I would suggest that we apply the following rules at the end of the sshd_config file:
### START - SSH Hardening by Thireus, NSA-Proof? ###
AddressFamily inet
AllowTcpForwarding no
AuthorizedKeysFile %h/.ssh/authorized_keys
GatewayPorts no
HostbasedAuthentication no
IgnoreRhosts yes
#PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PermitTunnel no
Protocol 2
PubkeyAuthentication yes
ServerKeyBits 2048
StrictModes yes
UsePrivilegeSeparation yes
X11Forwarding no
# MACs ULTRA SECURITY!
#MACs hmac-sha2-512-etm@openssh.com
# MACs ULTRA SECURITY (Compat)!
#MACs hmac-sha2-512
## MACs STRONG (Compat)
#MACs hmac-sha2-512,hmac-sha2-256
# MACs Compat (i.e. Debian 6, Putty)
#MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
# Ciphers ULTRA SECURITY (only new versions)!
#Ciphers chacha20-poly1305@openssh.com
# Ciphers STRONG (only new versions)!
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
# Ciphers Compat
#Ciphers aes256-ctr
# KexAlgorithms ULTRA SECURITY!
#KexAlgorithms diffie-hellman-group-exchange-sha256
# KexAlgorithms Compat
#KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
# List users allowed to SSH
AllowUsers sunny
### END ###
MACs, Ciphers and KexAlgorithms cannot be set as they would prevent users from accessing Peerbox if they are using an SSH client version that doesn't support the latest and strongest algorithms.
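One caveat for the "append at the end" approach, as an added example that is not part of the original post: sshd uses the first value it finds for each keyword, so an appended block is silently ignored wherever the distribution default already sets the same keyword earlier in the file. The script below (constructed sample file, not Peerbox code) computes the effective values with that rule and reports which of the post's directives are unset or shadowed.

```python
# Added example, not the Peerbox project's code: audits an sshd_config for the post's
# directives while honouring sshd's first-occurrence-wins rule (sshd_config(5)), so a
# block appended at the end does not override an earlier setting of the same keyword.
import re

HARDENING = {  # keyword (lower-cased) -> value the post asks for
    "allowtcpforwarding": "no",
    "hostbasedauthentication": "no",
    "permitrootlogin": "no",
    "permittunnel": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}

def effective_config(text):
    """Return {keyword: (value, line_no)}; lines after the first Match block are conditional and skipped."""
    effective = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not (m := re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)", line)):  # "Key value" / "Key=value"
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, (value, line_no))  # keep the first, ignore later ones
    return effective

def audit(text):
    """Return (keyword, wanted, effective, line) for each directive that is unset or shadowed."""
    eff = effective_config(text)
    findings = []
    for key, wanted in HARDENING.items():
        actual, line = eff.get(key, (None, None))
        if actual is None or actual.lower() != wanted:
            findings.append((key, wanted, actual, line))
    return findings

SAMPLE = """# constructed sample: a distro default sets PermitRootLogin before the appended block
Port 22
PermitRootLogin yes
### START - SSH Hardening ###
PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live host, `sshd -T` prints the effective configuration that sshd itself derived and is the authoritative check.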