# Hardened SSHD config
# Reference: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04
# See the sshd_config(5) manpage for details


## Authentication

# Enable public key authentication
PubkeyAuthentication yes

# Disable PAM (when enabled, it can improperly allow access to locked accounts)
# For more info, see https://arlimus.github.io/articles/usepam/
UsePAM no

# Disable password authentication
PasswordAuthentication no

# Disable rhosts authentication
IgnoreRhosts yes

# Disable challenge-response authentication
ChallengeResponseAuthentication no

# Disable Kerberos authentication
KerberosAuthentication no


## Login

# Disable root login
PermitRootLogin no

# Disallow empty passwords
PermitEmptyPasswords no

# Limit authentication attempts per connection to slow brute-force attacks
MaxAuthTries 3

# Limit the time (in seconds) between connecting and completing authentication
LoginGraceTime 20

# Use DNS hostname checking
UseDNS yes


## Security

# Disable X11 forwarding
X11Forwarding no

# Disable user-supplied environment variables (~/.ssh/environment and environment= in authorized_keys)
PermitUserEnvironment no

# Disable forwarding/tunneling
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no

# Deny vulnerable SSH protocol 1 (current OpenSSH releases support only protocol 2 and treat this option as deprecated)
Protocol 2

# Disable the distribution suffix in the SSH version banner (Debian/Ubuntu-specific option)
DebianBanner no

## Other features

# Print motd after interactive login
PrintMotd yes


## Notes

# Restricting user shell: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04#step-3-restricting-the-shell-of-a-user
# User-specific hardening: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04#step-4-advanced-hardening
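
# Added example (not part of this repository's file): a Python check that compares the global section of an sshd_config with the authentication, login and forwarding directives set above.
# BASELINE, ALIASES, SAMPLE, parse_global and audit are names made up for this example; Include files and Match blocks are not evaluated, and values are compared as written (so "20s" is reported for review).

```python
BASELINE = {  # keyword (lowercased) -> value used in the hardened config on this page
    "pubkeyauthentication": "yes", "usepam": "no", "passwordauthentication": "no",
    "ignorerhosts": "yes", "kbdinteractiveauthentication": "no",
    "kerberosauthentication": "no", "permitrootlogin": "no",
    "permitemptypasswords": "no", "maxauthtries": "3", "logingracetime": "20",
    "x11forwarding": "no", "permituserenvironment": "no",
    "allowagentforwarding": "no", "allowtcpforwarding": "no", "permittunnel": "no",
}
# Current OpenSSH treats ChallengeResponseAuthentication as a deprecated alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Constructed sample input, not taken from a real host.
SAMPLE = """\
PermitRootLogin no
permitrootlogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
"""

def parse_global(text):
    """Map keyword -> value for the lines before the first Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional overrides need their own review, not this check
        key = ALIASES.get(key, key)
        value = fields[1].strip() if len(fields) > 1 else ""
        seen.setdefault(key, value)  # sshd uses the first value it obtains
    return seen

def audit(text):
    """Return (keyword, found, expected) per deviation; found is None if unset."""
    seen = parse_global(text)
    return sorted(
        ((k, seen.get(k), want) for k, want in BASELINE.items()
         if (seen.get(k) or "").lower() != want),
        key=lambda f: f[0],
    )

if __name__ == "__main__":
    for keyword, found, expected in audit(SAMPLE):
        print(f"{keyword}: found {found!r}, expected {expected!r}")
```

# On a live host, feed the output of `sshd -T` (the effective configuration) to audit() instead of the file, so that defaults and included files are covered.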