Hardened SSHD_CONFIG
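# Name: K4YT3X Hardened OpenSSH Configuration
# Author: K4YT3X
# Date Created: October 5, 2020
# Last Updated: November 20, 2020
# Licensed under the GNU General Public License Version 3 (GNU GPL v3),
# available at: https://www.gnu.org/licenses/gpl-3.0.txt
# (C) 2020 K4YT3X
#
# Read by sshd(8) as sshd_config. Validate with `sshd -t -f <path>` before
# reloading, and keep an existing session open while testing: the
# Authentication section below leaves no password fallback, so a typo or a
# missing key can lock you out of the host.

# SSH server listening address and port
Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
# only listen to IPv4
#AddressFamily inet
# only listen to IPv6
#AddressFamily inet6

# accept locale-related environment variables
# (multiple AcceptEnv lines accumulate; keep the list minimal, since every
# accepted variable is client-controlled input to the login environment)
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# disallow ssh-agent forwarding to prevent lateral movement
AllowAgentForwarding no
# prevent TCP ports from being forwarded over SSH tunnels
AllowTcpForwarding no
# prevent StreamLocal (Unix-domain socket) forwarding
AllowStreamLocalForwarding no
# disables all forwarding features; the individual forwarding settings in this
# block are kept as well so the intent stays explicit on older OpenSSH servers
# that do not know the DisableForwarding keyword
DisableForwarding yes
# disallow remote hosts from connecting to forwarded ports
GatewayPorts no
# prevent tun device forwarding
PermitTunnel no
# suppress MOTD
PrintMotd no
# disable X11 forwarding since it is not necessary
X11Forwarding no

########## Authentication ##########
# require public-key authentication for every login; together with
# PasswordAuthentication and UsePAM being off there is no password path at all,
# so a working key (or a certificate signed by TrustedUserCAKeys below) must be
# in place before this file is activated
AuthenticationMethods publickey
PasswordAuthentication no
# PAM is disabled entirely; on most Linux distributions PAM also performs
# account and session handling (account expiry, pam_limits, ...), which will
# not run for SSH logins with this setting
UsePAM no
# challenge-response authentication backend is not configured by default
# therefore, it is set to "no" by default to avoid the use of an unconfigured backend
# (newer OpenSSH releases treat this keyword as an alias of
# KbdInteractiveAuthentication)
ChallengeResponseAuthentication no
# set maximum authentication retries to prevent brute force attacks
MaxAuthTries 3
# disallow connecting using empty passwords
PermitEmptyPasswords no
# prevent root from being logged in via SSH
PermitRootLogin no
# enable pubkey authentication
PubkeyAuthentication yes

########## Cryptography ##########
# explicitly define cryptography algorithms to avoid the use of weak algorithms
# NOTE: the rendered copy of this gist showed every "@openssh.com" /
# "@libssh.org" suffix as "[email protected]" (email obfuscation); the names
# below are the standard OpenSSH identifiers, restored in the order the
# obfuscated entries appeared. Confirm each is supported on the target host with
# `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex`.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# offer the certificate form as well: HostKeyAlgorithms restricts what sshd
# offers, and with only ssh-ed25519 listed the HostCertificate configured below
# is never presented, so clients silently fall back to the plain host key
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
# short moduli should be deactivated before enabling the use of diffie-hellman-group-exchange-sha256
# see this link for more details: https://github.com/k4yt3x/sshd_config#deactivating-short-diffie-hellman-moduli
#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

########## Connection Preferences ##########
# number of client alive messages sent without client responding
ClientAliveCountMax 2
# send a keepalive message to the client when the session has been idle for 300 seconds
# this prevents/detects connection timeouts
ClientAliveInterval 300
# compression before encryption might cause security issues
Compression no
# prevent SSH trust relationships from allowing lateral movements
IgnoreRhosts yes
# log verbosely for additional information
# (VERBOSE also records the fingerprints of keys offered during
# authentication, which is what an investigation needs to tie a session to a
# specific key)
#LogLevel VERBOSE
# allow a maximum of two multiplexed sessions over a single TCP connection
MaxSessions 2
# enforce SSH server to only use SSH protocol version 2
# SSHv1 contains security issues and should be avoided at all costs
# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
# specified anyways to ensure this configuration file's compatibility
# with older versions of OpenSSH server (recent releases, which no longer
# implement SSHv1, should accept and ignore the keyword)
Protocol 2
# override default of no subsystems
# path to the sftp-server binary depends on your distribution
#Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# let ClientAliveInterval handle keepalive
TCPKeepAlive no
# disable reverse DNS lookups
UseDNS no

########## Keys, Certificates and Access Control ##########
# CA public key whose signed user certificates are accepted for login;
# keep the CA's private key off this host and prefer short-lived certificates
TrustedUserCAKeys /etc/ssh/ca.pub
# only an Ed25519 host key is loaded, matching HostKeyAlgorithms above
HostKey /etc/ssh/ssh_host_ed25519_key
# host certificate for the key above; only presented when the -cert-v01
# algorithm is included in HostKeyAlgorithms
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
# only members of this group may log in; the group must exist on the host or
# every login is refused (check with `getent group ssh-users`)
AllowGroups ssh-users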