Last active
November 9, 2023 22:09
-
-
Save thcrt/60ff95bd57f57ef4fb550bb079e827ba to your computer and use it in GitHub Desktop.
Theo's sshd configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Theo's sshd configuration | |
| # Based on work by k4yt3x -- https://k4t.io/sshd | |
| # See also https://infosec.mozilla.org/guidelines/openssh | |
| # | |
| # Created 2020-10-05 | |
| # Updated 2023-09-24 | |
| # | |
| # Licensed under the GNU GPL v3 | |
| # https://www.gnu.org/licenses/gpl-3.0.txt | |
| ########## Binding ########## | |
| # use an unusual port to avoid bruteforcing | |
| # this may or may not be necessary, check auth.log | |
| Port 6182 | |
| ########## Features ########## | |
| # accept locale-related environment variables | |
| AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | |
| AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | |
| AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | |
| AcceptEnv XMODIFIERS | |
| # disallow forwarding | |
| # note that any user with shell access can run their own forwarders | |
| AllowTcpForwarding no | |
| AllowStreamLocalForwarding no | |
| PermitTunnel no | |
| X11Forwarding no | |
| # uncomment to block ssh-agent forwarding | |
| # enabled by default to simplify deployment | |
| #AllowAgentForwarding no | |
| ########## Authentication ########## | |
| # uncomment to permit only the specified users/groups | |
| AllowGroups remote | |
| # only allow pubkey authentication | |
| AuthenticationMethods publickey | |
| PubkeyAuthentication yes | |
| PasswordAuthentication no | |
| KbdInteractiveAuthentication no | |
| UsePAM no | |
| # limit retries to prevent bruteforcing | |
| MaxAuthTries 3 | |
| # disallow empty passwords | |
| PermitEmptyPasswords no | |
| # disallow root ssh | |
| PermitRootLogin no | |
| ########## Cryptography ########## | |
| # explicitly define cryptography algorithms to avoid the use of weak algorithms | |
| Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
| HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519 | |
| MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com | |
| # short moduli should be deactivated before enabling the use of diffie-hellman-group-exchange-sha256 | |
| # do this with: | |
| # awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli | |
| # see also https://infosec.mozilla.org/guidelines/openssh | |
| #KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256 | |
| KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 | |
| ########## Connection Preferences ########## | |
| # number of client alive messages sent without client responding | |
| ClientAliveCountMax 2 | |
| # send a keepalive message to the client when the session has been idle for 300 seconds | |
| # this prevents/detects connection timeouts | |
| ClientAliveInterval 300 | |
| # compression before encryption might cause security issues | |
| Compression no | |
| # prevent SSH trust relationships from allowing lateral movements | |
| IgnoreRhosts yes | |
| # log verbosely for addtional information | |
| #LogLevel VERBOSE | |
| # allow a maximum of two multiplexed sessions over a single TCP connection | |
| MaxSessions 2 | |
| # only use SSH protocol version 2 | |
| Protocol 2 | |
| # path to the sftp-server binary depends on your distribution | |
| #Subsystem sftp /usr/lib/openssh/sftp-server | |
| #Subsystem sftp /usr/libexec/openssh/sftp-server | |
| Subsystem sftp internal-sftp | |
| # let ClientAliveInterval handle keepalive | |
| TCPKeepAlive no | |
| # disable reverse DNS lookups | |
| UseDNS no |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment