Richard Chamberlain

SSH Hardening Made Easy with OpenSCAP

Why is SSH Important?

SSH is a critical technology, with over 80% of Linux servers relying on it for secure remote access. Without SSH, managing remote servers or virtual machines would be significantly more challenging. A secure connection is fundamental for administering systems safely, which makes securing your SSH setup a high priority. But how do you go about doing that effectively?

Table of Contents

  1. Why is SSH Important?
  2. Introducing OpenSCAP
  3. Installing and Running OpenSCAP
  4. Using the Report
  5. The Power of OpenSCAP
  6. Beyond Automation: Understanding Why
  7. Conclusion

Introducing OpenSCAP

In my quest to secure SSH, I’ve explored numerous resources, from YouTube tutorials to online articles listing the “top 10 steps” for SSH hardening. However, while researching security tools, I discovered OpenSCAP—a powerful solution that stands out not only as an auditing and remediation tool but also as a learning resource. OpenSCAP doesn’t just automate fixes; it helps you understand the how and why behind the recommendations. Although OpenSCAP's capabilities extend well beyond SSH security, that’s the focus of this article. Let’s dive into how it works.

Installing and Running OpenSCAP

One of the great things about OpenSCAP is how easy it is to install, especially on Red Hat Enterprise Linux (RHEL) or Oracle Linux, as it’s included in their repositories. You can install it with a simple command:

sudo dnf -y install openscap openscap-scanner scap-security-guide

OpenSCAP offers several security profiles to evaluate your system. I chose the pci-dss profile, an industry standard for e-commerce platforms, to assess and harden SSH on my server. Running OpenSCAP with this profile is straightforward:

For RHEL:

sudo oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \
    --report pci-dss-report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

For Oracle Linux 9:

sudo oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \
    --report pci-dss-report.html \
    /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml

The tool generates various report formats, but I find the HTML report (--report pci-dss-report.html) particularly user-friendly for analysis.

Using the Report

After generating the report, transfer it to your local machine and open it in a web browser. The first section of the report, "Compliance and Scoring," provides a summary of your system's compliance status. For example, a basic Oracle Linux 9 installation will show baseline results that highlight potential vulnerabilities.
[Image: Report Breakdown]

Scrolling further down, you’ll find a detailed section dedicated to SSH security recommendations. Each item outlines specific concerns, such as disabling root login via SSH. This level of insight empowers you to identify the issues and plan your next steps for remediation.
[Image: SSH Suggestion]

The Power of OpenSCAP

OpenSCAP goes beyond pointing out issues—it provides solutions. The tool can generate a remediation script tailored to your selected profile. Here’s how you can create one:

sudo oscap xccdf \
    generate fix \
    --profile xccdf_org.ssgproject.content_profile_pci-dss \
    /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml > remediation-script.sh

This command writes the remediation script to remediation-script.sh. The script is comprehensive, so I recommend reviewing it carefully before executing it to ensure it doesn't conflict with your server's existing configuration or policies.
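As an added example (my own shell wrapper, not code from the article or from the OpenSCAP project), the following ties the steps above together: it runs the same pci-dss evaluation while also keeping the machine-readable XCCDF results file, lists the rules that failed, generates a remediation script from those results only (the generate fix command shown above emits fixes for every rule in the profile, whether or not the host currently fails it), and finally reads the effective sshd configuration so you can confirm a change such as PermitRootLogin actually took effect. The function names run_scan, failed_rules, result_id, generate_fix_from_results and sshd_setting are mine; the data-stream path and profile id are the ones used in the article, and the exit codes and results-file layout are as documented for oscap.

```shell
#!/usr/bin/env bash
# Added example, not part of the article: wrapper around the oscap commands
# shown above. Override DS_FILE for RHEL, e.g. ssg-rhel9-ds.xml.
DS_FILE="${DS_FILE:-/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml}"
PROFILE="xccdf_org.ssgproject.content_profile_pci-dss"

# Evaluate the profile, writing the HTML report and the XCCDF results file.
# oscap exits 0 when every selected rule passed, 2 when at least one rule
# failed and 1 on an error, so only exit code 1 is treated as a failed scan.
# Usage: run_scan results.xml pci-dss-report.html
run_scan() {
  results="$1"; report="$2"
  if sudo oscap xccdf eval --profile "$PROFILE" \
        --results "$results" --report "$report" "$DS_FILE"; then
    rc=0
  else
    rc=$?
  fi
  case "$rc" in
    0) echo "scan finished: all selected rules passed" ;;
    2) echo "scan finished: at least one rule failed, see $report" ;;
    *) echo "oscap returned exit code $rc" >&2; return 1 ;;
  esac
}

# Print the ids of rules whose result is "fail". Each rule is recorded as
#   <rule-result idref="xccdf_org.ssgproject.content_rule_..." ...>
#     <result>fail</result>
# so the file is flattened onto one line and the failing elements picked out.
failed_rules() {
  tr -d '\n' < "$1" \
    | grep -o '<rule-result [^>]*>[^<]*<result>fail</result>' \
    | sed -n 's/.*idref="\([^"]*\)".*/\1/p'
}

# The id of the <TestResult> element, which generate fix needs when it is
# given a results file instead of the data stream.
result_id() {
  tr -d '\n' < "$1" \
    | sed -n 's/.*<TestResult[^>]* id="\([^"]*\)".*/\1/p'
}

# Build a bash remediation script covering only the rules that failed in
# this scan. Review the output before running it, as the article advises.
# Usage: generate_fix_from_results results.xml remediation-failed-only.sh
generate_fix_from_results() {
  results="$1"; out="$2"
  sudo oscap xccdf generate fix --fix-type bash \
      --result-id "$(result_id "$results")" --output "$out" "$results"
}

# Print the effective value of one sshd directive from `sshd -T` output.
# sshd -T prints the merged configuration (Include files and Match blocks
# resolved) with lower-case keys, so it reflects what sshd actually enforces
# rather than what one file says. Usage: sudo sshd -T | sshd_setting permitrootlogin
sshd_setting() {
  awk -v key="$1" '$1 == key { print $2 }'
}
```

Typical sequence: `run_scan results.xml pci-dss-report.html`, then `failed_rules results.xml` to see what needs attention, `generate_fix_from_results results.xml fix.sh` to get a script scoped to those findings, and after applying it, `sudo sshd -T | sshd_setting permitrootlogin` to confirm the effective value is `no` before re-running the scan.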

One of my favorite features of OpenSCAP is its integrated documentation. The generated reports include links to detailed guidance for each issue. For instance, clicking on "Disable SSH Root Login" opens a resource explaining not only what to change but why. This fosters a deeper understanding, which is invaluable when implementing security policies.
[Image: Remediation and Why]

Beyond Automation: Understanding Why

While it’s tempting to rely entirely on automated tools, securing a server requires a thoughtful approach. Overly restrictive policies can disrupt critical applications or workflows. OpenSCAP’s detailed reports allow you to not only fix vulnerabilities but also understand their implications.

This understanding is particularly valuable when:

  • Discussing changes with business stakeholders to justify security improvements.
  • Expanding your technical knowledge to address similar concerns across different technologies.
  • Demonstrating your expertise during job interviews or professional discussions.

Ultimately, saying "I saw this on a YouTube video" doesn’t carry the same weight as a well-informed explanation backed by industry standards and a clear understanding of security principles.

Conclusion

OpenSCAP has become one of my go-to tools for SSH hardening and general security auditing. Its combination of automation, insight, and educational value makes it a standout resource. Whether you’re managing enterprise systems or tinkering with Linux as a hobby, OpenSCAP provides a structured way to enhance your security practices while deepening your technical knowledge.

What other tools have you used that combine functionality with learning opportunities? Share your recommendations—I’d love to explore them!

Disclaimer: I wasn’t contacted or sponsored by OpenSCAP to write this article. It’s simply a tool I find immensely useful and believe others will too.
