Configure SSH for Enhanced Security
Ensure the SSH service is secure by limiting access, disabling root login, and enforcing strict authentication measures.
Plain language
Securing SSH (Secure Shell) is important because it is like a secret entrance into your computer systems. If it's left open or not properly guarded, someone could sneak in and cause harm, such as stealing sensitive information or damaging your systems.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
The SSH daemon is configured to:
- only listen on the required interfaces (ListenAddress xxx.xxx.xxx.xxx)
- have a suitable login banner (Banner x)
- have a login authentication timeout of no more than 60 seconds (LoginGraceTime 60)
- disable host-based authentication (HostbasedAuthentication no)
- disable rhosts-based authentication (IgnoreRhosts yes)
- disable the ability to login directly as root (PermitRootLogin no)
- disable empty passwords (PermitEmptyPasswords no)
- disable connection forwarding (AllowTCPForwarding no)
- disable gateway ports (GatewayPorts no)
- disable X11 forwarding (X11Forwarding no).
Why it matters
If sshd is not hardened (e.g., root login, forwarding or X11 enabled), attackers can gain unauthorised access, pivot internally and exfiltrate data.
Operational notes
Periodically review sshd_config and validate: ListenAddress set, Banner configured, LoginGraceTime <= 60, and root, empty passwords, forwarding and X11 are disabled.
Implementation tips
- The IT team should make sure that SSH only listens on the necessary network addresses. They can do this by specifying the required server address in the SSH configuration file, which limits the interfaces on which the daemon accepts connections.
- IT administrators should create a clear and informative login banner. This can be done by adding a welcoming message in the SSH settings that reminds users about security responsibilities, making sure it displays before login attempts.
- System administrators should set a time limit for login attempts to prevent long-standing open connections. They can achieve this by configuring a timeout of no more than 60 seconds in the SSH settings, encouraging quick and secure logins.
- The IT team needs to disable direct root login to enhance security. This involves changing the SSH configuration to prevent users from logging in as the root user directly, encouraging individual user accountability.
- IT administrators should turn off unnecessary features like host-based authentication and empty password logins. This can be done in the SSH settings by setting the relevant options to 'no', thereby reducing the risk of unauthorised access.
Audit / evidence tips
- Ask: the current SSH configuration file. Good: shows specific IP addresses rather than allowing all connections.
- Good: includes a clear message shown before login that discourages unauthorised use.
- Ask: evidence of the login timeout setting. Look in the configuration file for 'LoginGraceTime' set to 60 seconds or less. Good: confirms that long, unattended login attempts are prevented.
- Good: means root cannot be directly accessed, reducing critical access risks.
- Ask: proof that unnecessary authentication methods are disabled. Check for 'HostbasedAuthentication' and 'PermitEmptyPasswords' both set to 'no' in the settings. Good: reduces security vulnerabilities by showing these features are off.
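To carry out the periodic review in the operational notes and collect the evidence the audit tips ask for, here is an added shell script; it is not Control Stack's or OpenSSH's own tooling. It assumes a flat sshd_config with no Match blocks, the documented sshd defaults for absent keywords, and a constructed weak sample file in place of a real host's /etc/ssh/sshd_config.

```shell
# Added example (not Control Stack's or OpenSSH's own tooling): audit an
# sshd_config against the ISM-0484 directives, resolving each keyword the way
# sshd does (last occurrence wins, documented default when absent). Assumes a
# flat file with no Match blocks; on a live host compare with `sshd -T`.

# effective_value FILE KEYWORD DEFAULT -> last uncommented value, else DEFAULT
effective_value() {
  v=$(awk -v k="$2" 'tolower($1)==tolower(k){val=$2} END{print val}' "$1")
  printf '%s\n' "${v:-$3}"
}
# check_sshd_config FILE -> one "FAIL ..." line per deviation; returns 1 if any
check_sshd_config() {
  f=$1; fails=0
  # ListenAddress and Banner must be present; the control fixes no value
  for kw in ListenAddress Banner; do
    [ -n "$(effective_value "$f" "$kw" "")" ] ||
      { echo "FAIL $kw: not set"; fails=$((fails + 1)); }
  done
  # keyword:expected:default (defaults as documented in sshd_config(5))
  for rule in LoginGraceTime:1-60s:120 HostbasedAuthentication:no:no \
      IgnoreRhosts:yes:yes PermitRootLogin:no:prohibit-password \
      PermitEmptyPasswords:no:no AllowTcpForwarding:no:yes \
      GatewayPorts:no:no X11Forwarding:no:no; do
    kw=${rule%%:*}; rest=${rule#*:}; want=${rest%%:*}; def=${rest#*:}
    have=$(effective_value "$f" "$kw" "$def")
    if [ "$kw" = LoginGraceTime ]; then
      # accept "60", "60s" or "1m"; 0 disables the timeout, so it fails too
      n=${have%[sm]}; secs=999
      case $n in *[!0-9]*|'') ;; *) secs=$n; [ "${have%m}" = "$have" ] || secs=$((n * 60));; esac
      { [ "$secs" -gt 0 ] && [ "$secs" -le 60 ]; } && ok=1 || ok=0
    else
      [ "$have" = "$want" ] && ok=1 || ok=0
    fi
    [ "$ok" -eq 1 ] || { echo "FAIL $kw: $have (want $want)"; fails=$((fails + 1)); }
  done
  [ "$fails" -eq 0 ]
}
# Constructed sample of a weak configuration, for demonstration only
write_weak_sample() {
  cat > "$1" <<'EOF'
ListenAddress 192.0.2.10
PermitRootLogin yes
LoginGraceTime 2m
X11Forwarding yes
#Banner /etc/issue.net
EOF
}
t=$(mktemp); write_weak_sample "$t"
check_sshd_config "$t" || echo "sshd_config does not meet ISM-0484"; rm -f "$t"
```

Note that the sample fails AllowTcpForwarding even though the file never mentions it: sshd's default for that keyword is yes, so an audit that only greps for explicit settings misses it.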
Cross-framework mappings
How ISM-0484 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.5 | ISM-0484 outlines SSH daemon settings to secure authentication and remote sessions, specifying measures like LoginGraceTime and disabling... |
| Partially meets | Annex A 8.9 | ISM-0484 requires specific secure configuration settings for the SSH daemon, such as interface binding and authentication timeouts |
| Supports | Annex A 5.15 | ISM-0484 ensures secure remote access behaviour for SSH by disabling insecure options like direct root login and empty passwords |
| Related | Annex A 8.20 | Annex A 8.20 requires network devices and the services used to manage them to be secured to prevent unauthorised access and protect infor... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.