]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blobdiff - config/ssh/sshd_config
projects / people / pmueller / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
add hardened SSH server configuration
[people/pmueller/ipfire-2.x.git] / config / ssh / sshd_config
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
new file mode 100644 (file)
index 0000000..06329fb
--- /dev/null
+++ b/config/ssh/sshd_config
@@ -0,0 +1,81 @@
+# ultra-secure OpenSSH server configuration
+
+# only allow version 2 of SSH protocol
+Protocol 2
+
+# listen on port 22 by default
+Port 22
+
+# listen on these interfaces and protocols
+AddressFamily any
+ListenAddress 0.0.0.0
+
+# limit authentication thresholds
+LoginGraceTime 30s
+MaxAuthTries 3
+
+# limit maximum instanctes to prevent DoS
+MaxStartups 5
+
+# ensure proper logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# enforce permission checks before a login is accepted
+# (prevents damage because of hacked systems with world-writeable
+# home directories or similar)
+StrictModes yes
+
+# only allow safe crypto algorithms (may break some _very_ outdated clients)
+# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+# enable data compression after successful login only
+Compression delayed
+
+# only allow cryptographically safe SSH host keys (adjust paths if needed)
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# only allow login via public key by default
+PubkeyAuthentication yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PermitEmptyPasswords no
+
+# permit root login as there is no other user in IPFire 2.x
+PermitRootLogin yes
+
+# specify preferred authentication methods (public keys come first)
+AuthenticationMethods publickey,password
+
+# ignore user ~/.rhost* files
+IgnoreRhosts yes
+
+# ignore user known hosts file
+IgnoreUserKnownHosts yes
+
+# ignore user environments
+PermitUserEnvironment no
+
+# do not allow any kind of forwarding (provides only low security)
+# some of them might need to be re-enabled if SSH server is a jump platform
+X11Forwarding no
+AllowTcpForwarding no
+AllowAgentForwarding no
+PermitTunnel no
+GatewayPorts no
+PermitOpen none
+
+# detect broken sessions by sending keep-alive messages to
+# clients (both via TCP and SSH)
+TCPKeepAlive yes
+ClientAliveInterval 10
+
+# close unresponsive SSH sessions which fail to answer keep-alive
+ClientAliveCountMax 6
+
+# EOF
Peter's tree of IPFire 2.x