From 0e6b8eb8107b9e5f993b7e94df848d3ad28a2de2 Mon Sep 17 00:00:00 2001
From: Lorenzo Tucci
Date: Mon, 28 Feb 2022 20:41:57 +0100
Subject: [PATCH] change sshd_config
---
 ssh/etc/ssh/sshd_config | 73 +++++++++++++++++++++++++++--------------
 1 file changed, 49 insertions(+), 24 deletions(-)
diff --git a/ssh/etc/ssh/sshd_config b/ssh/etc/ssh/sshd_config
index 842db0f..accd785 100644
--- a/ssh/etc/ssh/sshd_config
+++ b/ssh/etc/ssh/sshd_config
@@ -1,27 +1,52 @@
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ecdsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
+Protocol 2 # Protocol 1 is fundamentally broken
+StrictModes yes # Protects from misconfiguration
-SyslogFacility AUTHPRIV
+#ListenAddress [ip-here] # Listening address
+Port 22 # Listening port. Normal 22
-AllowGroups sshlogin
-
-PermitRootLogin WITHOUT-PASSWORD
-PubkeyAuthentication yes
+AuthenticationMethods publickey # Only public key authentication allowed
 AuthorizedKeysFile .ssh/authorized_keys
-IgnoreRhosts yes
-MaxSessions 4
-MaxAuthTries 4
-ClientAliveCountMax 2
-LogLevel VERBOSE
-PasswordAuthentication no
-ChallengeResponseAuthentication no
-GSSAPIAuthentication no
-UsePAM yes
-PrintMotd no
-X11Forwarding no
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-AcceptEnv XMODIFIERS
-Subsystem sftp /usr/lib/openssh/sftp-server
+PubkeyAuthentication yes # Allow public key authentication
+HostKey /etc/ssh/ssh_host_ed25519_key # Only allow ECDSA pubic key authentication
+HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 # Host keys the client should accepts
+KexAlgorithms curve25519-sha256 # Specifies the available KEX (Key Exchange) algorithms
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com # Specifies the ciphers allowed
+MACs hmac-sha2-512-etm@openssh.com # Specifies the available MAC alg.
+
+#Only allow incoming ECDSA and ed25519 sessions:
+HostbasedAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
+PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,ssh-ed25519
+#CASignatureAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
+
+PermitRootLogin WITHOUT-PASSWORD # Enable/disable root login
+#AllowUsers [username] # Authorized SSH users are inside the admin group
+MaxAuthTries 5 # Maximum allowed authentication attempts
+MaxSessions 2 # Maximum allowed sessions by the user
+
+PasswordAuthentication no # No username password authentication
+PermitEmptyPasswords no # No empty password authentcation allowed
+IgnoreRhosts yes # Dont read users rhost files
+HostbasedAuthentication no # Disable host-based authentication
+ChallengeResponseAuthentication no # Unused authentication scheme
+X11Forwarding no # Disable X11 forwarding
+
+LogLevel VERBOSE # Fingerprint details of failed login attempts
+SyslogFacility AUTH # Logging authentication and authorization related commands
+UseDNS no # Client from a location without proper DNS generate a warning in the logs
+
+PermitTunnel no # Only SSH connection and nothing else
+AllowTcpForwarding no # Disablow tunneling out via SSH
+AllowStreamLocalForwarding no # Disablow tunneling out via SSH
+GatewayPorts no # Disablow tunneling out via SSH
+AllowAgentForwarding no # Do not allow agent forwarding
+
+#Banner /etc/issue.net # Show legal login banner
+PrintLastLog yes # Show last login
+
+ClientAliveInterval 900 # Client timeout (15 minutes)
+ClientAliveCountMax 0 # This way enforces timeouts on the server side
+LoginGraceTime 30 # Authenticatin must happen within 30 seconds
+MaxStartups 2 # Max concurrent SSH sessions
+TCPKeepAlive yes # Do not use TCP keep-alive
+
+AcceptEnv LANG LC_* # Allow client to pass locale environment variables
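Review bot: `ClientAliveCountMax 0` does the opposite of its comment on OpenSSH 8.2 and later, where a count of 0 disables connection termination entirely, so the 900-second `ClientAliveInterval` no longer drops unresponsive clients; use `ClientAliveCountMax 1` if the intent is to disconnect after a missed liveness probe. The trailing `# …` comments on directive lines are only accepted by sshd releases whose config parser stops at an unquoted `#`; older releases reject such lines as extra arguments and refuse to start, so validate with `sshd -t` on the target version before deploying. Two comments also contradict the values they annotate: `HostKey /etc/ssh/ssh_host_ed25519_key` selects the server's ed25519 host key and has nothing to do with client public-key authentication ("pubic" is a typo as well), and `TCPKeepAlive yes` is annotated "Do not use TCP keep-alive". Dropping `AllowGroups sshlogin` while `#AllowUsers` stays commented widens login from one group to every account holding an authorized key, and `MaxStartups 2` caps concurrent unauthenticated connections rather than sessions, so two idle pre-auth connections are enough to lock administrators out; both deserve an explicit comment if they are intended.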