CME-901

SSH Hardening (Comprehensive)

Description

Comprehensive SSH hardening: disable root login, enforce Protocol 2, restrict ciphers to AEAD modes (chacha20/aes-gcm), disable X11 and agent forwarding, and set MaxAuthTries and LoginGraceTime.

CVSS Vector Impacts

Metric | Transition | Rationale
Privileges Required (PR) | N → H | Root login disabled; strong auth required
Attack Complexity (AC) | L → H | Weak ciphers unavailable; forwarding attacks blocked

CWE Relationships

Verification

Audit sshd configuration

$ sshd -T | grep -E 'permitrootlogin|maxauthtries|x11forwarding'
# Expected: permitrootlogin no
Platform: linux
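
The command above inspects three directives and states an expected value for one. The shell function below is an added example, not part of CME-901 itself: it audits `sshd -T` output for every setting in the description except Protocol. The name audit_sshd, the thresholds MAX_TRIES and MAX_GRACE, and the two sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `sshd -T` output (stdin) against this entry's settings.
# MAX_TRIES and MAX_GRACE are assumed thresholds; the entry gives no values.
MAX_TRIES=4
MAX_GRACE=60
REQUIRED="permitrootlogin x11forwarding allowagentforwarding maxauthtries logingracetime ciphers"

audit_sshd() {
    awk -v max_tries="$MAX_TRIES" -v max_grace="$MAX_GRACE" -v required="$REQUIRED" '
    function fail(msg) { print "FAIL: " msg; bad++ }
    { key = tolower($1); seen[key] = 1 }
    key == "permitrootlogin"      && $2 != "no" { fail(key " " $2) }
    key == "x11forwarding"        && $2 != "no" { fail(key " " $2) }
    key == "allowagentforwarding" && $2 != "no" { fail(key " " $2) }
    key == "maxauthtries" && $2 + 0 > max_tries { fail(key " " $2) }
    # A grace time of 0 means no limit, so it fails as well.
    key == "logingracetime" && ($2 + 0 == 0 || $2 + 0 > max_grace) { fail(key " " $2) }
    key == "ciphers" {
        n = split($2, c, ",")
        for (i = 1; i <= n; i++)
            if (c[i] !~ /^(chacha20-poly1305|aes(128|256)-gcm)@openssh\.com$/)
                fail("non-AEAD cipher " c[i])
    }
    END {
        n = split(required, req, " ")
        for (i = 1; i <= n; i++)
            if (!(req[i] in seen)) fail("missing " req[i])
        if (!bad) print "PASS"
        exit (bad ? 1 : 0)
    }'
}

# Constructed sshd -T excerpts (not captured from a real host).
sample_weak() {
    printf '%s\n' 'permitrootlogin yes' 'x11forwarding yes' \
        'allowagentforwarding no' 'maxauthtries 6' 'logingracetime 120' \
        'ciphers chacha20-poly1305@openssh.com,aes128-ctr'
}
sample_hardened() {
    printf '%s\n' 'permitrootlogin no' 'x11forwarding no' \
        'allowagentforwarding no' 'maxauthtries 3' 'logingracetime 30' \
        'ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com'
}

# Demo on the constructed weak sample; on a real host run: sshd -T | audit_sshd
sample_weak | audit_sshd || true
```

A directive absent from the input is reported as missing, so a partial or filtered dump cannot pass.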

References
