@ConnerWill
Last active December 8, 2023 16:43
hardened-sshd_config
##: ==============================================
##: [ SSHD_CONFIG ]
##: ==============================================
##: Title: hardened-sshd_config
##: Path: /etc/ssh/sshd_config
##: Author: github.com/ConnerWill
##: Date: 2022-07-16
##:
##: https://man.openbsd.org/sshd_config.5
##: https://linux.die.net/man/5/sshd_config
##:
##: =============![ WARNING ]!====================
##: The NIST P-curves used by the algorithms below are widely
##: distrusted: the seeds used to generate them were never explained,
##: and the NIST-standardised Dual_EC_DRBG generator, which used fixed
##: P-256 points, was shown to carry an NSA back door (see the links).
##: There is no public proof that the curves themselves are back-doored;
##: this config simply avoids them in favour of Curve25519/Ed25519,
##: whose parameters were chosen in a fully documented way.
##:
##:! ecdh-sha2-nistp256
##:! ecdh-sha2-nistp384
##:! ecdh-sha2-nistp521
##:! ecdsa-sha2-nistp256
##:
##: https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929
##: https://www.wired.com/2013/09/nsa-backdoor/
##:
##: ==============================================
Port 22
##: change the port if you want; a non-default port cuts scanner noise in
##: the logs but is not a security boundary. If you move it, keep it below
##: 1024 so an unprivileged local process cannot bind it while sshd is down.
AddressFamily inet
ListenAddress 0.0.0.0
#AllowUsers USERNAME
AllowGroups ssh
DenyUsers root admin administrator
DenyGroups admin nossh
##: Evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups:
##: a login succeeds only if the user is in group "ssh" and matches none
##: of the Deny lists. Create the "ssh" group and add your users to it
##: before restarting sshd, or everybody is locked out.
PermitRootLogin no
#PermitRootLogin forced-commands-only
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
ChallengeResponseAuthentication no
##: OpenSSH 8.7+ calls this KbdInteractiveAuthentication; the old name is
##: still accepted as an alias. Keep it "no" unless PAM/OTP is deliberately
##: used as a second factor.
StrictModes yes
AuthorizedKeysFile %h/.ssh/authorized_keys
LogLevel VERBOSE
MaxAuthTries 3
ClientAliveInterval 30
ClientAliveCountMax 20
##: 30 s x 20 unanswered probes: an unresponsive client is dropped after
##: 10 minutes. These probes travel inside the encrypted channel, unlike
##: TCPKeepAlive, so they cannot be spoofed.
HostbasedAuthentication no
Compression delayed
##: "delayed" is a legacy synonym for "yes" (compression only after
##: authentication) since OpenSSH 7.4; pre-auth compression no longer exists.
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no
IgnoreRhosts yes
PermitTunnel no
TCPKeepAlive yes
UseDNS no
PrintMotd no
Banner none
#Banner /etc/issue
VersionAddendum none
PrintLastLog yes
Subsystem sftp /usr/lib/openssh/sftp-server
##: ==[ADVICE]==: Prefer ed25519 over RSA when creating keys; if RSA is
##: unavoidable, use 3072 bits or more.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
##: NOTE: with the HostKeyAlgorithms list below only the ed25519 host key
##: is ever offered; the RSA host key is loaded but unused. Either drop the
##: RSA HostKey line, or add rsa-sha2-512,rsa-sha2-256 (and their
##: [email protected] variants) to HostKeyAlgorithms if legacy
##: clients must connect. Never add ssh-rsa (SHA-1 signatures).
HostKeyAlgorithms [email protected],[email protected],ssh-ed25519
##: diffie-hellman-group-exchange-sha256 picks its group from
##: /etc/ssh/moduli; remove every entry smaller than 3071 bits from that
##: file so no 2048-bit group can ever be selected. The post-quantum hybrid
##: [email protected] (OpenSSH 8.5+, default since 9.0) can be
##: put in front of the list where supported.
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected]
##: Both ciphers above are AEAD, so the MACs line is only consulted if a
##: non-AEAD cipher (e.g. aes256-ctr) is ever added to Ciphers.
MACs [email protected]
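The moduli pruning needed for diffie-hellman-group-exchange-sha256, as an added shell example (not part of the gist). The `filter_moduli`, `count_groups`, `install_filtered_moduli` and `show_effective_crypto` function names are my own, the sample moduli file is constructed (the modulus field is a placeholder, not a real prime), and `install_filtered_moduli` and `show_effective_crypto` need root on a host with sshd installed.

```shell
#!/bin/sh
# Added example, not part of the gist: prune /etc/ssh/moduli so that
# diffie-hellman-group-exchange-sha256 can only ever select groups of
# 3072 bits or more. Field 5 of a moduli line is the size as ssh-keygen
# records it (3071 for a 3072-bit prime); comment lines are preserved.

# filter_moduli SRC DST: write the pruned copy of SRC to DST.
filter_moduli() {
    awk '/^#/ || $5 >= 3071' "$1" > "$2"
}

# count_groups FILE: number of non-comment (group) lines in FILE.
count_groups() {
    grep -c -v '^#' "$1" || :
}

# install_filtered_moduli [FILE]: prune the live file in place (run as root),
# keeping a .bak copy and refusing to install an empty result.
install_filtered_moduli() {
    moduli=${1:-/etc/ssh/moduli}
    tmp=$(mktemp) || return 1
    filter_moduli "$moduli" "$tmp" || { rm -f "$tmp"; return 1; }
    if [ "$(count_groups "$tmp")" -eq 0 ]; then
        echo "no groups >= 3072 bits in $moduli; generate new ones with" \
             "ssh-keygen -M generate / -M screen first" >&2
        rm -f "$tmp"; return 1
    fi
    cp -p "$moduli" "$moduli.bak" && mv "$tmp" "$moduli" && chmod 644 "$moduli"
}

# show_effective_crypto: what a running sshd will really negotiate (root).
# sshd -T prints the effective config with lowercase keywords.
show_effective_crypto() {
    sshd -T | grep -E '^(kexalgorithms|ciphers|macs|hostkeyalgorithms) '
}

# write_sample_moduli DST: a constructed moduli file for the demo below.
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus (constructed sample)
20220716000000 2 6 100 2047 2 DEADBEEF
20220716000001 2 6 100 3071 2 DEADBEEF
20220716000002 2 6 100 4095 5 DEADBEEF
20220716000003 2 6 100 8191 2 DEADBEEF
EOF
}

# Demo on the constructed sample: 4 groups in, 3 out (the 2047 line is gone).
demo_dir=$(mktemp -d)
write_sample_moduli "$demo_dir/moduli"
filter_moduli "$demo_dir/moduli" "$demo_dir/moduli.pruned"
echo "groups before: $(count_groups "$demo_dir/moduli"), after: $(count_groups "$demo_dir/moduli.pruned")"
rm -rf "$demo_dir"
```

Run `install_filtered_moduli` once as root after editing the config, then `show_effective_crypto` to confirm the Kex/Cipher/MAC lines actually took effect (a typo in sshd_config is only reported at restart, so also run `sshd -t` before restarting).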
####: Restrict
##: Some automated tasks such as remote, full-system backup require full
##: root access. To allow these in a secure way, instead of disabling root
##: login via SSH, it is possible to only allow root logins for selected
##: commands.
##:
##: This can be achieved by editing ` ~root/.ssh/authorized_keys `, by
##: prefixing the desired key, e.g. as follows:
##:
##: command="/usr/lib/rsync/rrsync -ro /" ssh-rsa …
##:
##: This will allow any login with this specific key only to execute the
##: command specified between the quotes. Prefix the entry with the
##: ` restrict ` option as well (OpenSSH 7.2+): ` command= ` on its own
##: does not switch off port forwarding, agent forwarding, X11 forwarding
##: or PTY allocation for that key, ` restrict ` does.
##:
##: The increased attack surface created by exposing the root user name
##: at login can be compensated by adding the following to ` sshd_config `:
##:
##: PermitRootLogin forced-commands-only
##:
##: This setting will not only restrict the commands which root may
##: execute via SSH, but it will also disable the use of passwords, forcing
##: use of public key authentication for the root account.
##:
##: A slightly less restrictive alternative will allow any command
##: for root, but makes password brute force impossible by enforcing
##: public key authentication. For this option, set:
##:
##: PermitRootLogin prohibit-password
##:
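A check for the forced-command pattern above, as an added shell example (not from the gist): list the entries in an authorized_keys file that are not pinned with both `restrict` and `command="..."`. Under forced-commands-only such an entry is silently useless; under prohibit-password it is a full root shell. The `unrestricted_keys` and `write_sample_keys` names are mine, the key blobs in the sample file are constructed placeholders, and the rrsync forced command is the one shown in the gist.

```shell
#!/bin/sh
# Added example, not part of the gist: audit an authorized_keys file (root's,
# typically) for entries lacking BOTH restrict and command="...".
# The options field ends at the first unquoted space, so command strings
# containing spaces must be parsed properly rather than split on whitespace.

# unrestricted_keys FILE: print offending entries; exit 1 if any, else 0.
unrestricted_keys() {
    awk '
    # options_field(line): the option list, or "" if the entry has none
    # (i.e. it starts directly with a key type such as ssh-ed25519).
    function options_field(line,    i, c, inq) {
        if (line ~ /^(ssh-|ecdsa-|sk-)/) return ""
        inq = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\\") { i++; continue }          # skip escaped char
            if (c == "\"") inq = !inq
            else if (c == " " && !inq) return substr(line, 1, i - 1)
        }
        return line
    }
    /^[[:space:]]*(#|$)/ { next }                     # comments, blanks
    {
        opts = options_field($0)
        if (opts !~ /(^|,)restrict(,|$)/ || opts !~ /(^|,)command="/) {
            print; bad = 1
        }
    }
    END { exit bad ? 1 : 0 }
    ' "$1"
}

# write_sample_keys DST: constructed entries for the demo; the key blobs are
# placeholders, the rrsync forced command is the one shown in the gist.
write_sample_keys() {
    cat > "$1" <<'EOF'
# backup host, read-only rsync of / (good)
restrict,command="/usr/lib/rsync/rrsync -ro /" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBkey1 backup@host
# forced command but forwarding/pty still allowed (flagged)
command="/usr/bin/uptime" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBkey2 monitor@host
# no options at all (flagged)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBkey3 someone@laptop
# quoted spaces and escaped quotes inside the command (good)
restrict,command="/bin/echo \"status check\"",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBkey4 probe@host
EOF
}

# Demo: two of the four constructed entries are flagged.
demo=$(mktemp)
write_sample_keys "$demo"
echo "entries lacking restrict+command:"
unrestricted_keys "$demo" || echo "(review the entries above)"
rm -f "$demo"
```

Run it as `unrestricted_keys /root/.ssh/authorized_keys` from cron or a config-audit job; a non-zero exit means an entry exists that PermitRootLogin forced-commands-only would ignore, or that prohibit-password would accept as an unrestricted root login.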
####: Locking the authorized_keys file
##: Warning: Locking this file only protects against user mistakes
##: and a particular naive in-person attack.
##: It does not provide any protection against malicious programs
##: or breaches. Use multi-factor authentication, firewalling
##: and practice defence in depth to prevent breaches in the first place.
##:
##: If, for whatever reason, you think that the user in question should
##: not be able to add or change existing keys, you can prevent them from
##: manipulating the file.
##:
##: On the server, make the ` authorized_keys ` file read-only
##: for the user and deny all other permissions:
##:
##: $ chmod 400 ~/.ssh/authorized_keys
##:
##: To prevent the user from simply changing the permissions back,
##: set the immutable bit on the ` authorized_keys ` file. Only root can
##: set or clear it, and it is honoured by ext2/3/4, XFS and btrfs.
##:
##: To prevent the user from renaming the ` ~/.ssh ` directory and
##: creating a new ` ~/.ssh ` directory and ` authorized_keys ` file,
##: set the immutable bit on the ` ~/.ssh ` directory too.
##: Caveat: an immutable ` ~/.ssh ` also stops the user's own ssh client
##: from creating ` ~/.ssh/known_hosts ` or ` ~/.ssh/config `; pre-create
##: ` known_hosts ` owned by the user (an existing file inside an immutable
##: directory can still be written) or point the client elsewhere with
##: ` UserKnownHostsFile `.
##:
##: To add or remove keys, you will have to remove the immutable bit
##: from authorized_keys and make it writable temporarily.
##:
##: ==[TIP]==: It is recommended to log changes
##: to any authorized_keys file via e.g. auditd.
##:
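The locking procedure above as an added shell example (not part of the gist). It assumes Linux with GNU coreutils and e2fsprogs (`chattr`/`lsattr`); `lock_authorized_keys`, `unlock_authorized_keys` and `audit_authorized_keys` must run as root, while `authorized_keys_locked_ok` checks what StrictModes and this page require and runs as anyone. All four function names are mine.

```shell
#!/bin/sh
# Added example, not part of the gist: lock a user's authorized_keys as
# described above and verify the result. Linux/GNU assumed (stat -c, chattr).

# authorized_keys_locked_ok HOME USER: 0 if HOME/.ssh/authorized_keys is
# mode 400 or 600 and owned by USER, and neither HOME/.ssh nor HOME is
# group- or world-writable (the StrictModes conditions, tightened to 400).
authorized_keys_locked_ok() {
    home=$1; user=$2
    keys="$home/.ssh/authorized_keys"
    [ -f "$keys" ] || return 1
    set -- $(stat -c '%a %U' "$keys")
    case "$1" in 400|600) ;; *) return 1 ;; esac
    [ "$2" = "$user" ] || return 1
    for d in "$home/.ssh" "$home"; do
        [ "$(stat -c '%U' "$d")" = "$user" ] || return 1
        case "$(stat -c '%a' "$d")" in
            *[2367]?|*[2367]) return 1 ;;    # group or other write bit set
        esac
    done
    return 0
}

# is_immutable PATH: 0 if the immutable attribute is set (lsattr flag "i").
is_immutable() {
    case "$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1)" in
        *i*) return 0 ;; *) return 1 ;;
    esac
}

# lock_authorized_keys HOME USER: chmod 400, pre-create known_hosts so the
# user's own ssh client keeps working, then make the key file and ~/.ssh
# immutable. Root only.
lock_authorized_keys() {
    home=$1; user=$2
    chmod 400 "$home/.ssh/authorized_keys" || return 1
    if [ ! -e "$home/.ssh/known_hosts" ]; then
        touch "$home/.ssh/known_hosts" && chown "$user" "$home/.ssh/known_hosts" || return 1
    fi
    chattr +i "$home/.ssh/authorized_keys" "$home/.ssh"
}

# unlock_authorized_keys HOME: reverse of lock_authorized_keys, for key
# rotation; re-run lock_authorized_keys afterwards.
unlock_authorized_keys() {
    chattr -i "$1/.ssh" "$1/.ssh/authorized_keys" &&
    chmod 600 "$1/.ssh/authorized_keys"
}

# audit_authorized_keys HOME: auditd watch; writes and attribute changes on
# the key file (including chattr) are logged under key sshd_authorized_keys.
audit_authorized_keys() {
    auditctl -w "$1/.ssh/authorized_keys" -p wa -k sshd_authorized_keys
}

# Demo on a throwaway home directory (no root needed for the check).
demo_home=$(mktemp -d)
mkdir -m 700 "$demo_home/.ssh"
echo 'ssh-ed25519 AAAA constructed-placeholder' > "$demo_home/.ssh/authorized_keys"
chmod 400 "$demo_home/.ssh/authorized_keys"
if authorized_keys_locked_ok "$demo_home" "$(id -un)"; then
    echo "permissions ok"
else
    echo "permissions NOT ok"
fi
rm -rf "$demo_home"
```

Search the audit log afterwards with `ausearch -k sshd_authorized_keys`; the `-p wa` watch also records the `chattr` calls, so an attacker who unlocks the file as root leaves a trace even though the immutable bit itself is no protection against root.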
####:
##: ==============================================
##: [ END SSHD_CONFIG ]
##: ==============================================