peerchemist / Peerbox

DEPRECATED
GNU General Public License v3.0

sshd_config security hardening #8

Closed Thireus closed 8 years ago

Thireus commented 9 years ago

I would suggest that we apply the following rules at the end of the sshd_config file:

### START - SSH Hardening by Thireus, NSA-Proof? ###

AddressFamily inet
AllowTcpForwarding no
AuthorizedKeysFile %h/.ssh/authorized_keys
GatewayPorts no
HostbasedAuthentication no
IgnoreRhosts yes
#PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PermitTunnel no
Protocol 2
PubkeyAuthentication yes
ServerKeyBits 2048
StrictModes yes
UsePrivilegeSeparation yes
X11Forwarding no

# MACs ULTRA SECURITY!
#MACs hmac-sha2-512-etm@openssh.com
# MACs ULTRA SECURITY (Compat)!
#MACs  hmac-sha2-512
## MACs STRONG (Compat)
#MACs hmac-sha2-512,hmac-sha2-256
# MACs Compat (i.e. Debian 6, Putty)
#MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1

# Ciphers ULTRA SECURITY (only new versions)!
#Ciphers chacha20-poly1305@openssh.com
# Ciphers STRONG (only new versions)!
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
# Ciphers Compat
#Ciphers aes256-ctr

# KexAlgorithms ULTRA SECURITY!
#KexAlgorithms diffie-hellman-group-exchange-sha256
# KexAlgorithms Compat
#KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

# List users allowed to SSH
AllowUsers sunny

### END ###

MACs, Ciphers and KexAlgorithms cannot be set as they would prevent users from accessing Peerbox if they are using an SSH client version that doesn't support the latest and strongest algorithms.
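One detail worth checking before appending a block like the one above: sshd_config(5) states that, for each keyword, the first value obtained is the one used (keywords inside a `Match` block aside). A hardening line appended at the end of a file therefore has no effect if the same keyword already appears earlier, as it typically does in a distribution's default sshd_config. The following script is an added example and is not part of the Peerbox repository or of this issue; it parses a constructed sample config with sshd's first-value-wins rule, reports which of the proposed directives are wrong, missing, or silently shadowed, and rewrites the file so the first occurrence carries the hardened value. The directive list mirrors the issue's block; the sample config and all function names are assumptions made for the example.

```python
"""Audit an sshd_config against the hardening directives from this issue.

Added example, not the Peerbox project's code. It models the rule from
sshd_config(5): for each keyword outside a Match block, sshd honours the
FIRST value it encounters, so lines appended at the end of the file do not
override keywords set earlier.
"""
import re

# Hardening directives from the issue, keyed by canonical keyword name.
EXPECTED = {
    "AddressFamily": "inet",
    "AllowTcpForwarding": "no",
    "GatewayPorts": "no",
    "HostbasedAuthentication": "no",
    "IgnoreRhosts": "yes",
    "PermitEmptyPasswords": "no",
    "PermitRootLogin": "no",
    "PermitTunnel": "no",
    "Protocol": "2",
    "PubkeyAuthentication": "yes",
    "StrictModes": "yes",
    "UsePrivilegeSeparation": "yes",
    "X11Forwarding": "no",
}
# Lowercase lookup: sshd keywords are case-insensitive.
_EXPECTED_LC = {k.lower(): (k, v) for k, v in EXPECTED.items()}

# Constructed sample: distro defaults first, hardening block appended after.
SAMPLE_CONFIG = """\
# constructed sample config (not a real host's file)
Port 22
Protocol 2
PermitRootLogin yes
X11Forwarding yes
UsePAM yes

### START - SSH Hardening (appended, as the issue proposes) ###
AllowTcpForwarding no
PermitRootLogin no
X11Forwarding no
PubkeyAuthentication yes
StrictModes yes
AllowUsers sunny
### END ###
"""


def _split(line):
    """Split 'Keyword value' or 'Keyword=value' into (lowercase key, value)."""
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def parse_sshd_config(text):
    """Return (effective, shadowed) using sshd's first-value-wins rule.

    effective: keyword -> first value seen.
    shadowed:  keyword -> later values that sshd ignores.
    Everything after a Match line is skipped: it applies only conditionally.
    """
    effective, shadowed, in_match = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or in_match:
            continue
        key, value = _split(line)
        if key == "match":
            in_match = True
        elif key in effective:
            shadowed.setdefault(key, []).append(value)
        else:
            effective[key] = value
    return effective, shadowed


def audit(text, expected=EXPECTED):
    """Report wrong (key -> (got, wanted)), missing and shadowed directives."""
    effective, shadowed = parse_sshd_config(text)
    wrong, missing = {}, []
    for name, wanted in expected.items():
        key = name.lower()
        if key not in effective:
            missing.append(key)  # sshd's compiled-in default applies
        elif effective[key].lower() != wanted.lower():
            wrong[key] = (effective[key], wanted)
    return {"wrong": wrong, "missing": missing, "shadowed": shadowed}


def harden(text, expected=EXPECTED):
    """Rewrite the config so the honoured (first) occurrence is hardened.

    First occurrences are rewritten in place, later duplicates are commented
    out as dead lines, absent keywords are appended. Match blocks are untouched.
    """
    wanted_lc = {k.lower(): (k, v) for k, v in expected.items()}
    out, seen, in_match = [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and not in_match:
            key, _ = _split(line)
            if key == "match":
                in_match = True
            elif key in wanted_lc:
                if key in seen:
                    out.append("# " + raw + "   # duplicate, ignored by sshd")
                else:
                    seen.add(key)
                    out.append("%s %s" % wanted_lc[key])
                continue
        out.append(raw)
    for key, (name, value) in wanted_lc.items():
        if key not in seen:
            out.append("%s %s" % (name, value))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print(harden(SAMPLE_CONFIG))
```

On the constructed sample, `audit` flags `PermitRootLogin` and `X11Forwarding` as still `yes`, because the appended `no` lines are shadowed by the earlier defaults; after `harden` the audit is clean. On a live host, `sshd -T` prints the effective configuration and remains the authoritative check; the script is a way to review a file before it is deployed.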