1 | # ultra-secure OpenSSH server configuration |
2 | ||
3 | # only allow version 2 of SSH protocol | |
4 | Protocol 2 | |
5 | ||
6 | # listen on port 22 by default | |
7 | Port 22 | |
8 | ||
9 | # listen on these interfaces and protocols | |
10 | AddressFamily any | |
11 | ListenAddress 0.0.0.0 | |
12 | ||
13 | # limit authentication thresholds | |
14 | LoginGraceTime 30s | |
0a5823db | 15 | MaxAuthTries 6 |
16 | |
17 | # limit the maximum number of concurrent unauthenticated connections to prevent DoS | |
18 | MaxStartups 5 | |
19 | ||
20 | # ensure proper logging | |
21 | SyslogFacility AUTH | |
22 | LogLevel INFO | |
23 | ||
24 | # enforce permission checks before a login is accepted | |
25 | # (prevents damage from compromised systems with world-writable | |
26 | # home directories or similar) | |
27 | StrictModes yes | |
28 | ||
29 | # only allow safe crypto algorithms (may break some _very_ outdated clients) | |
30 | # see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html | |
31 | KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 | |
32 | Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr | |
33 | MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com | |
34 | ||
35 | # enable data compression after successful login only | |
36 | Compression delayed | |
37 | ||
38 | # only allow cryptographically safe SSH host keys (adjust paths if needed) | |
39 | HostKey /etc/ssh/ssh_host_ed25519_key | |
40 | HostKey /etc/ssh/ssh_host_ecdsa_key | |
41 | HostKey /etc/ssh/ssh_host_rsa_key | |
42 | ||
43 | # only allow login via public key by default | |
44 | PubkeyAuthentication yes | |
45 | PasswordAuthentication no | |
46 | ChallengeResponseAuthentication no | |
47 | PermitEmptyPasswords no | |
48 | ||
49 | # permit root login as there is no other user in IPFire 2.x | |
50 | PermitRootLogin yes | |
51 | ||
52 | # ignore user ~/.rhost* files |
53 | IgnoreRhosts yes | |
54 | ||
55 | # ignore user known hosts file | |
56 | IgnoreUserKnownHosts yes | |
57 | ||
58 | # ignore user environments | |
59 | PermitUserEnvironment no | |
60 | ||
61 | # do not allow any kind of forwarding (these features provide only weak security) | |
62 | # some of them might need to be re-enabled if the SSH server is used as a jump host | |
63 | X11Forwarding no | |
64 | AllowTcpForwarding no | |
65 | AllowAgentForwarding no | |
66 | PermitTunnel no | |
67 | GatewayPorts no | |
68 | PermitOpen none | |
69 | ||
70 | # detect broken sessions by sending keep-alive messages to | |
71 | # clients (both via TCP and SSH) | |
72 | TCPKeepAlive yes | |
73 | ClientAliveInterval 10 | |
74 | ||
75 | # close unresponsive SSH sessions which fail to answer keep-alive | |
76 | ClientAliveCountMax 6 | |
77 | ||
78 | # add support for SFTP |
79 | Subsystem sftp /usr/lib/openssh/sftp-server | |
80 | ||
38485efa | 81 | # EOF |