Last active June 24, 2023 10:10
Gist: kawaiipantsu/b27d953de9793731b60b4636bad7a3dc
This is a secure and hardened SSH daemon config file. It is not just another "hardened" config from the web: every directive is commented, and access is also locked down at the host level and by users and groups, but in a way that should still work on most out-of-the-box environments while giving a much better hardened sshd_config experience.
#  ____ ____  _   _   ____                                   by KawaiiPantsu
# / ___/ ___|| | | | |  _ \  __ _  ___ _ __ ___   ___  _ __
# \___ \___ \| |_| | | | | |/ _` |/ _ \ '_ ` _ \ / _ \| '_ \
#  ___) |__) |  _  | | |_| | (_| |  __/ | | | | | (_) | | | |
# |____/____/|_| |_| |____/ \__,_|\___|_| |_| |_|\___/|_| |_|
# |
# | Inspiration has been taken from CIS18, NIST and just
# | common practices when it comes to hardening sshd.
# |
# | Break the glass help: https://discord.gg/Xg2jMdvss9 :)
# .
## Two sshd_config rules that matter for everything below:
## 1) For single-valued keywords the FIRST value sshd reads wins; a later duplicate line is
##    silently ignored (AllowUsers/AllowGroups/AcceptEnv/Port are the exceptions and accumulate).
##    So to change a setting, edit the existing line instead of adding a second one.
## 2) A Match block overrides global values only for connections that match it, and everything
##    after a Match line belongs to that block until the next Match.
## Inline "# ..." comments after a directive's arguments need a reasonably recent OpenSSH; older
## releases refuse to start with "garbage at end of line". Always run "sshd -t" before restarting,
## and "sshd -T -C addr=10.0.0.5,user=root" to see the settings a given client would actually get.
## Network configuration
Port 22 # Default port
Protocol 2 # SSH-1 was removed in OpenSSH 7.4; since then this line is ignored (deprecation warning only), kept for older hosts
AddressFamily inet # Only use IPv4
#AddressFamily inet6 # Only use IPv6
#AddressFamily any # Use both types
ListenAddress 0.0.0.0 # IPv4 address to listen on
#ListenAddress :: # IPv6 address to listen on (comment out if you don't accept inet6)
Compression delayed # Compression only after authentication ("delayed" is the legacy synonym for "yes", which never compresses pre-auth)
Banner /etc/ssh/sshd_public_banner.txt # Always keep an informative banner to warn about logging etc. (make sure the file exists)
UseDNS yes # Reverse-lookup the client and check it matches forward DNS; needed for from="hostname" key options, slows logins when DNS is broken
TCPKeepAlive yes # This is really annoying if you don't allow it ... (also the default)
## Ciphers / Encryption / Algorithms configuration
Ciphers aes256-ctr,aes192-ctr,aes128-ctr # |
MACs hmac-sha2-512,hmac-sha2-256 # |> THESE NEED TO BE KEPT UP TO DATE (i.e. by NIST/CIS18/other guidelines)
KexAlgorithms diffie-hellman-group-exchange-sha256 # |
## Current OpenSSH defaults also offer the AEAD ciphers chacha20-poly1305@openssh.com and aes256-gcm@openssh.com,
## the encrypt-then-MAC variants hmac-sha2-512-etm@openssh.com and hmac-sha2-256-etm@openssh.com, and
## curve25519-sha256 for key exchange; these are generally recommended over the CTR / encrypt-and-MAC / DH-GEX
## set above. If you keep DH-GEX, prune /etc/ssh/moduli of groups smaller than 3072 bits. Check what your
## build supports with "ssh -Q cipher", "ssh -Q mac" and "ssh -Q kex".
## One of the big questions out there, just like the answer to life itself!
## And we can't get away with simply saying 42!
PermitRootLogin no # Allow root login? (Don't change; look further down for a surprise!)
## Authentication configuration
ChallengeResponseAuthentication no # Don't allow challenge-response authentication (legacy alias for KbdInteractiveAuthentication since 8.7)
PasswordAuthentication no # Don't allow password authentication
GSSAPIAuthentication no # Don't allow GSSAPI
KerberosAuthentication no # Don't allow Kerberos
KbdInteractiveAuthentication no # Don't allow keyboard-interactive; this is the path PAM-driven prompts (e.g. 2FA) use, so it goes off together with UsePAM below
PermitEmptyPasswords no # Never accept anything empty
UsePAM no # Disable PAM entirely: no PAM password lookups, but also no pam_access/pam_limits/account-expiry/session modules. Debian and Ubuntu ship with UsePAM yes by default
PubkeyAuthentication yes # Enable public key authentication
LoginGraceTime 30s # You have 30 sec to finish authentication or get disconnected!
StrictModes yes # Always check ownership and permissions of the user's ~/.ssh files before trusting them
MaxAuthTries 3 # Get kicked after 3 failed attempts (every key an agent offers counts as one, so use IdentitiesOnly on clients with many keys)
MaxSessions 10 # Allow 10 sessions per connection (default)
PermitUserEnvironment no # Don't allow ~/.ssh/environment or environment= key options to load
## Decide on authentication methods, normally keep it to just a public key
## You can make it really annoying, but also more secure...
AuthenticationMethods publickey # Only accept a public key
#AuthenticationMethods publickey,publickey # Require 2 different public keys (comma = all of them, in order; the same key can't be used twice)
## Break the glass: if you ever need password logins, CHANGE the three directives above
## (PasswordAuthentication, UsePAM, AuthenticationMethods) to the values below. Just uncommenting
## these lines does nothing, because the earlier "no"/"publickey" lines win.
#PasswordAuthentication yes # ONLY IF YOU NEED IN WITH A PASSWORD!
#UsePAM yes # ONLY IF YOU NEED IN WITH A PASSWORD!
#AuthenticationMethods publickey password # Space = either method is enough; "password" alone would lock out key-only users
## Allow specific users and groups
## This can really harden your setup, but also make it difficult to navigate larger infrastructures
## The rules below are meant for a "basic" setup...
## (AllowGroups/AllowUsers lines accumulate, so one per line is fine. A user must pass BOTH lists:
## be in an allowed group AND match an AllowUsers pattern.)
AllowGroups root # This could be commented out, but I like root users!
AllowGroups wheel # This could be commented out, but I like root users!
AllowGroups admin # Typical admin group name
AllowGroups ec2-admin # AWS: Amazon Linux images
AllowGroups ec2-user # AWS: Amazon Linux images
AllowGroups ec2 # AWS: Amazon Linux images
AllowGroups fedora # Cloud: Fedora images
AllowGroups centos # Cloud: CentOS images
AllowGroups ubuntu # Cloud: Ubuntu images
AllowGroups bitnami # Cloud: Bitnami images
AllowGroups pi # Raspberry Pi
AllowGroups adm # Some common shared user groups
AllowGroups users # Some common shared user groups
AllowGroups sudo # Some common shared user groups
AllowGroups dialout # Some common shared user groups
AllowGroups ssh-users # Make this group and add users who explicitly need ssh access
## Now for the users; add some with remote IPs if needed.
## If not, these 3 lines accept all internal LAN traffic etc.,
## as long as the group they are in is listed above!
## Allow any user from internal IP ranges
AllowUsers *@192.168.0.0/16 # Local IP CIDR
AllowUsers *@172.16.0.0/12 # Local IP CIDR
AllowUsers *@10.0.0.0/8 # Local IP CIDR
## Add your own gateway IPs, VPN egress, devops egress IP addresses here
#AllowUsers *@80.160.100.100/32 # Example, someone's home IP address
## Comment out the next line to lock down to the ranges above
AllowUsers *@0.0.0.0/0 # ALLOW ALL, just so we don't break anything out of the box! (Makes the three lines above redundant while it stays in)
## Logging / Information configuration
PrintLastLog yes # That fancy info output - yes, show the last logon message
PrintMotd yes # That fancy info output - yes, show the Message Of The Day (MOTD). On Debian/Ubuntu pam_motd already prints it, so set no there to avoid doubling up
SyslogFacility AUTH # Syslog facility to use (please keep it AUTH for compatibility)
#LogLevel WARN # Log level for production
LogLevel INFO # Log level with default setting
#LogLevel VERBOSE # Log level with lots of noise! (CIS allows INFO or VERBOSE; VERBOSE also records the fingerprint of every key a client offers)
#LogLevel DEBUG # Log level when you want to debug problems!
## Locking down all those fancy features of SSH
## We don't want them in a production environment please!
PermitTunnel no # Don't allow tun(4) device forwarding
AllowTcpForwarding no # Don't allow TCP forwarding (note: this also stops ProxyJump / -J through this host)
X11Forwarding no # Don't allow X11 forwarding
AllowAgentForwarding no # Don't allow SSH agent forwarding
GatewayPorts no # Don't let remote hosts connect to forwarded ports (moot with forwarding off, but explicit is good)
PermitTTY yes # Allow users to get a real TTY
AcceptEnv LANG LC_* # Allow clients to pass their locale variables
Subsystem sftp /usr/lib/openssh/sftp-server # Debian/Ubuntu path; RHEL/Fedora use /usr/libexec/openssh/sftp-server, or use "internal-sftp" which needs no path. Ansible uses sftp by default
## NOTE - MATCH MUST BE AT THE BOTTOM!! Everything after a Match line belongs to it until the next Match.
## Special Match blocks to let your security loose when they come from specific places
## This is super useful for devops/devsecops/vpn etc
## Special local network IP range settings
## (This basically allows root login from internal IP networks, key-only)
Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 # When they come from an internal network (comma-separated list, one block instead of three identical ones)
    PermitRootLogin yes # - Allow root logins etc. ("prohibit-password" is the self-documenting spelling when password auth is off anyway)
    PasswordAuthentication no # - Still no password accepted
    PubkeyAuthentication yes # - Must use a pub key
## Home-working devops access etc? Or a VPN IP
## Password OR key from one trusted address. UsePAM is NOT allowed inside a Match block; if your
## password auth needs PAM, set "UsePAM yes" in the global section above instead.
#Match Address 80.160.160.100/32 # Specific IP address (can be private or public)
#    PermitRootLogin no # - Don't allow root login, but
#    PasswordAuthentication yes # - we now accept a password or
#    PubkeyAuthentication yes # - a public key login
#    AuthenticationMethods publickey password # - either is enough (space = any one, comma = all). Two AuthenticationMethods lines would not work, only the first counts
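The break-glass comments and the Match blocks above only behave as described because of two sshd_config parsing rules: the first value of a single-valued keyword wins, and Match blocks override global values for the clients they match. The following is an added example, not part of the gist and not OpenSSH code, that models exactly those two rules over a constructed mini-config of the same shape and lints for duplicate lines sshd would ignore. `SAMPLE`, `ignored_duplicates` and `effective` are this illustration's own names; only `Match Address` is modelled, and the authoritative check on a real host remains `sshd -T -C addr=...,user=...`.

```python
"""Added illustration (not part of the gist, not OpenSSH code) of two
sshd_config parsing rules the config above relies on:

  1. Single-valued keywords: the FIRST value sshd reads wins; later
     duplicates in the same scope are ignored (AllowUsers/AllowGroups/
     AcceptEnv/Port/... are exceptions and accumulate).
  2. "Match Address" blocks override global values only for clients whose
     source address falls in one of the listed CIDRs; if several blocks
     match, the first block that sets a keyword wins.

Only "Match Address" is modelled; other Match criteria are rejected.
"""
import ipaddress

# Keywords sshd appends to a list instead of taking the first value.
CUMULATIVE = {"allowusers", "allowgroups", "denyusers", "denygroups",
              "acceptenv", "port", "listenaddress", "hostkey"}

# Constructed sample with the same shape as the gist's config.
SAMPLE = """\
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey
# the two lines below look like a break-glass switch but are ignored
PasswordAuthentication yes
AuthenticationMethods password
Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    PermitRootLogin yes
Match Address 203.0.113.7/32
    PasswordAuthentication yes
    AuthenticationMethods publickey password
"""


def _directives(text):
    """Yield (lineno, keyword, value) for non-comment lines, keyword lowercased."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        yield lineno, parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def parse(text):
    """Return (global_opts, [(networks, block_opts), ...]); first value wins per scope."""
    global_opts, blocks = {}, []
    current = global_opts
    for _, keyword, value in _directives(text):
        if keyword == "match":
            criterion, _, spec = value.partition(" ")
            if criterion.lower() != "address":
                raise ValueError("only 'Match Address' is modelled: " + value)
            nets = [ipaddress.ip_network(n.strip(), strict=False) for n in spec.split(",")]
            current = {}                      # new scope for this block
            blocks.append((nets, current))
        elif keyword in CUMULATIVE:
            current.setdefault(keyword, []).append(value)
        else:
            current.setdefault(keyword, value)   # first obtained value wins


    return global_opts, blocks


def ignored_duplicates(text):
    """Lint: (lineno, keyword) of lines sshd will silently ignore."""
    seen, ignored = set(), []
    for lineno, keyword, _ in _directives(text):
        if keyword == "match":
            seen = set()                      # a Match block is a fresh scope
        elif keyword in CUMULATIVE:
            continue
        elif keyword in seen:
            ignored.append((lineno, keyword))
        else:
            seen.add(keyword)
    return ignored


def effective(text, client_addr):
    """Options a client connecting from client_addr would actually get."""
    global_opts, blocks = parse(text)
    ip = ipaddress.ip_address(client_addr)
    from_match = {}
    for nets, opts in blocks:
        if any(ip in net for net in nets):
            for keyword, value in opts.items():
                from_match.setdefault(keyword, value)   # first matching block wins
    result = dict(global_opts)
    result.update(from_match)                 # Match values override global ones
    return result


if __name__ == "__main__":
    for lineno, keyword in ignored_duplicates(SAMPLE):
        print(f"line {lineno}: duplicate {keyword} is ignored by sshd")
    for addr in ("10.1.2.3", "198.51.100.9", "203.0.113.7"):
        opts = effective(SAMPLE, addr)
        print(addr, opts["permitrootlogin"], opts["passwordauthentication"],
              opts["authenticationmethods"])
```

Run against the sample, the linter flags the two "break-glass" lines as dead, a 10.x client gets `PermitRootLogin yes` while an Internet client keeps `no`, and only 203.0.113.7 gets the `publickey password` alternative. On a real server the same questions are answered by `sshd -t` (syntax) and `sshd -T -C addr=10.1.2.3,user=root` (effective settings for one connection).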