config/ssh/sshd_config

   1 # ultra-secure OpenSSH server configuration
   2
   3 # only allow version 2 of SSH protocol
   4 Protocol 2
   5
   6 # listen on port 22 by default
   7 Port 22
   8
   9 # listen on these interfaces and protocols
  10 AddressFamily any
  11 ListenAddress 0.0.0.0
  12
  13 # limit authentication thresholds
  14 LoginGraceTime 30s
  15 MaxAuthTries 6
  16
  17 # limit maximum instanctes to prevent DoS
  18 MaxStartups 5
  19
  20 # ensure proper logging
  21 SyslogFacility AUTH
  22 LogLevel INFO
  23
  24 # enforce permission checks before a login is accepted
  25 # (prevents damage because of hacked systems with world-writeable
  26 # home directories or similar)
  27 StrictModes yes
  28
  29 # only allow safe crypto algorithms (may break some _very_ outdated clients)
  30 # see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
  31 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  32 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  33 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
  34
  35 # enable data compression after successful login only
  36 Compression delayed
  37
  38 # only allow cryptographically safe SSH host keys (adjust paths if needed)
  39 HostKey /etc/ssh/ssh_host_ed25519_key
  40 HostKey /etc/ssh/ssh_host_ecdsa_key
  41 HostKey /etc/ssh/ssh_host_rsa_key
  42
  43 # only allow login via public key by default
  44 PubkeyAuthentication yes
  45 PasswordAuthentication no
  46 ChallengeResponseAuthentication no
  47 PermitEmptyPasswords no
  48
  49 # permit root login as there is no other user in IPFire 2.x
  50 PermitRootLogin yes
  51
  52 # ignore user ~/.rhost* files
  53 IgnoreRhosts yes
  54
  55 # ignore user known hosts file
  56 IgnoreUserKnownHosts yes
  57
  58 # ignore user environments
  59 PermitUserEnvironment no
  60
  61 # do not allow any kind of forwarding (provides only low security)
  62 # some of them might need to be re-enabled if SSH server is a jump platform
  63 X11Forwarding no
  64 AllowTcpForwarding no
  65 AllowAgentForwarding no
  66 PermitTunnel no
  67 GatewayPorts no
  68 PermitOpen none
  69
  70 # detect broken sessions by sending keep-alive messages to
  71 # clients (both via TCP and SSH)
  72 TCPKeepAlive yes
  73 ClientAliveInterval 10
  74
  75 # close unresponsive SSH sessions which fail to answer keep-alive
  76 ClientAliveCountMax 6
  77
  78 # add support for SFTP
  79 Subsystem       sftp    /usr/lib/openssh/sftp-server
  80
  81 # EOF