Last active November 20, 2017 05:20
SSH server hardening
#################
#               #
#   Hardening   #
#               #
#################
ChallengeResponseAuthentication no
### Temporarily enabled to check IPs of possible attackers
PasswordAuthentication yes
###
IgnoreRhosts yes
MaxAuthTries 3
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,arcfour256
#MACs hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
#KexAlgorithms=curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
RekeyLimit 256M
#ServerKeyBits 2048 # Deprecated
ClientAliveCountMax 2
LogLevel VERBOSE
# sshd uses the first value it reads for a keyword, so "MaxAuthTries 3" above takes effect and this line is ignored.
MaxAuthTries 2
MaxSessions 3
PermitRootLogin no
UseDNS no
UsePrivilegeSeparation SANDBOX
Compression delayed
X11Forwarding no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
TCPKeepAlive yes
#RSAAuthentication no # Deprecated
PermitEmptyPasswords no
GSSAPIAuthentication no
#PasswordAuthentication no
# Ignored while the temporary "PasswordAuthentication yes" above is present (first value wins).
PasswordAuthentication no
KerberosAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
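The file above sets `PasswordAuthentication` and `MaxAuthTries` twice, and sshd keeps the first value it reads for such keywords. The checker below is an added example, not part of the original gist; `effective_settings`, `MULTI_VALUED` and the sample text are hypothetical names and constructed input, and it assumes only the global section matters (it stops at the first `Match`).

```python
import re

# Keywords sshd accumulates across lines instead of taking the first value
# (partial list, an assumption that is enough for this example).
MULTI_VALUED = {"port", "listenaddress", "hostkey", "acceptenv",
                "allowusers", "allowgroups", "denyusers", "denygroups"}

# Constructed sample: a subset of the gist's directives, in the same order.
SAMPLE = """\
### Temporarily enabled
PasswordAuthentication yes
MaxAuthTries 3
MaxAuthTries 2
PermitRootLogin no
#PasswordAuthentication no
PasswordAuthentication no
"""


def effective_settings(text):
    """Return (effective, shadowed) for the global section of an sshd_config.

    effective: keyword -> (line_no, value) of the first occurrence.
    shadowed:  list of (line_no, keyword, ignored_value, winning_line_no).
    """
    effective, shadowed = {}, []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":              # conditional blocks are out of scope
            break
        if keyword in MULTI_VALUED:
            continue
        if keyword in effective:
            shadowed.append((line_no, keyword, value, effective[keyword][0]))
        else:
            effective[keyword] = (line_no, value)
    return effective, shadowed


if __name__ == "__main__":
    eff, dup = effective_settings(SAMPLE)
    for line_no, kw, val, winner in dup:
        print(f"line {line_no}: '{kw} {val}' ignored; line {winner} sets '{eff[kw][1]}'")
```

On a live host, `sshd -T` prints the configuration the daemon will actually use, which is the authoritative check after editing the file.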