the-bastion/etc/ssh/sshd_config.debian7

# Hardened SSHD bastion config -- modify wisely!
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
# With additional restrictions where applicable

# -lo and -rt users only have local console login
DenyUsers *-rt
DenyUsers *-lo

# hardened params follow. every non-needed feature is disabled by default,
# following the principle of least rights and least features (more enabled
# features mean a more important attack surface).

# === FEATURES ===

# disable non-needed sshd features
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
PermitUserEnvironment no
GatewayPorts no

# === INFORMATION DISCLOSURE ===

# don't yell to the world that we're running debian,
# this disables the debian string version on the server hello message
DebianBanner no

# however, display a legal notice for each connection
Banner /etc/ssh/banner

# don't print the bastion MOTD on connection
PrintMotd no

# === CRYPTOGRAPHY ===

# enforce the use of ssh version 2 protocol, version 1 is disabled.
# all sshd_config options regarding protocol 1 are therefore omitted.
Protocol 2

# only use hostkeys with RSA
HostKey /etc/ssh/ssh_host_rsa_key

# list of allowed ciphers.
# aes is a trusted standard, only allow it's ctr mode (cbc is not considered secure)
# we deny arcfour(rc4), 3des, blowfish and cast
Ciphers aes256-ctr,aes192-ctr,aes128-ctr

# list of allowed message authentication code algorithms.
# we prefer umac (has been proven secure) then sha2.
# we deny md5 and sha1
MACs umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256

# List of allowed key exchange algorithms.
# we allow diffie hellman with group exchange using sha256 which is
# the most secure dh-based kex.
# we avoid algorithms based on the disputed NIST curves, and anything based
# on sha1.
KexAlgorithms diffie-hellman-group-exchange-sha256

# === AUTHENTICATION ===

# we allow only public key authentication ...
PubkeyAuthentication yes
# ... not password
PasswordAuthentication no
# ... keyboard interactive (needed for MFA through PAM)
KbdInteractiveAuthentication yes
# ... not kerberos
KerberosAuthentication no
# ... challenge-response (needed for MFA through PAM)
ChallengeResponseAuthentication yes
# ... not host-based
HostbasedAuthentication no
# ... and not gssapi auth.
GSSAPIAuthentication no
GSSAPIKeyExchange no

# just in case, we also explicitly deny empty passwords
PermitEmptyPasswords no

# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
# which is not a security issue because the AuthenticationMethods below force the use of
# either publickey or publickey+keyboard-interactive, hence password-only login is never
# possible, for root or any other account for that matter
PermitRootLogin yes

# === LOGIN ===

# disconnect after 30 seconds if user didn't log in successfully
LoginGraceTime 30

# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
MaxSessions 1

# maximum concurrent unauth connections to the sshd daemon
MaxStartups 50:30:500

# accept LANG and LC_* vars (also includes LC_BASTION)
AcceptEnv LANG LC_*

# === SYSTEM ===

# Use kernel sandbox mechanisms where possible in unprivilegied processes (seccomp)
UsePrivilegeSeparation sandbox

# sshd log level at verbose in auth facility for auditing purposes
LogLevel VERBOSE
SyslogFacility AUTH

# check sanity of user HOME dir before allowing user to login
StrictModes yes

# never use dns (slows down connections)
UseDNS no

# use PAM facility
UsePAM yes

# Debian 7 doesn't support the AuthenticationMethods, hence we can't benefit
# from the bastion-nopam group (accountModify --pam-auth-bypass will not work)
#Match Group bastion-nopam
#	AuthenticationMethods publickey
#Match All
#	AuthenticationMethods publickey,keyboard-interactive:pam
Initial commit 2020-10-16 00:32:37 +08:00			`# Hardened SSHD bastion config -- modify wisely!`
			`# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH`
			`# With additional restrictions where applicable`

			`# -lo and -rt users only have local console login`
			`DenyUsers *-rt`
			`DenyUsers *-lo`

			`# hardened params follow. every non-needed feature is disabled by default,`
			`# following the principle of least rights and least features (more enabled`
			`# features mean a more important attack surface).`

