@LordShedy
Last active October 11, 2019 07:56
SSHD configuration
### SSH DAEMON configuration by LordShedy ###
# allow client to pass locale environment variables
AcceptEnv LANG LC_*
# specifies which IP address family sshd should use
# it is possible to set for any (any), IPv4 only (inet) or IPv6 only (inet6)
AddressFamily inet
# is ssh-agent forwarding permitted
AllowAgentForwarding no
# only members of these groups may log in (root is listed, but PermitRootLogin no below still blocks it)
AllowGroups root sudo users
# is TCP forwarding permitted
AllowTcpForwarding no
# each space-separated list is an alternative; every comma-separated method in a list must succeed
# PasswordAuthentication is no below, so the first list can never succeed and the effective
# requirement is a public key followed by keyboard-interactive (e.g. PAM MFA)
AuthenticationMethods publickey,password publickey,keyboard-interactive
# where the file with authorized keys (pubkeys) is located
AuthorizedKeysFile %h/.ssh/authorized_keys
# a banner shown to every client before authentication; keep one where a legal notice is required,
# otherwise comment it out so unauthenticated clients learn nothing about the host
Banner /etc/issue.net
# enable challenge-response (keyboard-interactive) authentication, e.g. for PAM-based MFA
# with UsePAM yes this lets PAM prompt for the account password even though PasswordAuthentication
# is no, unless the PAM stack is configured otherwise; renamed KbdInteractiveAuthentication in OpenSSH 8.7
ChallengeResponseAuthentication yes
# specification of ciphers allowed
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# the number of client alive probes sshd may send without receiving any data back from the client
# probes travel inside the encrypted channel, so unlike TCP keepalives they cannot be spoofed
# an unresponsive client is disconnected after roughly (ClientAliveInterval * ClientAliveCountMax) seconds
# 0 used to drop the client after a single silent ClientAliveInterval, but since OpenSSH 8.2 a zero
# disables idle disconnection entirely; 1 gives the intended behaviour on both old and new versions
ClientAliveCountMax 1
# timeout interval in seconds after which if no data has been received from the client,
# sshd will send a message through the encrypted channel to request a response from the client
ClientAliveInterval 3000
# compression of data being sent
# yes or no; 'delayed' is a legacy synonym for yes (it was the default before OpenSSH 7.4)
Compression no
# security feature to prevent other remote hosts from connecting to forwarded ports
GatewayPorts no
# specifies a file containing a private host key used by SSH
# it is possible to have multiple host key files
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# allows hosts to authenticate on behalf of all or some of the system's users
# it is not rock solid authentication, better disabled
HostbasedAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
# historically unsafe and it is suggested to disable it
IgnoreRhosts yes
# specifies the available key exchange algorithms
# curve25519-sha256 is the IETF name of the same method (OpenSSH 7.4+); both spellings are listed
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
# specifies the level of verbosity for logging messages from sshd
LogLevel VERBOSE
# amount of time for a user to authenticate
LoginGraceTime 60
# specifies the available message authentication code algorithms that are used for protecting data integrity
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
# maximum number of authentication attempts per connection
# every public key the client offers that is not in authorized_keys counts as a failed attempt,
# so with 1 a client with several keys in its agent can be disconnected before it offers the right one
# (pin the key with IdentitiesOnly/IdentityFile on the client, or raise this to 2-3)
MaxAuthTries 1
# maximum number of open shell, login or subsystem (e.g. sftp) sessions per network connection,
# i.e. how many multiplexed sessions one TCP connection may carry (ControlMaster on the client)
# 1 disables session multiplexing; 0 forbids all sessions while still permitting port forwarding
MaxSessions 2
# start:rate:full. After the number of unauthenticated connections reaches the value specified by start,
# sshd will begin to refuse new connections at a percentage specified by rate.
# The proportional rate of refused connections then increases linearly as the limit
# specified by full is approached until 100% is reached.
# At that point all new attempts at connection are refused until the backlog goes down.
# 10: unauthenticated connections allowed before random early drop begins
# 30: percentage of new connections refused at 10, rising linearly as the backlog grows
# 100: unauthenticated connections at which every new connection is refused
MaxStartups 10:30:100
# is it possible to authenticate via password?
# disable this if authentication should be via PubkeyAuthentication
PasswordAuthentication no
# whether accounts with empty passwords may log in; never enable this
PermitEmptyPasswords no
# Specifies whether root can log in using SSH (yes, 'no', 'prohibit-password', 'forced-commands-only')
# 'prohibit-password' (legacy spelling 'without-password') password and keyboard-interactive authentication are disabled for root.
# 'forced-commands-only' root login with public key authentication will be allowed, but only if the command option has been specified (all other authentication methods are disabled for root)
# 'no' root is not allowed to log in.
PermitRootLogin no
# permit tunneling to server
PermitTunnel no
# allowing user to set environment options and potentially bypass some access restrictions
PermitUserEnvironment no
# a non-default port only reduces automated scanner noise and is not a security control;
# it also needs matching firewall/NAT rules, so the default is kept here
Port 22
# Specifies whether sshd should print the date and time of the last user login when a user logs in interactively
PrintLastLog yes
# specifies whether the ssh daemon should print the contents of the /etc/motd file when a user logs in interactively
PrintMotd no
# OpenSSH 7.4 removed server support for protocol 1; on current versions this keyword is
# deprecated and ignored (logged at startup), it only has an effect on older servers
Protocol 2
# public key authentication is allowed (the primary method in this configuration)
PubkeyAuthentication yes
# checks on important files inside users home directory have the proper privileges and ownership,
# SSH daemon will only allow a remote user to log on if checks pass
StrictModes yes
# an external subsystem offered to clients, here the SFTP file-transfer server
# (use 'internal-sftp' instead when ChrootDirectory is configured for SFTP-only users)
Subsystem sftp /usr/lib/openssh/sftp-server
# specifies the facility code used when logging messages from sshd
SyslogFacility AUTH
# whether the system sends TCP keepalive messages to the other side
# they are unencrypted and spoofable, so they are disabled in favour of the ClientAlive probes above
TCPKeepAlive no
# reverse-resolve the client address and check that the name resolves back; only useful for
# hostname patterns in authorized_keys from= options, otherwise off avoids lookup delays at login
UseDNS no
# Pluggable Authentication Modules = a framework for managing authentication of users
# using PAM you can enforce rules during the authentication
# Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'
UsePAM yes
# specifies the lowest display number SSH may use
X11DisplayOffset 10
# specifies whether X11 forwarding (GUI) should be enabled or not on this server
X11Forwarding no
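Several directives above interact in ways sshd never warns about at start-up: AuthenticationMethods may list a method that another directive has switched off, keyboard-interactive still reaches PAM's password prompt, and ClientAliveCountMax 0 changed meaning in OpenSSH 8.2. The lint below is an added example, not part of the gist; the function names and the embedded excerpt (the gist's originally published values with the comments removed, constructed for this example) are mine, and it models only the global section, not Match blocks.

```python
"""Consistency lint for an sshd_config (added example, not part of the gist).

sshd applies each directive independently, so a file can list an authentication
method another directive has disabled, or use a value whose meaning changed
between releases, without any error at start-up. This parses keyword/value
lines and reports those silent conflicts.
"""
import re

# Constructed excerpt: the gist's originally published values, comments removed.
GIST_EXCERPT = """\
AuthenticationMethods publickey,password publickey,keyboard-interactive
ChallengeResponseAuthentication yes
ClientAliveCountMax 0
ClientAliveInterval 3000
MaxAuthTries 1
PasswordAuthentication no
PermitRootLogin no
Protocol 2
PubkeyAuthentication yes
UsePAM yes
"""

# sshd(8) defaults for the directives the checks consult
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "hostbasedauthentication": "no",
    "usepam": "no",
    "authenticationmethods": "any",
}


def parse_sshd_config(text):
    """Return {keyword.lower(): value}. Keywords are case-insensitive and, as in
    sshd(8), the first occurrence of a keyword wins. Both 'Key value' and
    'Key=value' forms are accepted."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def setting(conf, key):
    """Effective lowercased value of a directive, falling back to its default."""
    if key == "kbdinteractiveauthentication":
        # ChallengeResponseAuthentication is the pre-8.7 alias of the same option
        return conf.get(key, conf.get("challengeresponseauthentication", "yes")).lower()
    return conf.get(key, DEFAULTS.get(key, "")).lower()


def method_enabled(conf, method):
    """Can this single AuthenticationMethods entry ever succeed?"""
    name = method.split(":", 1)[0]  # "keyboard-interactive:pam" -> "keyboard-interactive"
    switches = {
        "publickey": "pubkeyauthentication",
        "password": "passwordauthentication",
        "keyboard-interactive": "kbdinteractiveauthentication",
        "hostbased": "hostbasedauthentication",
    }
    if name not in switches:  # gssapi-with-mic, none: not modelled here
        return True
    return setting(conf, switches[name]) == "yes"


def lint(conf):
    """Return a list of findings, each prefixed with the directive it concerns."""
    findings = []
    chains = setting(conf, "authenticationmethods").split()
    if chains != ["any"]:
        live = []
        for chain in chains:
            dead = [m for m in chain.split(",") if not method_enabled(conf, m)]
            if dead:
                findings.append(f"AuthenticationMethods: '{chain}' can never succeed, "
                                f"{', '.join(dead)} is disabled elsewhere")
            else:
                live.append(chain)
        if not live:
            findings.append("AuthenticationMethods: no list is satisfiable, nobody can log in")
        if setting(conf, "usepam") == "yes" and any("keyboard-interactive" in c for c in live):
            findings.append("UsePAM: keyboard-interactive goes through PAM, which may still prompt "
                            "for the account password even with PasswordAuthentication no")
    if setting(conf, "clientalivecountmax") == "0":
        findings.append("ClientAliveCountMax: 0 dropped idle clients after one ClientAliveInterval "
                        "before OpenSSH 8.2 but disables idle disconnection from 8.2 on; use 1")
    if setting(conf, "maxauthtries") == "1":
        findings.append("MaxAuthTries: every rejected public key offer counts as a failure, so a "
                        "client with several agent keys may be cut off before the right one")
    if setting(conf, "permitrootlogin") == "without-password":
        findings.append("PermitRootLogin: 'without-password' is the legacy spelling of "
                        "'prohibit-password' (OpenSSH 7.0+)")
    if "protocol" in conf:
        findings.append("Protocol: server support for protocol 1 was removed in OpenSSH 7.4; "
                        "the keyword is deprecated and ignored")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_sshd_config(GIST_EXCERPT)):
        print("-", finding)
```

Run as a script it lists the findings for the excerpt. Feeding `parse_sshd_config` the text of a real file, or the output of `sshd -T` (which prints the effective values in the same keyword/value form, keywords lowercased), applies the same checks to a live server.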
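The MaxStartups comment describes a linear ramp from rate percent at start to 100 percent at full. This added example, not code from the gist, turns that description into a function so the refusal chance for 10:30:100 can be read off for any backlog size; the function names are mine and the integer arithmetic is assumed to match sshd's drop_connection().

```python
"""Random early drop as configured by MaxStartups start:rate:full.

Added example, not from the gist. The curve's shape (rate% at `start`, rising
linearly to 100% at `full`) is what sshd_config(5) specifies; the integer
division below is assumed to mirror sshd's drop_connection().
"""


def parse_maxstartups(value):
    """Return (start, rate, full). A bare number means 'refuse everything once
    that many connections are pending', i.e. start == full."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        return parts[0], 100, parts[0]
    if len(parts) != 3:
        raise ValueError(f"illegal MaxStartups spec: {value!r}")
    start, rate, full = parts
    if start > full or not 1 <= rate <= 100:
        raise ValueError(f"illegal MaxStartups spec: {value!r}")
    return start, rate, full


def drop_probability(pending, start, rate, full):
    """Percent chance that a new connection is refused when `pending`
    connections are already waiting for authentication."""
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    # rate% at `start`, rising linearly to 100% at `full` (integer arithmetic)
    return rate + (100 - rate) * (pending - start) // (full - start)


def ramp(value, points):
    """Map each backlog size in `points` to its refusal percentage."""
    start, rate, full = parse_maxstartups(value)
    return {n: drop_probability(n, start, rate, full) for n in points}


if __name__ == "__main__":
    for n, p in ramp("10:30:100", range(0, 101, 10)).items():
        print(f"{n:3d} pending -> {p:3d}% refused")
```

With the gist's 10:30:100, nine pending connections are never refused, the tenth is refused 30% of the time, and the refusal chance reaches 100% only once a hundred connections sit unauthenticated; a lower `full` shortens the window a pre-auth flood has to exhaust the backlog.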