From 2ada07cf66727ea66283c55c0ba078489b3db94e Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Thu, 7 Aug 2025 22:23:03 -0500
Subject: [PATCH] Add SSH hardening config
---
 etc/ssh/ssh_config.d/30_security-misc.conf | 19 +++
 etc/ssh/sshd_config.d/30_security-misc.conf | 79 +++++++++++++++++++++
 2 files changed, 98 insertions(+)
 create mode 100644 etc/ssh/ssh_config.d/30_security-misc.conf
 create mode 100644 etc/ssh/sshd_config.d/30_security-misc.conf
diff --git a/etc/ssh/ssh_config.d/30_security-misc.conf b/etc/ssh/ssh_config.d/30_security-misc.conf
new file mode 100644
index 0000000..6693f72
--- /dev/null
+++ b/etc/ssh/ssh_config.d/30_security-misc.conf
@@ -0,0 +1,19 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+## Don't edit this file, to overwrite any options, edit a file with a higher
+## number that is read later by SSH, such as
+## '/etc/ssh/ssh_config.d/50_user.conf'. If your configuration changes do not
+## need to be system-wide, you may also consider placing overrides in
+## ~/.ssh/config.
+
+Host *
+ VisualHostKey yes
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+ MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+ KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
+ ## To force the use of quantum-resistant key exchange algorithms, override
+ ## the above with
+ # KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
+ HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519
+ PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519
diff --git a/etc/ssh/sshd_config.d/30_security-misc.conf b/etc/ssh/sshd_config.d/30_security-misc.conf
new file mode 100644
index 0000000..5abf9cc
--- /dev/null
+++ b/etc/ssh/sshd_config.d/30_security-misc.conf
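Review bot: The `KexAlgorithms` line in the `Host *` block names `mlkem768x25519-sha256` and the un-suffixed `sntrup761x25519-sha512`, which only exist from OpenSSH 9.9 on; ssh validates every name in a KexAlgorithms list when it parses the config and rejects the whole file on an unknown one (`Bad SSH2 KexAlgorithms`), so on an older client this drop-in breaks every ssh invocation rather than falling back to the remaining algorithms. The sshd `KexAlgorithms` line in the second hunk carries the same dependency and sshd refuses to start in the same way. If the package only targets releases that ship OpenSSH 9.9 or newer, say so beside the directive, e.g. `## Requires OpenSSH >= 9.9: mlkem768x25519-sha256 and sntrup761x25519-sha512 are unknown to older versions, which reject the entire list.`; otherwise leave those two names out until the minimum version is raised. Restricting `HostKeyAlgorithms` to the ed25519 types also makes ssh refuse any server that has no ed25519 host key with no obvious cause, so a one-line comment pointing at the `50_user.conf` override would save users a confusing failure.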
@@ -0,0 +1,79 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+## Don't edit this file, to overwrite any options, edit a file with a higher
+## number that is read later by SSHD, such as
+## '/etc/ssh/sshd_config.d/50_user.conf'.
+
+## This is okay because of strict firewall. For an onion-only server, listen
+## on 127.0.0.1.
+ListenAddress 0.0.0.0
+
+## Number of allowed login attempts per connection.
+MaxAuthTries 3
+
+## Require strong ciphers and algorithms.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKeyAlgorithms ssh-ed25519
+PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
+## To force the use of quantum-resistant key exchange algorithms, override the
+## above with
+# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
+
+## Override with 'no' to fully deny root login, or leave this as
+## 'prohibit-password' for denying root password login but still allowing
+## other authentication methods such as public key.
+PermitRootLogin prohibit-password
+
+## Public key authentication is transparent, non-interactive and more secure.
+PasswordAuthentication no
+
+## Change to 'yes' to enable challenge-response passwords (beware issues with
+## some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+## PAM can be used for account and session processing when using
+## ChallengeResponseAuthentication or PasswordAuthentication.
+##
+## Depending on your PAM configuration, PAM authentication via
+## ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin
+## without-password".
+##
+## If you want PAM account and session checks to run without PAM
+## authentication, then enable this but set PasswordAuthentication and
+## ChallengeResponseAuthentication to 'no'.
+##
+## The default upstream is 'no', Debian sets this to 'yes'. If using a locked
+## account, read:
+## https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table
+## We set it to 'yes' to work with libpam-tmpdir.
+## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation@libpam-tmpdir
+## Also folders such as '/run/user/1000' will exist thanks to PAM.
+## The absence of that folder can lead to issues (such as with msgcollector).
+UsePAM yes
+
+## Block dangerous forwarding.
+AllowAgentForwarding no
+AllowTcpForwarding no
+X11Forwarding no
+
+## Hide unnecessary login banners.
+PrintMotd no
+#Banner /etc/issue.net
+#Hiding Debian version from SSH banner (obscurity)
+DebianBanner no
+
+## Some options are dangerous but may be required in certain circumstances. As
+## an example, if forwarding is required, selectively allow it with a 'Match'
+## block. Consider a new separate user named 'tunnel' which wants to forward
+## its local port to be available on the server on port 443. Note that a
+## tunnel user doesn't even require a TTY nor a shell, so don't forget to
+## change the 'tunnel' shell to something that prevents login such as
+## '/usr/sbin/nologin'.
+#Match User tunnel
+# AllowTcpForwarding yes
+# PermitListen localhost:443
+# PermitTTY no
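Review bot: `ListenAddress 0.0.0.0` cannot be overridden from a higher-numbered drop-in the way the file header promises, because ListenAddress is one of the cumulative sshd_config keywords (several are permitted and each adds a listening socket) rather than a first-value-wins one, so the `ListenAddress 127.0.0.1` the comment suggests for an onion-only server, placed in `50_user.conf`, leaves sshd still bound to 0.0.0.0 as well. The line also narrows sshd's default of listening on all local addresses to IPv4 only, silently dropping `::`. Since the default already listens everywhere, the safer shape is to ship the directive commented out with the guidance next to it, e.g. `## ListenAddress directives accumulate across files and the default listens on all addresses; for an onion-only server set 'ListenAddress 127.0.0.1' in a higher-numbered file.` followed by `#ListenAddress 0.0.0.0`. The UsePAM commentary still refers to `ChallengeResponseAuthentication` and `PermitRootLogin without-password`, the deprecated aliases of the `KbdInteractiveAuthentication` and `prohibit-password` spellings this file itself uses; worth aligning while the file is new.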