From c6bb7148732813677df6386b64cf27dafc73fafd Mon Sep 17 00:00:00 2001
From: nodiscc
Date: Sat, 7 Mar 2020 13:48:41 +0100
Subject: [PATCH] and openssh server (sshd) configuration. hardened configuration from https://github.com/dev-sec/ansible-ssh-hardening/ and https://gitlab.com/nodiscc/ansible-xsrv-common/
---
 config/includes.chroot/etc/ssh/sshd_config | 171 +++++++++++++++++++++
 1 file changed, 171 insertions(+)
 create mode 100644 config/includes.chroot/etc/ssh/sshd_config
diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config
new file mode 100644
index 0000000..a691621
--- /dev/null
+++ b/config/includes.chroot/etc/ssh/sshd_config
@@ -0,0 +1,171 @@
+# This is the ssh server system-wide configuration file.
+# See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen.
+#
+# Created for OpenSSH v5.9
+
+# Basic configuration
+# ===================
+
+# Disable root login
+PermitRootLogin no
+
+# Define which port sshd should listen to.
+Port 22
+
+# Address family should always be limited to the active network configuration.
+AddressFamily inet
+
+# Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone.
+ListenAddress 0.0.0.0
+
+# List HostKeys here.
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# Security configuration
+# ======================
+
+# Set the protocol version to 2 for security reasons. Disables legacy support.
+Protocol 2
+
+# Make sure sshd checks file modes and ownership before accepting logins. This prevents accidental misconfiguration.
+StrictModes yes
+
+# Logging, obsoletes QuietMode and FascistLogging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Cryptography
+# ------------
+
+# **Ciphers**
+Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+
+# **Hash algorithms**
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+
+
+# **Key Exchange Algorithms**
+KexAlgorithms diffie-hellman-group-exchange-sha256
+
+# Authentication
+# --------------
+
+# Don't process environment variables passed by the client
+PermitUserEnvironment no
+LoginGraceTime 30s
+# Only process the client's locale environment variables
+AcceptEnv LANG LC_*
+
+# Specifies the maximum number of authentication attempts permitted per connection.
+# Once the number of failures reaches half this value, additional failures are logged.
+# Causes 'Too Many Authentication Failures' error when set to a low value and the user tries several keys.
+MaxAuthTries 5
+MaxSessions 10
+MaxStartups 10:30:100
+
+# Enable public key authentication
+PubkeyAuthentication yes
+
+# Reject keys that are explicitly blacklisted
+RevokedKeys /etc/ssh/revoked_keys
+
+# Never use host-based authentication. It can be exploited.
+IgnoreRhosts yes
+IgnoreUserKnownHosts yes
+HostbasedAuthentication no
+
+# Enable PAM to enforce system wide rules
+UsePAM no
+
+# Disable password-based authentication, it can allow for potentially easier brute-force attacks.
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+
+# Only enable Kerberos authentication if it is configured.
+KerberosAuthentication no
+KerberosOrLocalPasswd no
+KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# Only enable GSSAPI authentication if it is configured.
+GSSAPIAuthentication no
+GSSAPICleanupCredentials yes
+
+# Network
+# -------
+
+# Disable TCP keep alive since it is spoofable. Use ClientAlive messages instead, they use the encrypted channel
+TCPKeepAlive no
+
+# Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail.
+ClientAliveInterval 600
+ClientAliveCountMax 3
+
+# Disable tunneling
+PermitTunnel no
+
+# Specifies whether TCP forwarding is permitted.
+# Denying it provides no real advantage unless shell access is also denied
+AllowTcpForwarding no
+
+# Disable agent forwarding, since local agent could be accessed through forwarded connection.
+# no real advantage without denied shell access
+AllowAgentForwarding no
+
+# Do not allow remote port forwardings to bind to non-loopback addresses.
+GatewayPorts no
+
+# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.
+X11Forwarding no
+X11UseLocalhost yes
+
+# Only allow login for users from ssh/sftponly groups
+AllowGroups ssh sftponly
+
+# Misc. configuration
+# ===================
+
+# Disable motd
+PrintMotd no
+
+# Disable printing last connections on login
+PrintLastLog no
+
+# file to send to the remote user before authentication
+Banner none
+
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+
+# Enable compression
+Compression yes
+
+# Use reverse DNS lookups to validate authorized clients
+# This allows using hostnames in auhtorized_keys instead of IP addresses
+# The default is no
+#UseDNS no
+
+# print /etc/motd when a user logs in interactively
+PrintMotd yes
+
+# print the date and time of the last user login when a user logs in interactively
+PrintLastLog yes
+
+# SFTP configuration
+Subsystem sftp internal-sftp -l {{ ssh_sftp_loglevel }} -f LOCAL6
+
+# User/group-sepcific configuration
+# These lines must appear at the *end* of sshd_config
+#Match Group sftponly
+# Restrict members of the 'sftponly' group to SFTP subsystem,
+#ForceCommand internal-sftp -l INFO -f LOCAL6
+# Chroot members of the 'sftponly' group to their home directory
+#ChrootDirectory %h
+#AllowTcpForwarding no
+#AllowAgentForwarding no
+#GatewayPorts no
+#X11Forwarding no
+
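Review bot: `Subsystem sftp internal-sftp -l {{ ssh_sftp_loglevel }} -f LOCAL6` near the end of the hunk still carries a Jinja placeholder from the Ansible role it was copied from, but a `config/includes.chroot/` file appears to be copied verbatim into the live-build image, so internal-sftp would be started with an invalid `-l` value; replace it with a literal, e.g. `Subsystem sftp internal-sftp -l INFO -f LOCAL6`. `RevokedKeys /etc/ssh/revoked_keys` fails closed — sshd_config(5) states that public key authentication is refused for all users when that file is not readable — and together with `PasswordAuthentication no` that locks everyone out, so the image must also ship at least an empty `/etc/ssh/revoked_keys`; the diffstat shows this commit adds only sshd_config, so presumably it does not yet. `AllowGroups ssh sftponly` grants members of sftponly a full login while the `#Match Group sftponly` / `#ForceCommand internal-sftp` / `#ChrootDirectory %h` block that would confine them is commented out; either enable that block or drop sftponly from AllowGroups until it is. The later `PrintMotd yes` and `PrintLastLog yes` lines are dead because sshd uses the first value of a repeated keyword and `PrintMotd no` / `PrintLastLog no` appear earlier, so keep one pair and remove the other so the comments describe what is actually in effect. `UsePAM no` sits under a comment saying PAM is enabled; with key-only authentication that may be deliberate, but the comment should say so, e.g. `# PAM disabled: authentication is public-key only, so no PAM account/session modules are applied to logins`.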