How to Secure SSH by Enforcing Protocol 2 in sshd_config: Best Practices for Debian 11.3



When examining a fresh Debian 11.3 installation with the OpenSSH server, you'll notice that the sshd_config file doesn't explicitly specify a protocol version. According to the official documentation, the default value is '2,1', meaning the server will accept connections using either the SSH-1 or the SSH-2 protocol.

# Default behavior (when Protocol is not specified)
# Server accepts both SSH-1 and SSH-2 connections

SSH Protocol 1 has several critical vulnerabilities:

  • Weak CRC-32 integrity check that enables insertion attacks
  • No proper host key protection
  • Susceptible to man-in-the-middle attacks
  • Deprecated since 2006 in OpenSSH

To secure your SSH server, you should explicitly configure it to only accept Protocol 2 connections. Edit your /etc/ssh/sshd_config file:

# Explicitly set Protocol to version 2 only
Protocol 2


After making changes, restart the SSH service:

sudo systemctl restart sshd

Check which protocols your server is actually accepting with this command:

ssh -v localhost 2>&1 | grep "Remote protocol version"

Or for remote testing:

nmap -sV --script ssh2-enum-algos -p 22 your-server-ip
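How to read the version those checks report, as an added example that is not part of the original article: per RFC 4253, a server that still accepts SSH-1 clients advertises protocol version 1.99, while 2.0 means SSH-2 only. The function names are hypothetical and the sample banner and debug lines are constructed.

```shell
#!/bin/sh
# Added example: decide from the advertised protocol version whether an SSH
# server is SSH-2 only. Per RFC 4253, "2.0" means SSH-2 only and "1.99" means
# the server also accepts SSH-1 clients; "1.x" is an SSH-1 only server.

classify_version() {
    case "$1" in
        2.0)      echo "ssh2-only" ;;
        1.99)     echo "ssh1-and-ssh2" ;;
        1.[0-9]*) echo "ssh1-only" ;;
        *)        echo "unknown" ;;
    esac
}

# Input: raw identification string, e.g. "SSH-2.0-OpenSSH_8.4p1 Debian-5".
classify_banner() {
    banner=$(printf '%s' "$1" | tr -d '\r')   # strip the CR sent on the wire
    case "$banner" in
        SSH-*-?*) ver=${banner#SSH-}; classify_version "${ver%%-*}" ;;
        *)        echo "unknown" ;;
    esac
}

# Input: the line selected by  ssh -v host 2>&1 | grep "Remote protocol version"
classify_debug_line() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/.*Remote protocol version \([0-9.]*\),.*/\1/p')
    classify_version "$ver"
}

# Exit status 0 only when the banner shows an SSH-2 only server.
is_ssh2_only() {
    [ "$(classify_banner "$1")" = "ssh2-only" ]
}

# Constructed sample inputs (not captured from a real host).
for sample in \
    'SSH-2.0-OpenSSH_8.4p1 Debian-5' \
    'SSH-1.99-OpenSSH_3.9p1' \
    'SSH-1.5-OpenSSH_3.9p1' \
    'HTTP/1.1 400 Bad Request'
do
    printf '%-34s %s\n' "$sample" "$(classify_banner "$sample")"
done
classify_debug_line \
    'debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5'
```

Anything other than ssh2-only from a server you administer means the Protocol setting did not take effect or a different daemon is answering on that port.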

While enforcing Protocol 2 is crucial, consider these additional measures:

# Disable root login
PermitRootLogin no

# Use key-based authentication
PasswordAuthentication no

# Restrict users
AllowUsers your_username

# Change default port
Port 2222

When examining a fresh Debian 11.3 installation, you'll notice the sshd_config file doesn't explicitly specify a protocol version. This might raise security concerns since SSH Protocol 1 is known to have vulnerabilities.

According to the official documentation:

# Default is '2,1' but modern distributions typically override this
Protocol 2,1

While the man page suggests the default includes Protocol 1, most modern Linux distributions (including Debian 11) actually ship with a modified default that only enables Protocol 2. You can verify this by checking:

# sshd -T must run as root so it can read the host keys
sudo sshd -T | grep -i "protocol"

Even though your distribution might have secure defaults, explicitly setting Protocol 2 provides several benefits:

  • Eliminates any ambiguity about protocol support
  • Prevents accidental Protocol 1 activation if defaults change
  • Makes your configuration self-documenting
  • Follows security best practices (defense in depth)

To ensure maximum security, add this line to your /etc/ssh/sshd_config:

# Only allow modern Protocol 2
Protocol 2

After making changes, remember to restart the SSH service:

sudo systemctl restart ssh

You can test your configuration using these methods:

# Check running configuration
sudo sshd -T | grep protocol

# Test connection with specific protocol version (requires OpenSSH client)
ssh -1 user@host  # Should fail
ssh -2 user@host  # Should succeed

While configuring Protocol 2, consider these additional security measures:

# Disable root login
PermitRootLogin no

# Use key-based authentication
PasswordAuthentication no

# Limit users who can SSH in
AllowUsers yourusername