@researcx
Created January 3, 2019 20:00
Hardened OpenSSH Server Config
# Hardened sshd_config by Kei (https://kei.a52.io/)
# This config was made for personal use. If you're going to use it, edit it to your liking or be locked out forever.
# THIS MAY BECOME OUTDATED OR MAY END UP NOT BEING SECURE AT ALL, USE AT YOUR OWN RISK
# Summary:
# Protocol 2 only (SSH-1 is gone from OpenSSH 7.4 onwards anyway).
# Port 2244 instead of 22.
# Only the users listed in AllowUsers may log in.
# Root cannot log in at all (PermitRootLogin no). Use prohibit-password if root needs key-only access; yes would also allow root with passwords.
# X11 forwarding is disabled.
# Empty passwords are not allowed.
# No Ciphers/MACs/KexAlgorithms lines: the OpenSSH defaults apply, and those have not included CBC ciphers since 6.7. Pin them explicitly if you need a fixed list.
# No reverse DNS lookup on login (UseDNS no), which avoids delays on slow resolvers.
# Password authentication is still enabled (see the note at PasswordAuthentication below).
# Public key authentication is enabled.
# SSH-1 RSA authentication (RSAAuthentication) is disabled; RSA keys still work through PubkeyAuthentication.
# Challenge-response (keyboard-interactive) authentication is disabled.
# GSSAPI authentication is disabled.
# Kerberos authentication is disabled.
# Host-based authentication is disabled.
# Generate fresh host keys: one Ed25519 key and a large RSA key.
# The rm below also deletes the ECDSA/DSA keys, so every client that has connected before
# will see a "host key changed" warning until it updates its known_hosts.
# cd /etc/ssh
# rm ssh_host_*key*
# ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
# ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N "" < /dev/null
# If /etc/ssh/moduli exists, drop the small Diffie-Hellman groups used by diffie-hellman-group-exchange:
# keep only lines whose 5th column (the group size, stored as bits minus one, so 2047 means 2048 bits) is above 2000.
# awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
# wc -l "${HOME}/moduli" # make sure there is something left before replacing the file
# mv "${HOME}/moduli" /etc/ssh/moduli
# If it does not exist, create it. Generating and screening candidates takes hours;
# newer ssh-keygen spells these two steps "-M generate" and "-M screen", see ssh-keygen(1).
# ssh-keygen -G /etc/ssh/moduli.all -b 4096
# ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
# mv /etc/ssh/moduli.safe /etc/ssh/moduli
# rm /etc/ssh/moduli.all
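# Added example, not part of the gist: the moduli filtering above as a script with the checks the
# one-liner skips (atomic replace, refusal to leave an empty file), tried on a constructed sample
# instead of the live /etc/ssh/moduli. The names filter_moduli, count_groups, make_sample_moduli and
# MIN_SIZE are mine, and the hex moduli in the sample are placeholders, not real safe primes.

```bash
#!/usr/bin/env bash
# Added example, not from the gist: prune /etc/ssh/moduli to groups of 2048
# bits and up, with the sanity checks the one-line awk in the header skips.
set -eu

# Column 5 of a moduli line is the group size stored as bits minus one
# (2047 = 2048-bit group), so keeping "> 2000" drops 1024- and 1536-bit groups.
MIN_SIZE=2000

# filter_moduli SRC DST: copy comment lines and every group whose size column
# exceeds MIN_SIZE from SRC to DST. DST is written atomically, and the function
# refuses to replace it if no group would be left, because an empty moduli
# file makes sshd fall back to a compiled-in group.
filter_moduli() {
    local src="$1" dst="$2" tmp
    tmp="$(mktemp "${dst}.XXXXXX")"
    awk -v min="$MIN_SIZE" '$1 ~ /^#/ || ($5 + 0) > min' "$src" > "$tmp"
    if ! grep -qv '^#' "$tmp"; then
        rm -f "$tmp"
        echo "filter_moduli: no groups above ${MIN_SIZE} bits in ${src}; ${dst} left untouched" >&2
        return 1
    fi
    chmod 0644 "$tmp"
    mv "$tmp" "$dst"
}

# count_groups FILE: number of candidate groups (non-comment lines) in FILE.
count_groups() {
    grep -cv '^#' "$1" || true
}

# make_sample_moduli: write a constructed file in the moduli format
# (time type tests trials size generator modulus) and print its path.
# The hex values are placeholders, not real safe primes.
make_sample_moduli() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# constructed sample in /etc/ssh/moduli format, not an OpenSSH-generated file
20190103200000 2 6 100 1023 2 DEADBEEF0001
20190103200000 2 6 100 1535 2 DEADBEEF0002
20190103200000 2 6 100 2047 2 DEADBEEF0003
20190103200000 2 6 100 3071 5 DEADBEEF0004
20190103200000 2 6 100 4095 2 DEADBEEF0005
EOF
    echo "$f"
}

# Demonstration on the sample. On a real host you would run
# "filter_moduli /etc/ssh/moduli /etc/ssh/moduli.new", inspect the result,
# and then move it into place.
demo() {
    local src dst
    src="$(make_sample_moduli)"
    dst="$(mktemp)"
    filter_moduli "$src" "$dst"
    echo "kept $(count_groups "$dst") of $(count_groups "$src") groups"
    rm -f "$src" "$dst"
}
demo
```

# Of the five constructed groups only the 2047, 3071 and 4095 entries survive; raising MIN_SIZE
# above every size in the file makes filter_moduli fail and leave the destination alone, which is
# the case the bare "awk > mv" sequence in the header cannot catch.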
# Sources:
# http://www.linuxmanpages.com/man5/sshd_config.5.php
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
# http://www.unixlore.net/articles/five-minutes-to-more-secure-ssh.html
# http://www.reddit.com/r/linuxadmin/comments/14bo0g/hardening_sshd_config/
#Settings
# Non-default port: keeps automated scanners out of the logs, but it is obscurity, not a security control.
# Open it in the firewall (and, on SELinux systems, label it: semanage port -a -t ssh_port_t -p tcp 2244) before restarting sshd.
Port 2244
# SSH-2 only. OpenSSH 7.4 and later have no SSH-1 at all and ignore this line; it only matters on older servers.
Protocol 2
AddressFamily any
# Replace with the login name(s) that should be allowed; everyone else is refused (user@host patterns also work).
AllowUsers faggqt
# Host keys offered to clients. Only the keys listed here are used; the SSH-1 ssh_host_key is obsolete and deliberately omitted.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Send a keepalive (inside the encrypted channel, not ICMP) after 60 seconds of silence. With the default
# ClientAliveCountMax of 3, a client that answers none of them is dropped after about three minutes;
# set ClientAliveCountMax 1 if it really should be one minute.
ClientAliveInterval 60
# UseLogin (hand interactive sessions to /usr/bin/login) was removed in OpenSSH 7.4, where sshd only logs it as a
# deprecated option, so the line is left commented; on older servers the default was already no.
#UseLogin no
# Privilege separation (an unprivileged child handles the network traffic) has been mandatory since OpenSSH 7.5 and
# the directive is deprecated; keep it only for older servers. Note the spelling: it is UsePrivilegeSeparation.
#UsePrivilegeSeparation yes
# Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login.
StrictModes yes
# Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.
PermitUserEnvironment no
# The server disconnects after this time (one minute) if the user has not successfully logged in.
# Keep notes like this on their own line: sshd has no inline comments, a "#" after the argument is read as
# further arguments and the file is rejected with "garbage at end of line".
LoginGraceTime 60
# Specifies whether root can log in using ssh. "no" disables it entirely; "prohibit-password" (spelled
# "without-password" in older versions) allows root with keys only; "yes" also allows passwords.
PermitRootLogin no
# Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication.
IgnoreRhosts yes
# SSH-1 RSA authentication. Removed together with protocol 1 in OpenSSH 7.4, so the line is kept
# commented for older servers only. RSA keys are still accepted through PubkeyAuthentication.
#RSAAuthentication no
# Specifies whether public key authentication is allowed. Note that this option applies to protocol version 2 only.
PubkeyAuthentication yes
# Specifies whether password authentication is allowed. This is the weakest point of the file: passwords can be
# guessed, keys cannot. Leave it on only while bootstrapping keys and set it to no once every user in AllowUsers
# has an authorized_keys entry.
PasswordAuthentication yes
# Specifies whether challenge-response (keyboard-interactive, e.g. PAM-driven or one-time-password) authentication
# is allowed. Newer OpenSSH calls this KbdInteractiveAuthentication; the old name still works as an alias.
ChallengeResponseAuthentication no
# Specifies whether user authentication based on GSSAPI is allowed. Note that this option applies to protocol version 2 only.
GSSAPIAuthentication no
# Enables the Pluggable Authentication Module interface.
UsePAM yes
# Specifies whether sshd should print the date and time when the user last logged in.
PrintLastLog yes
# Specifies the file that contains the public keys that can be used for user authentication.
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysFile /etc/ssh/authorized_keys/%u
# Specifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC.
KerberosAuthentication no
# Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (hostbased authentication).
HostbasedAuthentication no
# Specifies whether X11 forwarding is permitted.
X11Forwarding no
# Gives the facility code that is used when logging messages from sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7
SyslogFacility AUTH
# Gives the verbosity level that is used when logging messages from sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
LogLevel INFO
# When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.
PermitEmptyPasswords no
# Specifies whether sshd should look up the remote host name and check that it resolves back to the same IP address.
# "no" saves a DNS round trip on every login; the trade-off is that hostname patterns (from="*.example.com" in
# authorized_keys, user@host in AllowUsers) can then only match IP addresses.
UseDNS no
# SFTP subsystem (if SFTP isn't working, change the path in the first line or uncomment the second)
#Subsystem sftp /usr/lib/ssh/sftp-server
Subsystem sftp internal-sftp
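# Added example, not part of the gist: a lint pass over an sshd_config that flags the mistakes a copy of this file
# tends to carry (inline comments, directives OpenSSH 7.4+ has removed, root reachable with a password, no
# AllowUsers/AllowGroups). lint_sshd_config, lint_ok, make_config and the two constructed config fragments are
# mine. It complements "sshd -t -f FILE", which parses the file with the real daemon; it does not replace it.

```bash
#!/usr/bin/env bash
# Added example, not from the gist: lint an sshd_config for problems a copy of
# the file above is likely to carry. Run "sshd -t -f FILE" as well; only the
# daemon itself can tell you whether it will accept the file.
set -eu

# Directives that went away with SSH-1 in OpenSSH 7.4 (UseLogin too) or with
# mandatory privilege separation in 7.5. Newer sshd logs "Deprecated option"
# for them (Protocol is ignored silently), so they only add false confidence.
DEPRECATED='uselogin|rsaauthentication|rhostsrsaauthentication|useprivilegeseparation|protocol|serverkeybits|keyregenerationinterval'

# lint_sshd_config FILE: print one line per finding ("FILE:LINE: message" for
# per-line findings, "FILE: message" for whole-file ones). Prints nothing for a
# clean file. Keywords are matched case-insensitively, as sshd does.
lint_sshd_config() {
    awk -v deprecated="^(${DEPRECATED})\$" '
        # Blank lines and lines starting with "#" are the only comments sshd knows.
        /^[[:space:]]*(#|$)/ { next }
        # A "#" after the argument is not a comment: sshd reads it as more
        # arguments and refuses the file with "garbage at end of line".
        /^[^#]*[[:space:]]#/ {
            printf "%s:%d: inline comment, sshd will reject this line\n", FILENAME, NR
        }
        {
            key = tolower($1)
            if (key ~ deprecated)
                printf "%s:%d: %s is removed in current OpenSSH, delete it\n", FILENAME, NR, $1
            # First occurrence of a keyword wins, as in sshd_config(5).
            if (!(key in opt))
                opt[key] = tolower($2)
        }
        END {
            # PasswordAuthentication defaults to yes, so only an explicit "no" counts.
            if (opt["permitrootlogin"] == "yes" && opt["passwordauthentication"] != "no")
                printf "%s: PermitRootLogin yes with password authentication enabled\n", FILENAME
            if (!("allowusers" in opt) && !("allowgroups" in opt))
                printf "%s: no AllowUsers/AllowGroups, every local account may try to log in\n", FILENAME
            if (opt["permitemptypasswords"] == "yes")
                printf "%s: PermitEmptyPasswords yes\n", FILENAME
        }' "$1"
}

# lint_ok FILE: succeed only when lint_sshd_config has nothing to report.
lint_ok() {
    [ -z "$(lint_sshd_config "$1")" ]
}

# make_config NAME: write a constructed sshd_config fragment to a temp file
# and print its path. "bad" carries the problems listed above, "good" does not.
make_config() {
    local f
    f="$(mktemp)"
    case "$1" in
        bad)
            cat > "$f" <<'EOF'
Port 2244
LoginGraceTime 60 # 1 minute to log in
UseLogin no
RSAAuthentication no
PermitRootLogin yes
PasswordAuthentication yes
EOF
            ;;
        good)
            cat > "$f" <<'EOF'
Port 2244
AllowUsers alice bob
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
EOF
            ;;
    esac
    echo "$f"
}

# Demonstration on the constructed fragments.
demo() {
    local bad good
    bad="$(make_config bad)"
    good="$(make_config good)"
    lint_sshd_config "$bad"
    lint_ok "$good" && echo "$good: clean"
    rm -f "$bad" "$good"
}
demo
```

# The "bad" fragment produces five findings (the inline comment, UseLogin, RSAAuthentication, root with a
# password, and the missing AllowUsers); the "good" one produces none. Point lint_sshd_config at a real file with
# "lint_sshd_config /etc/ssh/sshd_config" and then let "sshd -t" have the final word.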