As a continuation of the previous response, there’s actually quite a bit more that can be done as far as SSH, such as tuning:
.. beyond disabling password authentication and enforcing SSH Keys.
Generally what I recommend is only enabling RSA and ED25519 Host Keys. By default, SSH will use all four keys – RSA, DSA, ED25519, and ECDSA. In sshd_config, you’ll see:
I’d recommend stripping away the DSA and ECDSA keys unless you know you’ll need them. With the lines removed, we’d only have two HostKey lines, like so:
Don’t restart SSH just yet.
You’d then want to regenerate the keys. In most cases, and I’m not 100% sure if this is the case with DigitalOcean (I’ve not asked), the same keys are used for every deployment since most cloud providers use the same image and don’t run a script to regenerate them. That means you could be using the same keys as another Droplet. Even if you’re not, I prefer to regenerate them on my own.
To regenerate, we can do something as simple as first removing the existing keys:
rm -v /etc/ssh/ssh_host_*
That’ll give you a verbose output and tell you what files were removed. We’re removing them all, and will regenerate them using:
ssh-keygen -q -N "" -C "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -q -N "" -C "" -o -a 20000 -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
In sshd_config, it’s generally a good idea to specify MACs, Ciphers, and Kex algos. They aren’t set by default, but we can set them by adding:
We can also completely disable password authentication using both:
You can restart SSH now using service ssh restart.
Beyond the above, I would recommend looking at Lynis – an auditing tool. Some things you won’t be able to modify with DigitalOcean – the same for many cloud providers. Others are recommendations, while some are what I would call requirements. It’s pretty detailed.
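As an added example, not part of the answer above, here is a small POSIX sh audit that checks an sshd_config against the points the answer makes: only RSA and Ed25519 HostKey lines, PasswordAuthentication and ChallengeResponseAuthentication set to no, and explicit Ciphers, MACs and KexAlgorithms lists. The function names (sshd_get, sshd_findings, sshd_finding_count, write_samples) are hypothetical, and the two sample config files it writes are constructed for the demo, not taken from any real server. It takes the config path as an argument, so it only reads /etc/ssh/sshd_config if you point it there.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the hardening points discussed above.
# Helper names are hypothetical; sample configs below are constructed.

# Effective value of a directive: sshd honours the first match, so do we.
sshd_get() {  # $1 = config file, $2 = directive name (case-insensitive)
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one line per finding; prints nothing when the file passes.
sshd_findings() {  # $1 = config file
  cfg="$1"

  # 1. Host keys: only RSA and Ed25519 HostKey lines should remain.
  awk 'tolower($1) == "hostkey" { print $2 }' "$cfg" | while read -r key; do
    case "$key" in
      *ssh_host_rsa_key|*ssh_host_ed25519_key) ;;
      *) echo "hostkey: unexpected host key $key (only rsa and ed25519 recommended)" ;;
    esac
  done
  for want in rsa ed25519; do
    if ! grep -qi "^[[:space:]]*HostKey.*ssh_host_${want}_key" "$cfg"; then
      echo "hostkey: no HostKey line for ssh_host_${want}_key"
    fi
  done

  # 2. Password logins: sshd's default for both directives is yes, so an
  #    unset directive is reported as a finding, not silently accepted.
  v=$(sshd_get "$cfg" PasswordAuthentication)
  [ "$v" = "no" ] || echo "auth: PasswordAuthentication is '${v:-unset}', want no"
  v=$(sshd_get "$cfg" ChallengeResponseAuthentication)
  [ "$v" = "no" ] || echo "auth: ChallengeResponseAuthentication is '${v:-unset}', want no"

  # 3. Algorithm lists: if absent, sshd falls back to its built-in defaults.
  for d in Ciphers MACs KexAlgorithms; do
    [ -n "$(sshd_get "$cfg" "$d")" ] || echo "algos: $d not set explicitly"
  done
}

# Number of findings; 0 means the file passes every check above.
sshd_finding_count() {  # $1 = config file
  sshd_findings "$1" | grep -c . || true
}

# Constructed sample configs for the demo (one weak, one hardened).
write_samples() {  # $1 = directory to write into
  cat > "$1/weak.conf" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PasswordAuthentication yes
EOF
  cat > "$1/hardened.conf" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PasswordAuthentication no
ChallengeResponseAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
EOF
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "== weak.conf: $(sshd_finding_count "$tmp/weak.conf") finding(s)"
sshd_findings "$tmp/weak.conf"
echo "== hardened.conf: $(sshd_finding_count "$tmp/hardened.conf") finding(s)"
rm -rf "$tmp"
```

To check a real server, run sshd_findings /etc/ssh/sshd_config before restarting SSH; an empty output means all of the above is in place. The audit only parses the file, so it does not replace sshd -T, which shows the values sshd actually resolved after includes and Match blocks.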