From 344dd16cc457270140f8336e8260eef6b9e55e9c Mon Sep 17 00:00:00 2001 From: Coby Powers Date: Mon, 27 Feb 2023 04:21:58 +0000 Subject: [PATCH] More sshd hardening --- sshd/sshd_config | 85 +++++++++++++++--------------------------------- 1 file changed, 27 insertions(+), 58 deletions(-) diff --git a/sshd/sshd_config b/sshd/sshd_config index b37bb42..048022a 100644 --- a/sshd/sshd_config +++ b/sshd/sshd_config @@ -11,7 +11,7 @@ Include /etc/ssh/sshd_config.d/*.conf # / / -_) __/ |/|/ / _ \/ __/ '_// / _ \/ _ `/ #/_/|_/\__/\__/|__,__/\___/_/ /_/\_\/_/_//_/\_, / # /___/ -# + Port 69 #AddressFamily any #ListenAddress 0.0.0.0 @@ -22,7 +22,7 @@ Port 69 #/ /__/ // / _ \/ _ \/ -_) __(_-< > _/_ _/ / ,< / -_) // / / _ \/ _ `/ #\___/\_, / .__/_//_/\__/_/ /___/ |_____/ /_/|_|\__/\_, /_/_//_/\_, / # /___/_/ /___/ /___/ -# + Ciphers aes256-gcm@openssh.com,aes256-ctr KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 @@ -37,7 +37,7 @@ Protocol 2 # / /__/ _ \/ _ `/ _ `/ / _ \/ _ `/ #/____/\___/\_, /\_, /_/_//_/\_, / # /___//___/ /___/ -# + #SyslogFacility AUTH #LogLevel INFO 
@@ -45,47 +45,39 @@ Protocol 2 # / _ |__ __/ /_/ / ___ ___ / /_(_)______ _/ /_(_)__ ___ # / __ / // / __/ _ \/ -_) _ \/ __/ / __/ _ `/ __/ / _ \/ _ \ #/_/ |_\_,_/\__/_//_/\__/_//_/\__/_/\__/\_,_/\__/_/\___/_//_/ -# + AllowUsers coby AllowGroups coby #LoginGraceTime 2m PermitRootLogin no #StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 +MaxAuthTries 3 +MaxSessions 10 PubkeyAuthentication yes - -# Expect .ssh/authorized_keys2 to be disregarded by default in future. -#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! PasswordAuthentication no PermitEmptyPasswords no -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) +#AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedPrincipalsFile none +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +#HostbasedAuthentication no + +#IgnoreUserKnownHosts no +#IgnoreRhosts yes + ChallengeResponseAuthentication no +UsePam yes + # __ __ __ # / //_/__ ____/ / ___ _______ ___ # / ,< / -_) __/ _ \/ -_) __/ _ \(_-< #/_/|_|\__/_/ /_.__/\__/_/ \___/___/ -# -#KerberosAuthentication no + +KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no 
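Review bot: `#AuthorizedKeysFile .ssh/authorized_keys` is added commented out, so it has no effect and sshd keeps its default of `.ssh/authorized_keys .ssh/authorized_keys2`, the very case the removed comment warned about. If the intent is to stop honoring the legacy second file, uncomment it as `AuthorizedKeysFile .ssh/authorized_keys`. `UsePam yes` is accepted because sshd_config keywords are case-insensitive, but the explanatory block that accompanied `UsePAM yes` in the original file is dropped; a short comment such as `# PAM for account/session checks only; password and keyboard-interactive auth stay off` would keep the reasoning next to the directive. `MaxSessions 10` restates the built-in default, so either leave it commented or lower it deliberately.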
@@ -94,30 +86,21 @@ ChallengeResponseAuthentication no # / ___/ __/ __/ _ | / _ \/ _/ #/ (_ /\ \_\ \/ __ |/ ___// / #\___/___/___/_/ |_/_/ /___/ -# -#GSSAPIAuthentication no + +GSSAPIAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM yes # ____ __ # / __/_ __/ /________ _ # / _/ \ \ / __/ __/ _ `/ #/___//_\_\\__/_/ \_,_/ -# -#AllowAgentForwarding yes -#AllowTcpForwarding yes + +AllowAgentForwarding no +AllowTcpForwarding no +PermitTunnel no GatewayPorts no X11Forwarding no #X11DisplayOffset 10 @@ -133,22 +116,8 @@ ClientAliveCountMax 3 #UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 -#PermitTunnel no #ChrootDirectory none #VersionAddendum none - -# No default banner path #Banner none - -# Allow client to pass locale environment variables AcceptEnv LANG LC_* - -# Override default of no subsystems -Subsystem sftp /usr/lib/openssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server +Subsystem sftp /usr/lib/openssh/sftp-server \ No newline at end of file
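Review bot: `AllowTcpForwarding no` and `PermitTunnel no` leave Unix-domain socket forwarding untouched, since `AllowStreamLocalForwarding` defaults to yes and is not set anywhere in this hunk, so one forwarding path remains open. `DisableForwarding yes` covers X11, agent, TCP and StreamLocal forwarding in a single directive and does not affect the sftp subsystem; alternatively add `AllowStreamLocalForwarding no` beside the two new lines. `GatewayPorts no` and `X11Forwarding no` are unchanged context, so only the new lines need the addition. Dropping `UsePAM yes` here is consistent with the earlier hunk re-adding it as `UsePam yes`, which sshd accepts because keywords are case-insensitive.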