summaryrefslogtreecommitdiff
path: root/sshd_config
diff options
context:
space:
mode:
Diffstat (limited to 'sshd_config')
-rw-r--r--sshd_config114
1 files changed, 114 insertions, 0 deletions
diff --git a/sshd_config b/sshd_config
new file mode 100644
index 0000000..4007640
--- /dev/null
+++ b/sshd_config
@@ -0,0 +1,114 @@
+# Modified from K4YT3X Hardened OpenSSH Configuration
+
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# disallow automatically setting environment variables through ~/.ssh/environment
+PermitUserEnvironment no
+# disallow ssh-agent forwarding to prevent lateral movement
+AllowAgentForwarding no
+
+AllowTcpForwarding yes
+AllowStreamLocalForwarding yes
+# overrides all other forwarding switches
+DisableForwarding yes
+
+# disallow remote hosts from connecting to forwarded ports
+# i.e. forwarded ports are forced to bind to 127.0.0.1 instead of 0.0.0.0
+GatewayPorts no
+
+# prevent tun device forwarding
+PermitTunnel no
+
+# suppress MOTD
+PrintMotd no
+
+# disable X11 forwarding since it is not necessary
+X11Forwarding no
+
+########## Authentication ##########
+
+AuthenticationMethods publickey
+PasswordAuthentication no
+UsePAM no
+
+# challenge-response authentication backend it not configured by default
+# therefore, it is set to "no" by default to avoid the use of an unconfigured backend
+ChallengeResponseAuthentication no
+
+# set maximum authentication retries to prevent brute force attacks
+MaxAuthTries 3
+
+# disallow connecting using empty passwords
+PermitEmptyPasswords no
+PermitRootLogin no
+PubkeyAuthentication yes
+
+########## Cryptography ##########
+
+# explicitly define cryptography algorithms to avoid the use of weak algorithms
+# AES-CTR and Chacha20-Poly1305 modes have been removed to mitigate the Terrapin attack
+# https://terrapin-attack.com/
+Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com
+HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+
+# only use host keys with secure HostKeyAlgorithms
+# omit the ECDSA key since it is only used in conjunction with the NIST P-curves
+HostKey /etc/ssh/ssh_host_ed25519_key
+#HostKey /etc/ssh/ssh_host_rsa_key
+
+# short moduli should be deactivated before enabling the use of diffie-hellman-group-exchange-sha256
+# see this link for more details: https://github.com/k4yt3x/sshd_config#deactivating-short-diffie-hellman-moduli
+# AES-CTR and Chacha20-Poly1305 modes have been removed to mitigate the Terrapin attack
+# https://terrapin-attack.com/
+# ecdh-sha2-nistp* algorithms have been removed due to concerns around NIST P-curves' design
+# https://github.com/jtesta/ssh-audit/issues/213#issuecomment-1774204745
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
+
+########## Connection Preferences ##########
+
+# Debian-based distributions only
+# hide the Debian banner to prevent information disclosure
+# (e.g., `SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3`)
+#DebianBanner no
+
+# number of client alive messages sent without client responding
+ClientAliveCountMax 2
+
+# send a keepalive message to the client when the session has been idle for 300 seconds
+# this prevents/detects connection timeouts
+ClientAliveInterval 300
+
+# compression before encryption might cause security issues
+Compression no
+
+# prevent SSH trust relationships from allowing lateral movements
+IgnoreRhosts yes
+
+# log verbosely for additional information
+#LogLevel VERBOSE
+
+# allow a maximum of two multiplexed sessions over a single TCP connection
+MaxSessions 2
+
+# enforce SSH server to only use SSH protocol version 2
+# SSHv1 contains security issues and should be avoided at all costs
+# SSHv1 is disabled by default after OpenSSH 7.0, but this option is
+# specified anyways to ensure this configuration file's compatibility
+# with older versions of OpenSSH server
+Protocol 2
+
+# override default of no subsystems
+# path to the sftp-server binary depends on your distribution
+#Subsystem sftp /usr/lib/openssh/sftp-server
+#Subsystem sftp /usr/libexec/openssh/sftp-server
+Subsystem sftp internal-sftp
+
+# let ClientAliveInterval handle keepalive
+TCPKeepAlive no
+
+# disable reverse DNS lookups
+UseDNS no