---
title: "SSH — Hardening & Configuration sécurisée"
domain: sysadmin
subdomain: linux
type: checklist
tags: [ssh, hardening, linux, sysadmin, securite]
difficulty: beginner
status: stable
updated: "Sat May 10 2025 00:00:00 GMT+0000 (Coordinated Universal Time)"
---
## Configuration /etc/ssh/sshd_config

```bash
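# Backup before editing. -p keeps mode/owner/timestamps so the copy can be put back as-is;
# note that an existing sshd_config.bak from an earlier pass is overwritten.
sudo cp -p -- /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

# Edit the config (keep your current SSH session open until the new one has been tested)
sudo nano /etc/ssh/sshd_config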
```

```bash
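# ============================================
# /etc/ssh/sshd_config — hardened configuration
# ============================================
# sshd keeps the FIRST value it reads for each keyword. When this file starts with
# "Include /etc/ssh/sshd_config.d/*.conf" (typical on Debian/Ubuntu), a drop-in such as
# a cloud-init file may already set PasswordAuthentication yes and win over the lines
# below — confirm the effective values with `sshd -T` after editing.

# Non-standard port (change the value; it must match the firewall, fail2ban and ssh -p)
Port 2222

# No direct root login
PermitRootLogin no

# Key-based authentication only.
# KbdInteractiveAuthentication is the current name of ChallengeResponseAuthentication
# (renamed in OpenSSH 8.7, the old name is kept as an alias); both are set so that PAM
# cannot offer a password prompt on either old or new versions.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
# PAM still runs account/session checks; password prompts are blocked by the lines above
UsePAM yes

# Protocol and crypto (Protocol is obsolete since SSHv1 support was removed in OpenSSH 7.4;
# newer versions only log a "deprecated option" notice for it)
Protocol 2
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Connection limits
MaxAuthTries 3
MaxSessions 5
LoginGraceTime 30
# An unresponsive session is dropped after ClientAliveInterval x ClientAliveCountMax seconds
ClientAliveInterval 300
ClientAliveCountMax 2

# Restrict users/groups — the account you log in with MUST be listed here, or you lock yourself out
AllowUsers {{USER}}
# AllowGroups sshusers

# Disable unneeded features
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
PermitEmptyPasswords no

# Banner (create the file, e.g. a legal notice; the directive only points to it)
Banner /etc/ssh/banner.txt

# Logging (VERBOSE records the fingerprint of every key offered — useful for audit and fail2ban)
LogLevel VERBOSE
SyslogFacility AUTH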
```

## Génération de clés SSH

```bash vars=SERVER_IP,USER
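# Generate an Ed25519 key pair (recommended); -a raises the KDF rounds protecting the private key at rest
ssh-keygen -t ed25519 -a 100 -C "{{USER}}@{{SERVER_IP}}" -f ~/.ssh/id_ed25519

# Check the server host-key fingerprint BEFORE the first connection and compare it with a value
# obtained out of band (console, provider metadata). ssh-keyscan only reports what the network
# returned, so on its own it does not prove you are talking to the right host.
ssh-keyscan -p 2222 {{SERVER_IP}} | ssh-keygen -lf -

# Copy the key to the server. This must happen while password authentication is still allowed
# (before PasswordAuthentication no is active), and -p must match the port sshd currently uses.
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 {{USER}}@{{SERVER_IP}}

# Connection test — forcing PasswordAuthentication=no proves the key is what lets you in
ssh -i ~/.ssh/id_ed25519 -p 2222 -o PasswordAuthentication=no {{USER}}@{{SERVER_IP}}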
```

## Appliquer et tester

```bash
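# Check the config BEFORE reloading — reloading a broken config locks you out
sudo sshd -t

# Dump the effective configuration: it includes Include'd drop-ins (e.g. /etc/ssh/sshd_config.d/*.conf),
# whose values take precedence over later lines, so confirm the hardened values actually won
sudo sshd -T | grep -iE '^(port|permitrootlogin|passwordauthentication|kbdinteractiveauthentication) '

# Reload without dropping active sessions (unit is named "ssh" on Debian/Ubuntu; "sshd" works where the alias exists)
sudo systemctl reload sshd

# Check the status and that sshd really listens on the new port
sudo systemctl status sshd
sudo ss -tlnp '( sport = :2222 )'
# NOTE: on socket-activated installs (Ubuntu from 22.10 uses ssh.socket by default) the Port directive
# is not honoured by a reload; the listening port must be changed in the socket unit — the ss check above catches this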
```

## Fail2ban — Protection brute force

```bash
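# Install fail2ban
sudo apt install -y fail2ban

# Write /etc/fail2ban/jail.local (jail.conf is replaced on package upgrade; jail.local is not)
sudo tee /etc/fail2ban/jail.local >/dev/null << 'EOF'
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5
backend  = systemd
# Never ban loopback; add your own admin IP/range so a mistake in the key setup cannot lock you out
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled  = true
# Must match the Port directive in sshd_config
port     = 2222
# Used by the file-based backends; with backend = systemd the jail reads the journal
logpath  = %(sshd_log)s
maxretry = 3
bantime  = 86400
EOF

sudo systemctl enable --now fail2ban
# Confirm the jail is running and list current bans
sudo fail2ban-client status sshd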
```

<Checklist
  title="Checklist SSH Hardening"
  storageKey="ssh-hardening"
  items={[
    { id: "backup", label: "Backup sshd_config avant modification" },
    { id: "port", label: "Changer le port SSH (défaut: 22)" },
    { id: "root", label: "PermitRootLogin no", critical: true },
    { id: "password", label: "PasswordAuthentication no (clés uniquement)", critical: true },
    { id: "keys", label: "Clés Ed25519 générées et déployées" },
    { id: "test-before", label: "sshd -t pour vérifier avant reload" },
    { id: "session-open", label: "Garder une session SSH active pendant les tests" },
    { id: "reload", label: "systemctl reload sshd" },
    { id: "fail2ban", label: "Fail2ban installé et configuré" },
    { id: "firewall", label: "Firewall mis à jour pour le nouveau port" },
    { id: "test-co", label: "Test connexion depuis autre terminal" }
  ]}
/>
