SSH (Secure Shell) has become the standard for securely accessing Linux systems remotely over unsecured networks. It creates an encrypted tunnel between devices that ensures all data transfer and communication is protected in transit.

Hardening and properly configuring your SSH daemon is critical for any internet-facing server, especially security-focused distributions like Kali Linux which often handle sensitive tools and data.

This comprehensive 2600+ word guide will cover everything you need to know to enable and secure SSH in Kali for resilient remote administrative access even in untrusted environments.

How SSH Encryption Works

Before jumping into configuration, it helps to understand exactly how SSH establishes secure connections under the hood.

SSH utilizes both asymmetric and symmetric encryption to verify devices and encrypt sessions. When a client first connects to a server, an asymmetric handshake with public key cryptography is used:

  1. The client obtains the server‘s public key and uses it to encrypt a single-use session key
  2. This key is transmitted to the server which decrypts it with its private key to obtain the unencrypted session key
  3. Further communications then utilize a fast symmetric cipher like AES-256 for encryption and decryption using this shared session key

This hybrid approach delivers considerable performance advantages. Symmetric ciphers are optimized for speed with encryption and decryption using the same key. The asymmetric handshake handles secure key exchange to facilitate the faster symmetric encryption channel.

By default, SSH utilizes RSA with a minimum 2048 bit key size for the asymmetric component. AES-256 or AES-128 is preferred for the faster symmetric cipher though 3DES and Blowfish are also optional.

Understanding Difference Between OpenSSH and OpenSSL

When securing SSH, you will encounter two common tools – OpenSSH and OpenSSL:

OpenSSH – Default implementation of the SSH protocol on most Linux distributions. Contains the sshd daemon, ssh client application, and associated utilities. Focused only on SSH without extras.

OpenSSL – General cryptographic library that can be used to implement SSH along with many other protocols. Supports extensive cryptographic capabilities beyond SSH. Used heavily by web servers and applications.

OpenSSH is tuned for SSH performance while OpenSSL is more universally supported. OpenSSL has suffered from more security issues historically while OpenSSH has a better track record.

Most Linux distributions today utilize OpenSSH installed from a common codebase. But awareness of the distinction helps understand documentation references and security release notes.

Now let‘s get SSH enabled and properly secured on your Kali system.

Step 1 – Install OpenSSH Server

As outlined in the initial example, first verify if OpenSSH is already installed and if not, add it:

# dpkg -s openssh-server   

# apt update && apt install openssh-server

Enable on boot and start the sshd service:

# systemctl enable ssh
# systemctl start ssh

Check status with systemctl status ssh to confirm the daemon is running before proceeding.

Step 2 – Configure Firewall Rules for SSH

With the base server installed, ensure SSH traffic is allowed if using a local firewall like ufw or iptables.

Common approaches include:

UFW:

# ufw allow OpenSSH
# ufw enable

IPTABLES: 

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Adjust other firewalls like nftables to permit inbound SSH connections as necessary depending on your environment.

Step 3 – Disable Root SSH Logins

As highlighted earlier, permitting direct SSH access to root is dangerous. Prevent this using: 

# vi /etc/ssh/sshd_config

PermitRootLogin no

Ensure valid unprivileged accounts exist like ‘kali‘ for remote access instead of root.

Step 4 – Set Up SSH Public Key Authentication

Expand on the public key authentication model covered previously using RSA or Ed25519 for the key pair:

# adduser kali  

$ ssh-keygen -t rsa -b 4096 -C "kali"

Securely copy the public key to the server and modify sshd to only permit key-based logins for this user.

While less convenient than passwords, public key authentication provides significantly improved security against brute force attacks.

Step 5 – Configure Additional Hardening Settings

Beyond the basics, consider implementing these additional hardening configurations by editing /etc/ssh/sshd_config:

  1. Specify secure ciphers and MACs in order of preference:

    Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

  2. Restrict SSH protocols to only most secure versions:

    Protocol 2

  3. Limit max concurrent connections from single IP:

    MaxStartups 10

  4. Use Linux capabilities rather than sudo for privilege separation:

    UsePrivilegeSeparation sandbox

These represent a small sample of additional defenses possible. Tools like ssh-audit mentioned shortly can help harden configs.

Step 6 – Change the SSH Port

Alter the listening port for sshd to an unconventional alternative like 22222:

# vi /etc/ssh/sshd_config

Port 22222

Clients then connect specifying the non-standard port:

$ ssh -p 22222 kali@kali-ip

While this only marginally improves security, it can help limit bots that primarily target port 22.

