Skip to content

Instantly share code, notes, and snippets.

Last active August 23, 2020 12:03
Show Gist options
  • Save Tristor/6d589939ee43e8956a94 to your computer and use it in GitHub Desktop.
Save Tristor/6d589939ee43e8956a94 to your computer and use it in GitHub Desktop.
Hardened SSH Server Config 03/2016
# TCP port to bind to
# Change to a high/odd port if this server is exposed to the internet directly
Port 22
# Bind to all interfaces (change to specific interface if needed)
# Force SSHv2 Protocol
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
# Use kernel sandbox mechanisms where possible in unprivileged processes
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
UsePrivilegeSeparation sandbox
# Deny all other users besides the following
AllowUsers tristor
# Client timeout (5 minutes)
ClientAliveInterval 300
ClientAliveCountMax 0
# Compression (only after authentication)
Compression delayed
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication must happen within 30 seconds
LoginGraceTime 30
# Disable root SSH access
PermitRootLogin no
PermitEmptyPasswords no
# Check user folder permissions before allowing access
StrictModes yes
# Public key authentication + Password authentication
# Two-Factor Authentication in OpenSSH v6.2+
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
# Change this depending on where your authorized_keys file is
# This is set as a workaround when using encrypted home directories
# Link:
#AuthorizedKeysFile /etc/ssh/keys/%u/authorized_keys
#These are the most secure of the available ciphers and MACs
# SHA-256 included for compat with PuTTY-WinCrypt clients
# Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
# DH-SHA-256 included for compat with PuTTY-WinCrypt clients
# Don’t read the user’s ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Disable unused authentication schemes
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# This may need to be enabled for things like Google Authenticator/YubiOTP
UsePAM no
# X11 support
X11Forwarding no
# Don’t show Message of the Day
PrintMotd no
# TCPKeepAlive (non-tunneled, disabled)
TCPKeepAlive no
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Copy link

Hey. Maybe you should add more tweaks ;)

PermitUserEnvironment no
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
Subsystem sftp internal-sftp -f AUTHPRIV -l INFO
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
UseDNS no
Compression no
AllowAgentForwarding no
MaxAuthTries 2
MaxSessions 2
MaxStartups 2
DebianBanner no
ChallengeResponseAuthentication no

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment