
- Use Strong Host Keys
HostKey /etc/ssh/ssh_host_ed25519_keyUses modern Ed25519 keys instead of older RSA.
Manual SSH Hardening = Error-ProneTo manually harden SSH on a single server:
- SSH into server
- Backup
/etc/ssh/sshd_config(just in case) - Edit
/etc/ssh/sshd_config - Find and modify 10+ settings
- Restart SSH service
- Test SSH still works
- Verify each setting was applied correctly
- Document what changed Time: 30-45 minutes per server
If you manage 20 servers, that’s 10+ hours of manual work.
And if you miss a setting? You’re not fully hardened.
Automated SSH HardeningAnsible playbooks automate this:
- Define hardening requirements once
- Deploy to any server (10 seconds per server)
- Consistent configuration everywhere
- Automatic verification
- Easy to update all servers at once
Instead of 30 minutes per server, hardening takes 60 seconds.
Example: Ansible SSH Hardening Task- name: Harden SSH Configuration
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitRootLogin'
line: 'PermitRootLogin no'
state: present
notify: restart sshOne task, applied to all servers consistently.
Getting Started with SSH HardeningIf you need to harden SSH across multiple RHEL/CentOS servers, automation is the way to go.
Our STIG baseline hardening playbooks include complete SSH hardening configured automatically.
→ Get STIG Baseline Hardening Playbooks – $199
Includes:
- Complete SSH hardening configuration
- All 10+ hardening controls automated
- Works on RHEL 8, 9, Rocky, AlmaLinux
- Full documentation
- Deploy in minutes, not hours For custom SSH policies or compliance verification, we offer consulting at $150-250/hour. Summary
SSH hardening is critical for server security. Manual configuration is slow and error-prone.
Automation advantages:
- Deploy hardening in 60 seconds per server
- Consistent across all infrastructure
- Easy to modify and scale
- Automatic verification
If you manage multiple RHEL servers, automate SSH hardening instead of doing it manually.
About The Author
