Moin,
ich baue mir gerade eine sichere/paranoide Standardkonfiguration für SSH auf meinen Servern.
Gibt es weitere Ideen/Empfehlungen?
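# sshd_config — hardened baseline.
# sshd uses the FIRST value it sees for a keyword, and sshd_config has no
# inline comments: a trailing "# ..." after a value is read as extra
# arguments and newer sshd versions refuse the line ("garbage at end of line").
# The duplicated keywords of the first draft (LogLevel, LoginGraceTime,
# KeyRegenerationInterval) are collapsed to one occurrence each.

# Network
Port 22
#ListenAddress ::
#ListenAddress 0.0.0.0
# Protocol 1 is never offered, so the protocol-1-only keywords
# (ServerKeyBits, KeyRegenerationInterval) are dead config and were dropped.
Protocol 2
AddressFamily any

# Connection limits / keepalive
# 12 s interval * 5 missed replies: an unresponsive client is dropped after ~60 s.
ClientAliveInterval 12
ClientAliveCountMax 5
Compression delayed
LoginGraceTime 120
MaxAuthTries 3
MaxSessions 10
MaxStartups 5:30:30
TCPKeepAlive yes
UseDNS no

# Host keys (protocol 2)
# Only key types listed in HostKeyAlgorithms are ever offered, so the DSA and
# ECDSA host keys of the first draft were never used and are omitted
# (ssh-dss is 1024-bit/SHA-1 and is disabled by default in current OpenSSH).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# NOTE(review): ssh-rsa signs with SHA-1. Where the server supports them,
# prefer rsa-sha2-512 / rsa-sha2-256 (OpenSSH 7.2+) and drop ssh-rsa — check
# the installed version first, an unknown algorithm name keeps sshd from starting.
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Privilege separation is turned on for security
UsePrivilegeSeparation yes

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication
# Alternatives: yes / without-password. Root stays locked out; administer via sudo.
PermitRootLogin no
StrictModes yes
PermitEmptyPasswords no
AllowGroups sshlogin
PubkeyAuthentication yes
# Passwords are the weak point of a "paranoid" setup: keep this at "yes" only
# until every member of sshlogin has a key deployed, then set it to "no".
PasswordAuthentication yes
# Protocol-1-only keywords; harmless with Protocol 2, newer sshd only warn that
# they are deprecated.
RSAAuthentication no
RhostsRSAAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
UseLogin no
# PAM is needed for challenge/response (e.g. a TOTP module); see the two
# keywords below, which currently keep it switched off.
UsePAM yes
# Enable both of these for google authenticator
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no

# Environment / session
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
IgnoreRhosts yes
IgnoreUserKnownHosts no
# Restrict targets for TCPForwarding (only takes effect once AllowTcpForwarding is enabled)
# PermitOpen 192.168.0.1:80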
Viele Grüße
Christian