hardened configuration from https://github.com/dev-sec/ansible-ssh-hardening/ and https://gitlab.com/nodiscc/ansible-xsrv-common/
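# This is the ssh server system-wide configuration file (sshd_config).
#
# See sshd_config(5) for more information on any settings used. Comments will be
# added only to clarify why a configuration was chosen.
#
# Originally written for OpenSSH 5.9; the "-etm" MACs listed below require
# OpenSSH 6.2 or later.
#
# NOTE: sshd_config is not an INI file. There are no [sections], keywords are
# case-insensitive, and for each keyword sshd uses the FIRST value it reads -
# later duplicates are silently ignored. Every keyword therefore appears exactly
# once below (the file previously carried a second PrintMotd/PrintLastLog pair
# whose values could never take effect).

# Basic configuration
# ===================

# Disable root login
PermitRootLogin no

# Define which port sshd should listen to.
Port 22

# Address family should always be limited to the active network configuration.
AddressFamily inet

# Define which addresses sshd should listen to. `0.0.0.0` means every IPv4
# interface, so put the desired address here, otherwise sshd listens everywhere.
ListenAddress 0.0.0.0

# List HostKeys here.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# Security configuration
# ======================

# Set the protocol version to 2 for security reasons. Disables legacy support.
# SSH-1 server support was removed in OpenSSH 7.4; newer releases accept this
# keyword but ignore it, so it is kept only for older servers.
Protocol 2

# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
StrictModes yes

# Logging, obsoletes QuietMode and FascistLogging.
# INFO records logins and failures; VERBOSE would additionally log the
# fingerprint of the key used, which helps when auditing who logged in.
SyslogFacility AUTH
LogLevel INFO

# Cryptography
# ------------

# **Ciphers**
Ciphers aes256-ctr,aes192-ctr,aes128-ctr

# **Hash algorithms**
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

# **Key Exchange Algorithms**
# Group exchange picks its DH groups from /etc/ssh/moduli, so the strength of
# this setting depends on that file having been pruned of small groups.
KexAlgorithms diffie-hellman-group-exchange-sha256

# Authentication
# --------------

# Don't process environment variables passed by the client
PermitUserEnvironment no

# Time a connection may spend unauthenticated before sshd drops it (default 120s).
LoginGraceTime 30s

# Only process the client's locale environment variables
AcceptEnv LANG LC_*

# Specifies the maximum number of authentication attempts permitted per connection.
# Once the number of failures reaches half this value, additional failures are logged.
# Causes 'Too Many Authentication Failures' error when set to a low value and the user tries several keys.
MaxAuthTries 5

# Maximum number of open sessions (shell, SFTP, ...) multiplexed over one connection.
MaxSessions 10

# start:rate:full - once 10 unauthenticated connections are pending, new ones are
# dropped with 30% probability, rising linearly to 100% at 100 pending connections.
MaxStartups 10:30:100

# Enable public key authentication
PubkeyAuthentication yes

# Reject keys that are explicitly revoked.
# The file must exist and be readable by sshd: if it is not, public key
# authentication is refused for ALL users (see sshd_config(5), RevokedKeys).
RevokedKeys /etc/ssh/revoked_keys

# Never use host-based authentication. It can be exploited.
IgnoreRhosts yes
IgnoreUserKnownHosts yes
HostbasedAuthentication no

# PAM is deliberately disabled. sshd then falls back to its own locked/expired
# account checks, but PAM account and session modules (pam_access, pam_nologin,
# resource limits, logind session registration, ...) are not applied.
# Set this to "yes" if those are required; because password and
# challenge-response authentication are disabled below, enabling PAM does not
# open a password login path.
UsePAM no

# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
PasswordAuthentication no
PermitEmptyPasswords no
# Renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name is still accepted.
ChallengeResponseAuthentication no

# Only enable Kerberos authentication if it is configured.
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
#KerberosGetAFSToken no

# Only enable GSSAPI authentication if it is configured.
GSSAPIAuthentication no
GSSAPICleanupCredentials yes

# Network
# -------

# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel
TCPKeepAlive no

# Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.
ClientAliveInterval 600
ClientAliveCountMax 3

# Disable tunneling
PermitTunnel no

# Specifies whether TCP forwarding is permitted.
# Denying it provides no real advantage unless shell access is also denied
AllowTcpForwarding no

# Disable agent forwarding, since local agent could be accessed through forwarded connection.
# no real advantage without denied shell access
AllowAgentForwarding no

# Do not allow remote port forwardings to bind to non-loopback addresses.
GatewayPorts no

# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
X11Forwarding no
X11UseLocalhost yes

# Only allow login for users from ssh/sftponly groups.
# Every account that must be able to log in, including administrative ones,
# has to be a member of one of these groups or it is denied outright.
AllowGroups ssh sftponly

# Misc. configuration
# ===================

# Disable motd
PrintMotd no

# Disable printing last connections on login
PrintLastLog no

# file to send to the remote user before authentication
Banner none

# Enable compression, but only after authentication so that no compression
# code is reachable by unauthenticated clients. "delayed" has been accepted
# since OpenSSH 4.2 and is a synonym for "yes" since 7.4, which removed
# pre-authentication compression entirely.
Compression delayed

# Use reverse DNS lookups to validate authorized clients.
# This allows using hostnames in authorized_keys instead of IP addresses.
# The default is no (since OpenSSH 6.8).
#UseDNS no

# SFTP configuration
# `{{ ssh_sftp_loglevel }}` is an Ansible/Jinja2 template variable that is
# substituted when the file is rendered; it is not valid sshd_config syntax on its own.
Subsystem sftp internal-sftp -l {{ ssh_sftp_loglevel }} -f LOCAL6

# User/group-specific configuration
# These lines must appear at the *end* of sshd_config: everything after a Match
# line applies only to matching connections, up to the next Match line.
#Match Group sftponly
# Restrict members of the 'sftponly' group to SFTP subsystem,
#ForceCommand internal-sftp -l INFO -f LOCAL6
# Chroot members of the 'sftponly' group to their home directory.
# The chroot directory and all its parents must be owned by root and not be
# group- or world-writable, otherwise sshd refuses the login.
#ChrootDirectory %h
#AllowTcpForwarding no
#AllowAgentForwarding no
#GatewayPorts no
#X11Forwarding no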