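# --- MAIN ---

# Change default port 22 -> {{ ssh_port }}.
# This only reduces scanner noise; it is not a security control and does not
# replace the authentication hardening below.
# NOTE(review): if ssh_port is >= 1024 it is an unprivileged port, so a local
# user could bind it whenever sshd is not listening; prefer a value < 1024
# or pin the listener with ListenAddress.
Port {{ ssh_port }}

# Optionally limit interfaces (default is all)
# ListenAddress 0.0.0.0 # IPv4
# ListenAddress :: # IPv6

# Allow only SSH protocol version 2 (v1 is insecure).
# OpenSSH 7.4+ dropped v1 entirely; on those releases this keyword is
# deprecated/ignored (sshd -t may warn). Kept only for older releases.
Protocol 2


# --- AUTHENTICATION ---

# Disable root login entirely (administrators use sudo).
# 'prohibit-password' would still permit key-based root login, which
# contradicts the "only via sudo" intent; use it only when an automation
# account genuinely needs a root key.
PermitRootLogin no

# Disable password login (keys only)
PasswordAuthentication no

# Disable keyboard-interactive auth. This also disables PAM-based MFA
# (OTP/TOTP), which is delivered via keyboard-interactive; re-enable it
# if such a PAM module is in use.
KbdInteractiveAuthentication no

# Legacy alias of KbdInteractiveAuthentication (deprecated since
# OpenSSH 8.7); kept so older releases apply the same setting.
ChallengeResponseAuthentication no

# Enable public key authentication (the only remaining method)
PubkeyAuthentication yes


# --- ACCESS ---

# Restrict which accounts may log in at all.
# BOTH directives below are commented out, so any account with a valid
# shell and an authorized key can currently log in; enable one of them.
# AllowUsers adminuser
# Or alternatively allow a group:
# AllowGroups sshusers


# --- FUNCTION RESTRICTIONS ---

# Disallow empty passwords (moot while PasswordAuthentication is off,
# but a safe default should it ever be re-enabled)
PermitEmptyPasswords no

# Disallow user environment modification (~/.ssh/environment and
# environment= options in authorized_keys), which could otherwise be
# used to inject variables such as LD_PRELOAD into the session
PermitUserEnvironment no

# Disable X11 forwarding (no GUI sessions)
X11Forwarding no

# Disable TCP forwarding (no -L/-R tunnels through this host).
# Was set to 'yes' despite the comment; use 'local' or 'remote' if one
# direction is genuinely required.
AllowTcpForwarding no

# Disable gateway ports (remote forwards cannot bind non-loopback addresses)
GatewayPorts no

# Disable tun(4) VPN tunnels via SSH
PermitTunnel no

# Disable SSH agent forwarding (was set to 'yes' despite the comment).
# A compromised host could otherwise authenticate with the client's
# agent; use ProxyJump (-J) for multi-hop access instead.
AllowAgentForwarding no


# --- ANTI-BRUTEFORCE & STABILITY ---

# Drop connections that have not authenticated within 20 seconds
LoginGraceTime 20

# Max 3 auth attempts per connection. Every public key the client offers
# counts as one attempt, so users with several keys loaded in their agent
# should pin the right one (IdentitiesOnly/IdentityFile) or they will be
# cut off before the correct key is tried.
MaxAuthTries 3

# Limit concurrent unauthenticated connections (start:rate:full):
# up to 10 are always accepted; beyond that new ones are refused with
# 30% probability, rising linearly to 100% once 60 are pending.
MaxStartups 10:30:60


# --- SESSION ACTIVITY ---

# Probe the client through the encrypted channel every 300s (5 minutes)
ClientAliveInterval 300

# Disconnect after 2 unanswered probes (~10 minutes of idle/dead link)
ClientAliveCountMax 2

# Disable TCP-level keepalives (unencrypted, spoofable); dead-peer
# detection is handled by the ClientAlive* settings above
TCPKeepAlive no

# Skip reverse-DNS lookups (faster login; DNS is not trusted for auth
# anyway). Side effect: hostname patterns in authorized_keys from= and
# in Match Host will no longer match, only addresses will.
UseDNS no

# Log the fingerprint of the key used for each login (useful for
# incident response and key revocation); uncomment if log volume permits.
# LogLevel VERBOSE


# --- SFTP ---

# Use the in-process SFTP server (also required for ChrootDirectory setups)
Subsystem sftp internal-sftp


# --- CRYPTOGRAPHY (optional) ---

# Once enabled, these lists are exclusive, and sshd refuses to start if
# any listed algorithm is unknown to it. Check support with
# 'ssh -Q kex|cipher|mac' and validate with 'sshd -t' before enabling.

# Modern key exchange algorithms (sntrup761x25519 needs OpenSSH 8.5+)
# KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256

# Modern ciphers
# Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr

# Modern MAC algorithms (encrypt-then-MAC only)
# MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com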
|