@philcryer
Created March 23, 2015 21:26
sshd configuration exercise, ongoing, not ready for use (yet).
#### sshd_config (/etc/ssh/sshd_config)
#### philcryer/secure-sshd
#### 2015-03-23 / mit licensed
#### after any changes, test with (-t checks that the file parses; -T additionally prints the effective config)
#### /usr/sbin/sshd -t -f /etc/ssh/sshd_config
# Port (a non-default port cuts scanner and brute-force noise in the logs; it is obscurity, not a control)
Port 22122
# PermitOpen restricts the destinations clients may forward to; irrelevant while AllowTcpForwarding is no
#PermitOpen localhost:80
#PidFile /var/run/sshd.pid
# IPs (turn off ipv6, only listen on ipv4 if that's how you roll)
#ListenAddress ::
AddressFamily inet
ListenAddress 0.0.0.0
#ListenAddress 127.0.0.1
# Protocols (only use 2, not 1)
Protocol 2
# Ciphers/MACs (as of Q4 2014; hmac-sha1 and the 96-bit truncated MACs were the weak tail of the list and are dropped)
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Turn on privilege separation
UsePrivilegeSeparation yes
# Logging (VERBOSE also logs the fingerprint of the key that matched, handy for tracing which key logged in)
SyslogFacility AUTH
#LogLevel INFO
LogLevel VERBOSE
# Authentication:
#LoginGraceTime 120
LoginGraceTime 50s
#PermitRootLogin yes
PermitRootLogin no
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Do you need port forwarding? Off by default; re-enable per user in a Match block if you must
AllowTcpForwarding no
X11Forwarding no
# If X11 forwarding is ever enabled, keep the proxy display bound to loopback
X11UseLocalhost yes
X11DisplayOffset 10
GatewayPorts no
# Authentication methods: public keys only (RSAAuthentication is the protocol 1 option and does nothing with Protocol 2)
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Protocol 1 host-based auth, off (enabling it would also need host keys in /etc/ssh/ssh_known_hosts)
RhostsRSAAuthentication no
# The protocol 2 equivalent, also off
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for host-based authentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
ChallengeResponseAuthentication no
# Disable tunnelled clear text passwords / Enforce the use of private keys for login
PasswordAuthentication no
# Reverse DNS checks: VerifyReverseMapping is a deprecated alias that sshd parses and ignores; UseDNS (below) is the live switch
# Compression (useful on slow links only)
Compression no
# Keepalive probes: disconnect a client that stops answering (an idle but live client keeps answering, so this is not an idle timeout)
ClientAliveInterval 300
# One unanswered probe ends the session; 0 has changed meaning across OpenSSH releases, so avoid it
ClientAliveCountMax 1
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
PrintMotd no
PrintLastLog yes
#TCPKeepAlive no
TCPKeepAlive yes
UseLogin no
# Limit concurrent unauthenticated connections, start:rate:full (drop 30% of new ones past 10, all past 60)
#MaxStartups 10:30:60
#MaxStartups 10
#Banner /etc/issue.net
#Banner /etc/banner
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem sftp /usr/libexec/sftp-server
# Don't resolve client addresses (avoids login delays on bad DNS; from= patterns in authorized_keys then match on IPs only)
UseDNS no
# PAM still runs account and session modules; PAM password auth stays unreachable while ChallengeResponseAuthentication is no
UsePAM yes
# 6 is the default; sshd logs every further failure once half this value is reached
MaxAuthTries 6
# Only allow specific users/groups to connect
#AllowUsers backupadm@10.10.10.3 johnny@192.168.* fred
#AllowGroups admins
# Lock abilities per user. Match blocks must come last: every directive after a Match line belongs to that block
#Match User anonuser
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand git server
# PermitUserEnvironment lets ~/.ssh/environment and environment= entries in authorized_keys set variables such as
# LD_PRELOAD before the shell starts, which is how a restricted shell (rssh, git-shell) or ForceCommand gets bypassed. Keep it off.
PermitUserEnvironment no
# other ideas
# enable 2FA via Google Authenticator (http://digitaljournal.sg/wp/?p=146)
#
# openssh faq - http://www.openssh.com/faq.html
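The `sshd -t` check in the header only tells you whether sshd will accept the file. It does not tell you which of two duplicated directives takes effect (an easy slip in a long file like this one), that a deprecated keyword such as VerifyReverseMapping was parsed and then ignored, or that anything placed after a Match line belongs to that block. On a real host `sshd -T -f <file>` prints the effective configuration and is the authoritative check; the script below is an added example, not part of this gist or of OpenSSH, that re-implements those parsing rules so a file can be audited offline. Its GLOBAL_ONLY subset, NO_EFFECT table and POLICY are the example's own choices, and SAMPLE_CONFIG is constructed to reproduce the mistakes discussed above.

```python
"""Audit an sshd_config the way sshd(8) reads it (added example, not part of the gist).
Rules from sshd_config(5) that `sshd -t` will not explain: keywords are case-insensitive and
the FIRST occurrence wins; every line after `Match` belongs to that block and global-only
keywords there fail `sshd -t`; deprecated keywords parse fine and do nothing.
GLOBAL_ONLY, NO_EFFECT and POLICY are this example's own tables; SAMPLE_CONFIG is constructed."""
import re
from typing import Dict, List, Tuple

# Subset of keywords sshd_config(5) does not permit inside a Match block.
GLOBAL_ONLY = {"port", "listenaddress", "addressfamily", "protocol", "hostkey", "ciphers",
               "macs", "kexalgorithms", "usedns", "usepam", "syslogfacility", "strictmodes",
               "permituserenvironment", "logingracetime", "subsystem", "compression",
               "tcpkeepalive", "printmotd", "printlastlog", "ignorerhosts"}
# Keywords sshd accepts but which change nothing on a Protocol 2 server.
NO_EFFECT = {"verifyreversemapping": "deprecated alias of UseDNS, ignored",
             "reversemappingcheck": "deprecated alias of UseDNS, ignored",
             "rsaauthentication": "protocol 1 only", "rhostsrsaauthentication": "protocol 1 only"}
# Hardening policy enforced by audit(): each value must be set explicitly.
POLICY = {"permitrootlogin": "no", "passwordauthentication": "no", "permitemptypasswords": "no",
          "permituserenvironment": "no", "x11forwarding": "no"}
Setting = Tuple[str, int]  # (value as written, line number)


def parse_sshd_config(text: str) -> Tuple[Dict[str, Setting], List[dict], List[str]]:
    """Return (effective global settings, Match blocks, findings). '#' lines and blanks are
    skipped; keyword and argument split on whitespace or '='; keywords compare lower-cased."""
    effective: Dict[str, Setting] = {}
    blocks: List[dict] = []
    findings: List[str] = []
    block = None  # the Match block currently open, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword, key = parts[0], parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            block = {"criteria": value, "line": lineno, "settings": {}}
            blocks.append(block)
            continue
        if key in NO_EFFECT:
            findings.append(f"line {lineno}: {keyword} has no effect ({NO_EFFECT[key]})")
        if block is not None:
            if key in GLOBAL_ONLY:
                findings.append(f"line {lineno}: {keyword} is not allowed inside the Match "
                                f"block opened on line {block['line']}; sshd -t rejects this")
            block["settings"].setdefault(key, (value, lineno))  # first wins here too
            continue
        if key in effective:
            first_value, first_line = effective[key]
            findings.append(f"line {lineno}: duplicate {keyword} ignored; '{first_value}' "
                            f"from line {first_line} is what sshd uses")
        else:
            effective[key] = (value, lineno)
    return effective, blocks, findings


def audit(text: str) -> List[str]:
    """Parse `text` and return every finding, POLICY violations included."""
    effective, _blocks, findings = parse_sshd_config(text)
    for key, wanted in POLICY.items():
        if key not in effective:
            findings.append(f"{key}: not set, the compiled-in default applies; set '{wanted}' explicitly")
        elif effective[key][0].lower() != wanted:
            value, lineno = effective[key]
            findings.append(f"line {lineno}: {key} is '{value}', policy requires '{wanted}'")
    return findings


# Constructed sample: a deprecated keyword, a duplicate that loses, PermitUserEnvironment
# left on, and a global-only directive placed after a Match block.
SAMPLE_CONFIG = """\
Port 22122
Protocol 2
VerifyReverseMapping yes
UseDNS no
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment yes
permitrootlogin yes
Match User anonuser
    X11Forwarding no
    ForceCommand /usr/bin/git-shell
UseDNS no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against SAMPLE_CONFIG and it reports five findings: the ignored VerifyReverseMapping, the losing lower-case duplicate of PermitRootLogin, the UseDNS line that sshd would reject inside the Match block, PermitUserEnvironment set to yes, and X11Forwarding left to its compiled-in default. Feed it a real file with `audit(open("/etc/ssh/sshd_config").read())` to get the same report, then confirm with `sshd -T` on the host.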