Last active
November 1, 2018 13:16
-
-
Save fullyint/15a7eb72916a4f9384a5c7afe52549a1 to your computer and use it in GitHub Desktop.
ssh-hardening
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| port 22 | |
| -addressfamily any | |
| +addressfamily inet | |
| batchmode no | |
| canonicalizefallbacklocal yes | |
| canonicalizehostname false | |
| challengeresponseauthentication yes | |
| checkhostip yes | |
| -compression no | |
| +compression yes | |
| controlmaster false | |
| enablesshkeysign no | |
| exitonforwardfailure no | |
| forwardagent no | |
| forwardx11 no | |
| forwardx11trusted yes | |
| gatewayports no | |
| -gssapiauthentication yes | |
| +gssapiauthentication no | |
| gssapidelegatecredentials no | |
| -hashknownhosts yes | |
| +hashknownhosts no | |
| hostbasedauthentication no | |
| identitiesonly no | |
| kbdinteractiveauthentication yes | |
| nohostauthenticationforlocalhost no | |
| -passwordauthentication yes | |
| +passwordauthentication no | |
| permitlocalcommand no | |
| protocol 2 | |
| proxyusefdpass no | |
| forwardx11timeout 1200 | |
| numberofpasswordprompts 3 | |
| serveralivecountmax 3 | |
| serveraliveinterval 0 | |
| -ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc | |
| -hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-ce | |
| +ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
| +hostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa | |
| hostbasedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-ce | |
| -kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellm | |
| +kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | |
| loglevel INFO | |
| -macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hma | |
| +macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 | |
| pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-r | |
| xauthlocation /usr/bin/xauth | |
| identityfile ~/.ssh/id_ed25519 | |
| identityfile ~/.ssh/id_rsa | |
| canonicaldomains | |
| globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 | |
| userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2 | |
| -sendenv LANG | |
| -sendenv LC_* | |
| connecttimeout none | |
| tunneldevice any:any | |
| controlpersist no |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| port 22 | |
| protocol 2 | |
| -addressfamily any | |
| +addressfamily inet | |
| listenaddress 0.0.0.0:22 | |
| usepam yes | |
| -serverkeybits 768 | |
| -logingracetime 120 | |
| +serverkeybits 1024 | |
| +logingracetime 30 | |
| keyregenerationinterval 3600 | |
| x11displayoffset 10 | |
| maxauthtries 6 | |
| maxsessions 10 | |
| -clientaliveinterval 0 | |
| +clientaliveinterval 600 | |
| clientalivecountmax 3 | |
| streamlocalbindmask 0177 | |
| -permitrootlogin yes | |
| +permitrootlogin without-password | |
| ignorerhosts yes | |
| -ignoreuserknownhosts no | |
| +ignoreuserknownhosts yes | |
| rhostsrsaauthentication no | |
| hostbasedauthentication no | |
| hostbasedusesnamefrompacketonly no | |
| rsaauthentication yes | |
| pubkeyauthentication yes | |
| kerberosauthentication no | |
| -kerberosorlocalpasswd yes | |
| +kerberosorlocalpasswd no | |
| kerberosticketcleanup yes | |
| gssapiauthentication no | |
| gssapikeyexchange no | |
| passwordauthentication no | |
| kbdinteractiveauthentication no | |
| challengeresponseauthentication no | |
| printmotd no | |
| -printlastlog yes | |
| -x11forwarding yes | |
| +printlastlog no | |
| +x11forwarding no | |
| x11uselocalhost yes | |
| permittty yes | |
| permituserrc yes | |
| strictmodes yes | |
| -tcpkeepalive yes | |
| +tcpkeepalive no | |
| permitemptypasswords no | |
| permituserenvironment no | |
| uselogin no | |
| compression delayed | |
| gatewayports no | |
| usedns no | |
| -allowtcpforwarding yes | |
| +allowtcpforwarding no | |
| allowagentforwarding yes | |
| allowstreamlocalforwarding yes | |
| -useprivilegeseparation yes | |
| +useprivilegeseparation sandbox | |
| fingerprinthash SHA256 | |
| pidfile /var/run/sshd.pid | |
| xauthlocation /usr/bin/xauth | |
| -ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com | |
| -macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hma | |
| +ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
| +macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 | |
| versionaddendum none | |
| -kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 | |
| +kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | |
| hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ss | |
| hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-ce | |
| pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-r | |
| -loglevel INFO | |
| +loglevel VERBOSE | |
| syslogfacility AUTH | |
| -authorizedkeysfile %h/.ssh/authorized_keys | |
| +authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2 | |
| +hostkey /etc/ssh/ssh_host_ed25519_key | |
| hostkey /etc/ssh/ssh_host_rsa_key | |
| -hostkey /etc/ssh/ssh_host_dsa_key | |
| -hostkey /etc/ssh/ssh_host_ecdsa_key | |
| -acceptenv LANG | |
| -acceptenv LC_* | |
| -subsystem sftp /usr/lib/openssh/sftp-server | |
| +subsystem sftp internal-sftp -l INFO -f LOCAL6 | |
| maxstartups 10:30:100 | |
| permittunnel no | |
| ipqos lowdelay throughput |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment