@kawaiipantsu
Last active June 24, 2023 10:10
This is a secure and hardened SSH daemon config file. It is not just another "hardened" config file from out there: I have commented every directive and also locked things down at host, user and group level, but in a way that should still work on most out-of-the-box environments while giving a far better hardened sshd_config experience.
#
#  ____ ____  _   _   ____                                   by KawaiiPantsu
# / ___/ ___|| | | | |  _ \  __ _  ___ _ __ ___   ___  _ __
# \___ \___ \| |_| | | | | |/ _` |/ _ \ '_ ` _ \ / _ \| '_ \
#  ___) |__) |  _  | | |_| | (_| |  __/ | | | | | (_) | | | |
# |____/____/|_| |_| |____/ \__,_|\___|_| |_| |_|\___/|_| |_|
# |
# | Inspiration has been taken from CIS18, NIST and plain
# | common practice when it comes to hardening sshd.
# |
# | NOTE: the trailing "# comment" on each directive line is only accepted
# | by recent OpenSSH releases. Older releases refuse to start with
# | "garbage at end of line", or, for list directives such as AllowGroups,
# | treat the comment words as extra values. Always run "sshd -t" against
# | this file before restarting the daemon.
# |
# | Break the glass help: https://discord.gg/Xg2jMdvss9 :)
# .
## Network configuration
Port 22 # Default port
Protocol 2 # Only allow SSH2. Accepted but ignored since OpenSSH 7.6, which no longer speaks SSH1 at all; harmless on older versions
AddressFamily inet # Only use IPv4
#AddressFamily inet6 # Only use IPv6
#AddressFamily any # Use both types
ListenAddress 0.0.0.0 # IPv4 address to listen on
#ListenAddress :: # IPv6 address to listen on (leave commented out if you don't accept inet6)
Compression delayed # Only compress after authentication ("delayed" is now just a legacy synonym for "yes")
Banner /etc/ssh/sshd_public_banner.txt # Always keep an informative banner that warns about logging etc.
UseDNS yes # Resolve the client address and check that the name maps back to it. Slows every login and only matters for hostname patterns in AllowUsers/authorized_keys; the default is no
TCPKeepAlive yes # This is really annoying if you don't allow it ... (also the default)
## Ciphers / Encryption / Algorithms configuration
Ciphers aes256-ctr,aes192-ctr,aes128-ctr # |
MACs hmac-sha2-512,hmac-sha2-256 # |> THESE NEED TO BE KEPT UP TO DATE (i.e. by NIST/CIS18/other guidelines)
KexAlgorithms diffie-hellman-group-exchange-sha256 # |
## The three lists above are the conservative CIS-style picks. Current guidance also accepts the AEAD ciphers
## (chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com), prefers the encrypt-then-MAC
## variants (hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com) and puts curve25519-sha256 first for KEX.
## Check what the installed build knows with "ssh -Q cipher", "ssh -Q mac" and "ssh -Q kex": a single unknown
## name and sshd will not start. diffie-hellman-group-exchange-* takes its group from /etc/ssh/moduli, so that
## file must be pruned of groups below 3072 bits or a small group can still be negotiated.
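The two checks a practitioner wants next to a pinned algorithm list, as an added shell example that is not part of the gist: every configured name must be one the installed OpenSSH build supports (one typo and sshd refuses to start with a bad cipher/MAC/KEX spec), and because the only KEX above is DH group exchange, /etc/ssh/moduli must not contain any group you would not accept. `ssh -Q` is only called when present; the fallback supported lists and the moduli lines are constructed samples, and the modulus column in them is a placeholder rather than a real prime.

```shell
#!/bin/sh
# Added example, not part of the gist: checks that belong next to a pinned
# Ciphers/MACs/KexAlgorithms list.

# unsupported_algos "name,name,..." "supported names, one per line"
# -> prints every configured name the build does not know (empty = all good).
# A single unknown name makes sshd refuse to start ("Bad SSH2 cipher spec" etc.).
unsupported_algos() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# supported_list cipher|mac|kex -> what this OpenSSH build supports.
# Uses "ssh -Q" (same build as sshd) when present; otherwise a constructed
# list typical of OpenSSH 8.x/9.x so the example runs offline.
supported_list() {
    if command -v ssh >/dev/null 2>&1; then
        ssh -Q "$1"
        return
    fi
    case "$1" in
        cipher) printf '%s\n' aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com ;;
        mac)    printf '%s\n' hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com ;;
        kex)    printf '%s\n' diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 curve25519-sha256 curve25519-sha256@libssh.org ;;
    esac
}

# safe_moduli MODULI_TEXT MIN_BITS -> only the /etc/ssh/moduli lines whose group
# is at least MIN_BITS. Field 5 is the size; the stock file reads 2047 for a
# 2048-bit group, hence the "+ 1". diffie-hellman-group-exchange-* picks its
# group from this file, so anything small left in it can still be negotiated.
safe_moduli() {
    printf '%s\n' "$1" | awk -v min="$2" '/^#/ { next } NF >= 7 && $5 + 1 >= min { print }'
}

# Constructed moduli sample; the modulus column is a placeholder, not a real prime.
MODULI_SAMPLE='# Time Type Tests Tries Size Generator Modulus
20230601000000 2 6 100 2047 2 CAFEF00D
20230601000001 2 6 100 3071 2 CAFEF00E
20230601000002 2 6 100 4095 2 CAFEF00F'

# The lists from the sshd_config above
CFG_CIPHERS='aes256-ctr,aes192-ctr,aes128-ctr'
CFG_MACS='hmac-sha2-512,hmac-sha2-256'
CFG_KEX='diffie-hellman-group-exchange-sha256'

unsupported_algos "$CFG_CIPHERS" "$(supported_list cipher)"
unsupported_algos "$CFG_MACS"    "$(supported_list mac)"
unsupported_algos "$CFG_KEX"     "$(supported_list kex)"
safe_moduli "$MODULI_SAMPLE" 3072   # keeps the 3071 and 4095 lines only
# On a real host (as root) the same filter is:
#   awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe && mv /etc/ssh/moduli.safe /etc/ssh/moduli
```

Run it after every edit to the three lists; an empty result from `unsupported_algos` is the goal, and `sshd -t` afterwards confirms the daemon agrees.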
## One of the big questions out there, just like the question of life itself!
## And we can't get away with simply saying 42!
PermitRootLogin no # Allow root login? (Don't change it here; look further down for the surprise!)
## Authentication configuration
ChallengeResponseAuthentication no # Don't allow challenge authentication (deprecated alias of KbdInteractiveAuthentication since OpenSSH 8.7; kept for older versions)
PasswordAuthentication no # Don't allow password authentication
GSSAPIAuthentication no # Don't allow GSSAPI
KerberosAuthentication no # Don't allow Kerberos
KbdInteractiveAuthentication no # Don't allow keyboard-interactive. PAM prompts (passwords, 2FA codes) travel over this method, so PAM-based MFA cannot work while it is off
PermitEmptyPasswords no # Never accept anything empty
UsePAM no # Disable PAM (no password lookups etc.). CAVEAT: RHEL/Fedora/Amazon Linux document "UsePAM no" as unsupported; pam_access, pam_limits and the logind session setup all run from PAM and are skipped without it
PubkeyAuthentication yes # Enable public key authentication
LoginGraceTime 30s # You have 30 sec to finish authentication or you get disconnected!
StrictModes yes # Always check ownership and permissions of the home directory, ~/.ssh and authorized_keys before accepting a key
MaxAuthTries 3 # Get kicked after 3 failed attempts. Every key the client offers counts as an attempt, so agents loaded with many keys need "IdentitiesOnly yes" on the client side
MaxSessions 10 # Allow 10 sessions per connection (default)
PermitUserEnvironment no # Don't allow a custom environment to load from ~/.ssh/environment or authorized_keys options
## Decide on authentication methods, normally keep it to just a public key
## You can make it really annoying, but also more secure...
AuthenticationMethods publickey # Only accept a public key
#AuthenticationMethods publickey,publickey # Require two different public keys in sequence (comma = all of them required, space = any one is enough)
## If you ever need password logins, change the three lines ABOVE (PasswordAuthentication, UsePAM and
## AuthenticationMethods) to the values below. Do NOT just uncomment these three: sshd keeps the FIRST
## value it sees for a keyword, so a later duplicate in the global section is silently ignored.
#PasswordAuthentication yes # ONLY IF YOU NEED TO GET IN WITH A PASSWORD!
#UsePAM yes # ONLY IF YOU NEED TO GET IN WITH A PASSWORD!
#AuthenticationMethods password # ONLY IF YOU NEED TO GET IN WITH A PASSWORD! ("publickey password" would accept either)
## Allow specific users and groups
## This can really harden your setup, but also make it difficult to navigate larger infrastructures
## The rules below are meant for a "basic" setup...
AllowGroups root # This could be commented out, but I like root users!
AllowGroups wheel # This could be commented out, but I like root users!
AllowGroups admin # Typical admin group name
AllowGroups ec2-admin # AWS: Amazon Linux images
AllowGroups ec2-user # AWS: Amazon Linux images
AllowGroups ec2 # AWS: Amazon Linux images
AllowGroups fedora # Cloud: Fedora images
AllowGroups centos # Cloud: CentOS images
AllowGroups ubuntu # Cloud: Ubuntu images
AllowGroups bitnami # Cloud: Bitnami images
AllowGroups pi # Raspberry Pi
AllowGroups adm # Some common shared user groups
AllowGroups users # Some common shared user groups
AllowGroups sudo # Some common shared user groups
AllowGroups dialout # Some common shared user groups
AllowGroups ssh-users # Make this group and add the users who explicitly need SSH access
## Now for the users. You should add some with remote IPs if needed.
## If not, then these 3 lines accept all internal LAN traffic etc.,
## as long as the group they are in is listed above!
## Allow any user from internal IP ranges
AllowUsers *@192.168.0.0/16 # Local IP CIDR
AllowUsers *@172.16.0.0/12 # Local IP CIDR
AllowUsers *@10.0.0.0/8 # Local IP CIDR
## Add your own gateway IPs, VPN egress and devops egress IP addresses here
#AllowUsers *@80.160.100.100/32 # Example, someone's home IP address
## COMMENT OUT the next line to lock down: while it is active it matches every user from every
## address, so the CIDR restrictions above have no effect (AllowGroups still applies).
AllowUsers *@0.0.0.0/0 # ALLOW ALL, just so we don't break anything out of the box!
## Logging / Information configuration
PrintLastLog yes # That fancy info output - Yes show Last logon message
PrintMotd yes # That fancy info output - Yes show Message Of The Day (MOTD)
SyslogFacility AUTH # Syslog facility to use (please keep it at AUTH for compatibility)
#LogLevel WARN # Quieter, but you lose the "Accepted publickey ..." lines; not a good idea for production
LogLevel INFO # Default level; logs every login and logout
#LogLevel VERBOSE # Also logs the fingerprint of the key that was used (handy when several people share an account); noisier
#LogLevel DEBUG # Only while debugging problems; the manual warns that it violates users' privacy, so never leave it on
## Locking down all those fancy features of SSH
## We don't want them in a production environment please!
PermitTunnel no # Don't allow Tunnel creation
AllowTcpForwarding no # Don't allow TCP forwarding
X11Forwarding no # Don't allow X11 forwarding
AllowAgentForwarding no # Don't allow SSH Agent forwarding
GatewayPorts no # Remote forwards may only bind to loopback, so nobody else can use a user's tunnel (moot while AllowTcpForwarding is no, but keep it)
PermitTTY yes # Allow users to get a real TTY
AcceptEnv LANG LC_* # Allow users to manipulate LC language
Subsystem sftp /usr/lib/openssh/sftp-server # Needed for Ansible (module transfer) and sftp/scp. This is the Debian/Ubuntu path; RHEL/Fedora/Amazon Linux use /usr/libexec/openssh/sftp-server, or use "internal-sftp" to avoid the path altogether
## NOTE - MATCH BLOCKS MUST BE AT THE BOTTOM!! Every directive after a Match line belongs to that
## block until the next Match line, so anything placed below them is no longer global.
## Special Match blocks to let your security loose when they come from specific places
## This is super useful for devops/devsecops/vpn etc
## Special local network IP range settings
## (This basically allows root login from internal IP networks. Remember that anything
## NATed or VPNed into those ranges looks "internal" too.)
Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 # When they come from the internal networks
    PermitRootLogin yes # - Allow root logins etc. ("prohibit-password" says the same thing more safely)
    PasswordAuthentication no # - Still no password accepted
    PubkeyAuthentication yes # - Must use pub key
## Homeworking devops access etc? Or VPN IP
## Mind two rules here: UsePAM is GLOBAL-ONLY and sshd refuses to start if it appears inside a Match
## block, so if you need PAM (2FA, pam_access ...) set "UsePAM yes" at the top of the file instead.
## And a SPACE-separated AuthenticationMethods list means "any one of these"; a second
## AuthenticationMethods line would simply be ignored (first value wins).
#Match Address 80.160.160.100/32 # Specific IP address (can be private or public)
#    PermitRootLogin no # - Don't allow root login, but
#    PasswordAuthentication yes # - accept a password or
#    PubkeyAuthentication yes # - a public key login
#    AuthenticationMethods publickey password # - either one is enough ("publickey,password" would demand both)
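Two of the traps in this file, a later duplicate directive in the global section being ignored because sshd keeps the first value, and global-only directives such as UsePAM being rejected inside Match, are cheap to lint before restarting the daemon. The following is an added example, not part of the gist: a POSIX sh/awk linter plus the `sshd -t` and `sshd -T -C` commands that show the values sshd would actually apply for a given user and source address. The keyword lists are abridged (sshd_config(5) has the authoritative list of directives permitted in Match), sshd is only invoked if it is installed and the config is readable, and both sample configs are constructed.

```shell
#!/bin/sh
# Added example, not part of the gist. Lints an sshd_config for two mistakes
# and shows how to ask the daemon for the effective configuration.
# Keyword lists are abridged; sshd_config(5) is authoritative.

# Directives whose values accumulate when repeated. Everything else: sshd keeps
# the FIRST value and ignores later duplicates in the same section.
SSHD_MULTI='port listenaddress hostkey allowusers allowgroups denyusers denygroups acceptenv subsystem include'
# Global-only directives people try to put under Match; sshd refuses to start.
SSHD_GLOBAL_ONLY='usepam port listenaddress addressfamily protocol ciphers macs kexalgorithms hostkey logingracetime strictmodes maxstartups compression usedns tcpkeepalive permituserenvironment subsystem syslogfacility printmotd printlastlog'

# lint_sshd_config CONFIG_TEXT -> one diagnostic per line on stdout (nothing if clean)
lint_sshd_config() {
    printf '%s\n' "$1" | awk -v multi="$SSHD_MULTI" -v gonly="$SSHD_GLOBAL_ONLY" '
    BEGIN {
        n = split(multi, a, " "); for (i = 1; i <= n; i++) ismulti[a[i]] = 1
        n = split(gonly, a, " "); for (i = 1; i <= n; i++) isglobal[a[i]] = 1
        inmatch = 0
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        # Trailing "# ..." comments are only accepted by recent OpenSSH; older
        # releases die with "garbage at end of line". Strip them for linting.
        sub(/[ \t]+#.*$/, "", line)
        kwo = line; sub(/[ \t=].*$/, "", kwo)
        kw = tolower(kwo)
        if (kw == "match") { inmatch = 1; next }
        if (inmatch) {
            if (kw in isglobal)
                printf "line %d: %s is a global-only directive and is rejected inside a Match block\n", NR, kwo
            next
        }
        if (kw in seen && !(kw in ismulti))
            printf "line %d: %s already set on line %d; sshd uses the first value, this line is ignored\n", NR, kwo, seen[kw]
        else if (!(kw in seen))
            seen[kw] = NR
    }'
}

# Ask sshd what it would apply for one client (after Match evaluation).
# Run as root against the real file; skipped here if sshd is not installed.
show_effective() {   # show_effective CONFIG_FILE USER SOURCE_ADDR
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not installed, skipping effective-config check" >&2
        return 0
    fi
    sshd -t -f "$1" || return 1   # syntax check; non-zero means do not restart
    sshd -T -f "$1" -C "user=$2,host=$3,addr=$3,laddr=127.0.0.1,lport=22" \
        | grep -Ei '^(permitrootlogin|passwordauthentication|authenticationmethods|usepam) '
}

# Constructed sample reproducing the traps (the real file is longer)
BROKEN_CFG='PasswordAuthentication no
UsePAM no
AuthenticationMethods publickey
PasswordAuthentication yes
AuthenticationMethods password
AllowGroups root
AllowGroups wheel
Match Address 10.0.0.0/8
    PermitRootLogin yes
    UsePAM yes'

# The same intent expressed correctly: globals set once, overrides only in Match
FIXED_CFG='UsePAM yes
PasswordAuthentication no
AuthenticationMethods publickey
AllowGroups root
AllowGroups wheel
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
    PasswordAuthentication yes
    AuthenticationMethods publickey password'

lint_sshd_config "$BROKEN_CFG"   # three diagnostics: lines 4, 5 and 10
lint_sshd_config "$FIXED_CFG"    # prints nothing
if [ -r /etc/ssh/sshd_config ]; then
    show_effective /etc/ssh/sshd_config root 10.1.2.3 || true
fi
```

The linter only understands the two rules it checks; `sshd -t` remains the final word on whether the daemon will start, and `sshd -T -C` is the quickest way to confirm that a Match block really grants (or denies) what you think it does for a specific user and address.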
STANDARD MANDATORY NOTICE AND CONSENT BANNER
You are accessing a remote system/server that is provided for authorized use
only. Use by unauthorized persons is prohibited. By using this remote system
or server (including any device attached to it), you consent to the following:
* The owner routinely intercepts and monitors communications for purposes
including, but not limited to, pen-testing, SOC monitoring, network operations
and protection, personnel misconduct (PM), and forensic investigations.
* At any time, the owner may inspect and seize data stored on this
system or server.
* Communications using, or data stored on, this system or server are not
private, are subject to routine monitoring, interception, and search, and
may be disclosed or used for any owner-authorized purpose.
* This system or server includes security measures to protect the owner's
interests, not your personal benefit or privacy.