mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-25 18:16:39 -05:00
Add SSH hardening config
This commit is contained in:
parent
5f2425ba6f
commit
2ada07cf66
2 changed files with 98 additions and 0 deletions
19
etc/ssh/ssh_config.d/30_security-misc.conf
Normal file
@ -0,0 +1,19 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Don't edit this file, to overwrite any options, edit a file with a higher
## number that is read later by SSH, such as
## '/etc/ssh/ssh_config.d/50_user.conf'. If your configuration changes do not
## need to be system-wide, you may also consider placing overrides in
## ~/.ssh/config.
Host *
VisualHostKey yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
## To force the use of quantum-resistant key exchange algorithms, override
## the above with
# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519
PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519
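Review bot: the override instructions in the header comment ("edit a file with a higher number that is read later by SSH") do not hold for ssh(1): the client uses the first obtained value for each keyword, so a `50_user.conf` included after `30_security-misc.conf` cannot change `Ciphers`, `KexAlgorithms` or anything else declared here. Point users at a lower-numbered drop-in that is read earlier, or at `~/.ssh/config`, which ssh reads before the system-wide file and which the comment already mentions. Two smaller points: the `KexAlgorithms` line hard-codes `mlkem768x25519-sha256` and the unsuffixed `sntrup761x25519-sha512`, which only recent OpenSSH releases recognise, and ssh aborts with "Bad SSH2 KexAlgorithms" when a plain list contains a name it does not know, so state the minimum OpenSSH version this was tested against and verify the effective lists with `ssh -G localhost`. The `Ciphers` list keeps `aes256-ctr` while the sshd file in this commit drops it; if that asymmetry is deliberate (client compatibility with third-party servers), a one-line comment would save the next reader the question.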
79
etc/ssh/sshd_config.d/30_security-misc.conf
Normal file
@ -0,0 +1,79 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Don't edit this file, to overwrite any options, edit a file with a higher
## number that is read later by SSHD, such as
## '/etc/ssh/sshd_config.d/50_user.conf'.
## This is okay because of strict firewall. For an onion-only server, listen
## on 127.0.0.1.
ListenAddress 0.0.0.0
## Number of allowed login attempts per connection.
MaxAuthTries 3
## Require strong ciphers and algorithms.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
## To force the use of quantum-resistant key exchange algorithms, override the
## above with
# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
## Override with 'no' to fully deny root login, or leave this as
## 'prohibit-password' for denying root password login but still allowing
## other authentication methods such as public key.
PermitRootLogin prohibit-password
## Public key authentication is transparent, non-interactive and more secure.
PasswordAuthentication no
## Change to 'yes' to enable challenge-response passwords (beware issues with
## some PAM modules and threads)
KbdInteractiveAuthentication no
## PAM can be used for account and session processing when using
## ChallengeResponseAuthentication or PasswordAuthentication.
##
## Depending on your PAM configuration, PAM authentication via
## ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin
## without-password".
##
## If you want PAM account and session checks to run without PAM
## authentication, then enable this but set PasswordAuthentication and
## ChallengeResponseAuthentication to 'no'.
##
## The default upstream is 'no', Debian sets this to 'yes'. If using a locked
## account, read:
## https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table
## We set it to 'yes' to work with libpam-tmpdir.
## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation@libpam-tmpdir
## Also folders such as '/run/user/1000' will exist thanks to PAM.
## The absence of that folder can lead to issues (such as with msgcollector).
UsePAM yes
## Block dangerous forwarding.
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
## Hide unnecessary login banners.
PrintMotd no
#Banner /etc/issue.net
#Hiding Debian version from SSH banner (obscurity)
DebianBanner no
## Some options are dangerous but may be required in certain circumstances. As
## an example, if forwarding is required, selectively allow it with a 'Match'
## block. Consider a new separate user named 'tunnel' which wants to forward
## its local port to be available on the server on port 443. Note that a
## tunnel user doesn't even require a TTY nor a shell, so don't forget to
## change the 'tunnel' shell to something that prevents login such as
## '/usr/sbin/nologin'.
#Match User tunnel
# AllowTcpForwarding yes
# PermitListen localhost:443
# PermitTTY no
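Review bot: `ListenAddress 0.0.0.0` restricts sshd to IPv4; the default listens on both address families, so this line silently drops IPv6 unless a matching `ListenAddress ::` is added, and the comment above it should say which behaviour is intended. The header comment has the same override problem as the client file in this commit: sshd(8) also applies the first obtained value for each keyword, so a `50_user.conf` read after this file cannot change `PermitRootLogin`, `PasswordAuthentication` or the rest; the documented override path needs a lower-numbered drop-in that is read earlier. The `UsePAM` comment refers to `ChallengeResponseAuthentication` and to `PermitRootLogin without-password`, both deprecated aliases of the `KbdInteractiveAuthentication` and `prohibit-password` spellings the file actually sets; use the current names so the comment matches the directives. `DebianBanner` is only understood by Debian's patched sshd and is a fatal unknown option elsewhere, so note that dependency, and its comment uses a single `#` where the rest of the file uses `##` for prose. In the `Match User tunnel` example the remote listener on port 443 is bound by the post-authentication process running as `tunnel`, which cannot bind a privileged port without additional system configuration; either use an unprivileged port in the example or mention that requirement next to `PermitListen localhost:443`.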