SSH server config for a Gentoo web server. It applies to other distros too. Be sure to understand all options before using.
# user modified sshd_config
# Hardened OpenSSH server configuration: key-only authentication, no root
# login, an explicit user whitelist and a chrooted SFTP-only group at the end.
# Directive order matters: everything after the "Match Group sftponly" line
# at the bottom applies only to that group, so global options must stay above it.
#### Networking options ####
# Listen on a non-standard port > 1024
# (reduces log noise from scanners only; it is not an access control)
#Port 50000
# Restrict to IPv4. inet = IPv4, inet6 = IPv6, any = both
AddressFamily inet
# Listen only on the internal network address
#ListenAddress 192.168.1.0
# Only use protocol version 2
# (SSH protocol 1 support has been removed from OpenSSH; newer releases warn
# that this directive is deprecated and ignore it, so it is harmless to keep)
Protocol 2
# Disable XForwarding unless you need it
X11Forwarding no
# Disable TCPKeepAlive and use ClientAliveInterval instead to prevent TCP Spoofing attacks
# TCP keepalives are plain, unauthenticated TCP segments; ClientAlive messages
# travel inside the encrypted channel. With 600 s x 3 unanswered probes an
# unresponsive client is disconnected after roughly 30 minutes.
TCPKeepAlive no
ClientAliveInterval 600
ClientAliveCountMax 3
#### Networking options ####
#### Key Configuration ####
# HostKeys for protocol version 2
# (if enabled, prefer rsa or ed25519 keys; ssh-dss is disabled by default in OpenSSH 7.0+)
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
# (always on and reported as deprecated since OpenSSH 7.5; kept for older servers)
UsePrivilegeSeparation yes
# Use public key authentication
PubkeyAuthentication yes
# %h expands to the user's home directory
AuthorizedKeysFile %h/.ssh/authorized_keys
#### Key Configuration ####
#### Authentication ####
# Whitelist allowed users
# NOTE(review): AllowUsers is enforced for every login, including members of
# the sftponly group matched at the bottom of this file; those accounts also
# need an AllowUsers (or AllowGroups) entry or they will be denied — verify on
# the server before relying on the Match block.
AllowUsers user1 user2
# one minute to enter your key passphrase
LoginGraceTime 60
# No root login
PermitRootLogin no
# Force permissions checks on keyfiles and directories
# (sshd rejects ~/.ssh and authorized_keys that are group- or world-writable)
StrictModes yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# similar for protocol version 2
HostbasedAuthentication no
# Don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
# (also applies to HostbasedAuthentication)
IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Disable challenge and response auth. Unnecessary when using keys
# (renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name is still accepted)
ChallengeResponseAuthentication no
# Disable the use of passwords completely, only use public/private keys
PasswordAuthentication no
# Using keys, no need for PAM. Also allows SSHD to be run as a non-root user
# Caveat: with PAM disabled its account and session modules never run, so any
# PAM-based policy (pam_access restrictions, expiry checks, resource limits)
# is not enforced for SSH logins.
UsePAM no
# Don't use login(1)
# (directive removed in OpenSSH 7.4; newer servers warn and ignore it)
UseLogin no
#### Authentication ####
#### Misc ####
# Logging
# INFO records successful logins and failures; VERBOSE would additionally log
# the fingerprint of the key that authenticated, which helps audit which of a
# user's keys was used.
SyslogFacility AUTH
LogLevel INFO
# Print the last time the user logged in
PrintLastLog yes
# Every public key the client offers counts as one attempt, so a user with
# several keys loaded in an agent can exhaust this limit; such clients should
# pin the key with IdentitiesOnly/IdentityFile.
MaxAuthTries 2
# start:rate:full — once 10 connections are pending authentication, new ones
# are dropped with 30% probability, rising linearly to 100% at 60.
MaxStartups 10:30:60
# Display login banner
#Banner /etc/issue.net
# Allow client to pass locale environment variables
# (only the names listed here are accepted from the client)
AcceptEnv LANG LC_*
# In-process SFTP server; required for the chrooted group below because no
# sftp-server binary or libraries need to exist inside the chroot.
Subsystem sftp internal-sftp
#### Misc ####
# Everything from here to the end of the file applies only to members of sftponly.
Match Group sftponly
# NOTE(review): sshd requires every component of the chroot path to be owned
# by root and not group/world-writable, otherwise login fails with
# "bad ownership or modes for chroot directory". A user-owned www directory
# under the home will therefore be refused as-is — confirm ownership on the
# server (a root-owned %h/www/ with a user-writable subdirectory is the usual layout).
ChrootDirectory %h/www/
AllowTcpForwarding no
X11Forwarding no
# -u sets the umask for files created over SFTP (0002 = group-writable)
ForceCommand internal-sftp -u 0002