Automating SSH Hardening with Bash

Many of these steps can be scripted for efficiency using Bash. For example:

#!/bin/bash

# Generate SSH public/private keypair for user
ssh-keygen -q -t rsa -b 4096 -N ‘‘ -f ~/.ssh/id_rsa

# Append public key to Kali authorized_keys
ssh-copy-id -i ~/.ssh/id_rsa.pub kali@kali-server

# Get sshd_config template  
curl -o sshd_config https://raw.githubusercontent.com/sysadmin-templates/templates/main/sshd_config

# Load template 
sudo mv sshd_config /etc/ssh/sshd_config

# Disable root login, enable public key auth
sed -i ‘s/#PermitRootLogin yes/PermitRootLogin no/‘ /etc/ssh/sshd_config  
sed -i ‘s/#PubkeyAuthentication yes/PubkeyAuthentication yes/‘ /etc/ssh/sshd_config

# Restart SSH daemon to apply changes  
sudo systemctl restart sshd

This script generates keys, sets up public key copy, grabs a hardened sshd template, customizes it, and restarts the service in one batch operation.

Automation assists considerably in securely deploying SSH across multiple systems.

Leverage ssh-audit for Simplified Hardening

Manually hardening SSH configs can be tedious. The ssh-audit tool by Mozilla automatically analyzes settings and provides hardening recommendations:

# apt install ssh-audit

$ ssh-audit kali:22222

Run this both before and after modifications to determine improvements and catch any remaining issues.

Ssh-audit analyzes ciphers, key exchange methods, host keys, and configurations for optimal security best practices tailored to your version. Leverage its audits to simplify hardening.

Isolate Exploited Accounts via Chroot

If an SSH user account is somehow compromised in the future, considerable damage can still be limited by establishing chroot isolation: 

Match User kali 
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no

Here the ‘kali‘ account is restricted to its home directory, SFTP only, and has port forwarding disabled.

Use chroots to protect exploited accounts from becoming malicious footholds.

Implement SSH Intrusion Detection (IDS)

Combining preventative configurations with secondary intrusion detection systems enhances protection.

Fail2ban covered initially automatically bans IPs after excessive invalid SSH login attempts.

For more advanced analysis, tools like SSHGuard monitor unusual spike patterns that may indicate concentrated attacks against user credentials. Integrate with your existing IDS suite.

Proactive hardening combined with reactive monitoring delivers a robust SSH security posture capable of defending against a range of real-world attacks.

Compare SSH to Other Protocols

While SSH is the clear choice for securely managing Linux systems remotely today, other protocols exist with different capabilities:

Telnet – One of the original network terminal protocols predating SSH. Transmits all data including credentials in plaintext allowing easy interception. Never use this protocol to manage production servers.

Stunnel – Utility that can wrap insecure connections inside an encrypted SSL/TLS tunnel similar to SSH. Adds encryption capability to legacy apps. Significant runtime overhead however.

SFTP – Secure FTP variant that uses SSH for data transfer protection. More limited in scope but useful for isolated file operations.

The encrypted shell and remote access capabilities integrated into SSH itself keep it the ideal choice for administration, even compared to these alternatives with overlapping functionality.

Troubleshooting Issues

When modifying SSH configurations, it is possible to accidentally lock yourself out of the server:

  • If this occurs, try restoring previous configs from a Attached Storage device or KVM console
  • Check sshd logs at /var/log/auth.log for troubleshooting clues
  • Find and remove offending public keys causing access issues
  • Utilize a IPMI BMC to forcefully reset server power state

For account lockouts, passwords can be reset manually by administrators via:

$ passwd kali

Restore lost SSH keys from backups as needed. Revert binding changes to release ports and reestablish remote access with working credentials.

Care should be taken when experimenting with configuration to ensure you retain administrative access. Keep secure off-system backups of critical components like SSH keys in case recovery becomes necessary.

Conclusion

You now have a comprehensive blueprint for enabling and hardening SSH in Kali Linux for resilient encrypted remote access.

Core takeaways include:

  • Utilize public key authentication rather than simple passwords
  • Restrict which accounts can login, especially prohibiting root
  • Harden ciphers, protocols, and configurations using sshd_config
  • Enforce secondary protections like port changes and intrusion detection
  • Compartmentalize damage if credentials are compromised via chroots

Proceeding through these hardening steps methodically helps minimize your potential attack surface by removing unnecessary capability, limiting information leakage, accelerating key rotations, and containing breaches.

Monitor systems for signs of compromise even once hardened. Apply security patches promptly and refresh keys periodically.

Robustly securing SSH establishes a critical foundation for the sensitive tools Kali systems frequently provide access to. Implement these detailed measures to lock down remote administrative shell and transfer channels against modern threats.

Related posts:

  1. The Pen Tester‘s Guide: Hardening Your Privacy and Security with OpenVPN on Kali Linux
  2. A Complete Guide: How to Turn Off the Firewall in Kali Linux
  3. How to Connect to Wi-Fi on Kali Linux: An Expert‘s Complete 2800+ Word Guide
  4. Installing Nessus on Kali Linux for Robust Vulnerability Management
  5. Kali Linux vs Ubuntu: A Comprehensive 2600+ Word Guide
  6. Mastering Kali Linux Persistence for Portable Pen Testing
  7. Comprehensive Guide: Updating Kali Linux for Security & Stability
  8. Comprehensive Guide: Changing Kali Linux Passwords for Air-Tight System Security

Similar Posts