Theo's sshd configuration
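# Theo's sshd configuration
# Based on work by k4yt3x -- https://k4t.io/sshd
# See also https://infosec.mozilla.org/guidelines/openssh
#
# Created 2020-10-05
# Updated 2024-09-25
#
# Licensed under the GNU GPL v3
# https://www.gnu.org/licenses/gpl-3.0.txt
#
# Intended as /etc/ssh/sshd_config for OpenSSH. Check the syntax before
# reloading the daemon so a typo cannot lock you out:
#   sshd -t -f <path-to-this-file>
########## Binding ##########
# use an unusual port to reduce automated bruteforcing noise in auth.log
# this is not an access control: internet-wide scanners find non-standard
# ports, so the authentication settings below are what actually protect the host
Port 6182
########## Features ##########
# accept locale-related environment variables from the client
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# disallow forwarding
# note that any user with shell access can run their own forwarders,
# so these settings only stop sshd itself from acting as a relay
AllowTcpForwarding no
AllowStreamLocalForwarding no
PermitTunnel no
X11Forwarding no
# block SSH agent forwarding
# a compromised server could otherwise sign with keys from the client's agent;
# this may be changed if the risks are understood
AllowAgentForwarding no
########## Authentication ##########
# only allow pubkey authentication
AuthenticationMethods publickey
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# PAM is bypassed entirely: its account/session modules (e.g. pam_access,
# pam_limits) are not consulted, so confirm no local access policy relies on them
UsePAM no
# limit retries to prevent bruteforcing
# each public key the client offers counts as one attempt, so clients with
# many keys loaded in their agent may need IdentitiesOnly on their side
MaxAuthTries 3
# don't allow empty passwords or root ssh
PermitEmptyPasswords no
PermitRootLogin no
########## Cryptography ##########
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# AEAD ciphers are preferred; the CTR modes remain for older clients
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# this only lists the host key types sshd will offer; matching HostKey files
# (ed25519 and/or RSA) must still exist on the host
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
# encrypt-then-MAC variants only
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
# short moduli should be deactivated before enabling the use of diffie-hellman-group-exchange-sha256
# do this with:
# awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
# see also https://infosec.mozilla.org/guidelines/openssh
#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
########## Connection Preferences ##########
# number of client alive messages sent without client responding
# before sshd drops the session (roughly 2 x 300 s of silence)
ClientAliveCountMax 2
# send a keepalive message to the client when the session has been idle for 300 seconds
# this prevents/detects connection timeouts
ClientAliveInterval 300
# compression before encryption might cause security issues
Compression no
# prevent SSH trust relationships from allowing lateral movements
IgnoreRhosts yes
# log verbosely for additional information
# VERBOSE additionally records the fingerprint of rejected key offers, which
# helps attribute activity to a specific key during incident review
#LogLevel VERBOSE
# allow a maximum of two multiplexed sessions over a single TCP connection
MaxSessions 2
# SSH protocol 1 is no longer supported by the OpenSSH server and the old
# "Protocol" keyword is deprecated and ignored, so it is not set here
# path to the sftp-server binary depends on your distribution
#Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem sftp /usr/libexec/openssh/sftp-server
# internal-sftp needs no external binary, which also keeps chrooted SFTP simple
Subsystem sftp internal-sftp
# let ClientAliveInterval handle keepalive
TCPKeepAlive no
# disable reverse DNS lookups
# with UseDNS no, only IP addresses (not host names) can be used in
# authorized_keys from= restrictions and Match Host directives
UseDNS no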