			`# === FEATURES ===`

			`# disable non-needed sshd features`
			`AllowAgentForwarding no`
			`AllowTcpForwarding no`
			`X11Forwarding no`
			`PermitTunnel no`
			`PermitUserEnvironment no`
			`GatewayPorts no`

			`# === INFORMATION DISCLOSURE ===`

			`# don't yell to the world that we're running debian,`
			`# this disables the debian string version on the server hello message`
			`DebianBanner no`

			`# however, display a legal notice for each connection`
			`Banner /etc/ssh/banner`

			`# don't print the bastion MOTD on connection`
			`PrintMotd no`

			`# === CRYPTOGRAPHY ===`

			`# enforce the use of ssh version 2 protocol, version 1 is disabled.`
			`# all sshd_config options regarding protocol 1 are therefore omitted.`
			`Protocol 2`

			`# only use hostkeys with RSA`
			`HostKey /etc/ssh/ssh_host_rsa_key`

			`# list of allowed ciphers.`
			`# aes is a trusted standard, only allow it's ctr mode (cbc is not considered secure)`
			`# we deny arcfour(rc4), 3des, blowfish and cast`
			`Ciphers aes256-ctr,aes192-ctr,aes128-ctr`

			`# list of allowed message authentication code algorithms.`
			`# we prefer umac (has been proven secure) then sha2.`
			`# we deny md5 and sha1`
			`MACs umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256`

			`# List of allowed key exchange algorithms.`
			`# we allow diffie hellman with group exchange using sha256 which is`
			`# the most secure dh-based kex.`
			`# we avoid algorithms based on the disputed NIST curves, and anything based`
			`# on sha1.`
			`KexAlgorithms diffie-hellman-group-exchange-sha256`

			`# === AUTHENTICATION ===`

			`# we allow only public key authentication ...`
			`PubkeyAuthentication yes`
			`# ... not password`
			`PasswordAuthentication no`
			`# ... keyboard interactive (needed for MFA through PAM)`
			`KbdInteractiveAuthentication yes`
			`# ... not kerberos`
			`KerberosAuthentication no`
			`# ... challenge-response (needed for MFA through PAM)`
			`ChallengeResponseAuthentication yes`
			`# ... not host-based`
			`HostbasedAuthentication no`
			`# ... and not gssapi auth.`
			`GSSAPIAuthentication no`
			`GSSAPIKeyExchange no`

chore: fix typos everywhere 2020-11-06 01:36:17 +08:00			`# just in case, we also explicitly deny empty passwords`
Initial commit 2020-10-16 00:32:37 +08:00			`PermitEmptyPasswords no`

			`# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,`
			`# which is not a security issue because the AuthenticationMethods below force the use of`
			`# either publickey or publickey+keyboard-interactive, hence password-only login is never`
			`# possible, for root or any other account for that matter`
			`PermitRootLogin yes`

			`# === LOGIN ===`

			`# disconnect after 30 seconds if user didn't log in successfully`
			`LoginGraceTime 30`

			`# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)`
			`MaxSessions 1`

			`# maximum concurrent unauth connections to the sshd daemon`
			`MaxStartups 50:30:500`

			`# accept LANG and LC_* vars (also includes LC_BASTION)`
			`AcceptEnv LANG LC_*`

			`# === SYSTEM ===`

			`# Use kernel sandbox mechanisms where possible in unprivilegied processes (seccomp)`
			`UsePrivilegeSeparation sandbox`

			`# sshd log level at verbose in auth facility for auditing purposes`
			`LogLevel VERBOSE`
			`SyslogFacility AUTH`

			`# check sanity of user HOME dir before allowing user to login`
			`StrictModes yes`

			`# never use dns (slows down connections)`
			`UseDNS no`

			`# use PAM facility`
			`UsePAM yes`

			`# Debian 7 doesn't support the AuthenticationMethods, hence we can't benefit`
			`# from the bastion-nopam group (accountModify --pam-auth-bypass will not work)`
			`#Match Group bastion-nopam`
			`# AuthenticationMethods publickey`
			`#Match All`
			`# AuthenticationMethods publickey,keyboard-interactive:pam`