ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-01-06 07:22:14 +08:00
Code Issues Projects Releases Packages Wiki Activity
the-bastion/etc/ssh/sshd_config.debian7
Stéphane Lesimple a68ccb3f8c feat: add new OSes and deprecate old ones 
add:
- Debian 11
- RockyLinux 8

remove:
- OpenSUSE Leap 15.2
- Old minor versions of CentOS 7.x
- Old minor versions of CentOS 8.x
2021-12-21 12:00:04 +01:00

122 lines
3.6 KiB
Text
Raw Blame History

# Hardened SSHD bastion config -- modify wisely!
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
# With additional restrictions where applicable
# -lo and -rt users only have local console login
DenyUsers *-rt
DenyUsers *-lo
# hardened params follow. every non-needed feature is disabled by default,
# following the principle of least rights and least features (more enabled
# features mean a more important attack surface).
# === FEATURES ===
# disable non-needed sshd features
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
PermitUserEnvironment no
GatewayPorts no
# === INFORMATION DISCLOSURE ===
# don't yell to the world that we're running debian,
# this disables the debian string version on the server hello message
DebianBanner no
# however, display a legal notice for each connection
Banner /etc/ssh/banner
# don't print the bastion MOTD on connection
PrintMotd no
# === CRYPTOGRAPHY ===
# enforce the use of ssh version 2 protocol, version 1 is disabled.
# all sshd_config options regarding protocol 1 are therefore omitted.
Protocol 2
# only use hostkeys with RSA
HostKey /etc/ssh/ssh_host_rsa_key
# list of allowed ciphers.
# aes is a trusted standard, only allow it's ctr mode (cbc is not considered secure)
# we deny arcfour(rc4), 3des, blowfish and cast
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
# list of allowed message authentication code algorithms.
# we prefer umac (has been proven secure) then sha2.
# we deny md5 and sha1
MACs umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
# List of allowed key exchange algorithms.
# we allow diffie hellman with group exchange using sha256 which is
# the most secure dh-based kex.
# we avoid algorithms based on the disputed NIST curves, and anything based
# on sha1.
KexAlgorithms diffie-hellman-group-exchange-sha256
# === AUTHENTICATION ===
# we allow only public key authentication ...
PubkeyAuthentication yes
# ... not password
PasswordAuthentication no
# ... keyboard interactive (needed for MFA through PAM)
KbdInteractiveAuthentication yes
# ... not kerberos
KerberosAuthentication no
# ... challenge-response (needed for MFA through PAM)
ChallengeResponseAuthentication yes
# ... not host-based
HostbasedAuthentication no
# ... and not gssapi auth.
GSSAPIAuthentication no
GSSAPIKeyExchange no
# just in case, we also explicitly deny empty passwords
PermitEmptyPasswords no
# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
# which is not a security issue because the AuthenticationMethods below force the use of
# either publickey or publickey+keyboard-interactive, hence password-only login is never
# possible, for root or any other account for that matter
PermitRootLogin yes
# === LOGIN ===
# disconnect after 30 seconds if user didn't log in successfully
LoginGraceTime 30
# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
MaxSessions 1
# maximum concurrent unauth connections to the sshd daemon
MaxStartups 50:30:500
# accept LANG and LC_* vars (also includes LC_BASTION)
AcceptEnv LANG LC_*
# === SYSTEM ===
# sshd log level at verbose in auth facility for auditing purposes
LogLevel VERBOSE
SyslogFacility AUTH
# check sanity of user HOME dir before allowing user to login
StrictModes yes
# never use dns (slows down connections)
UseDNS no
# use PAM facility
UsePAM yes
# Debian 7 doesn't support the AuthenticationMethods, hence we can't benefit
# from the bastion-nopam group (accountModify --pam-auth-bypass will not work)
#Match Group bastion-nopam
# AuthenticationMethods publickey
#Match All
# AuthenticationMethods publickey,keyboard-interactive:pam
Reference in a new issue View git blame Copy permalink