Linux-Setup-Scripts/etc/ssh/sshd_config.d/10-custom.conf

# Encryption hardening
HostKey /etc/ssh/ssh_host_ed25519_key
HostKeyAlgorithms ssh-ed25519
KexAlgorithms sntrup761x25519-sha512@openssh.com
PubkeyAcceptedKeyTypes ssh-ed25519
Ciphers aes256-gcm@openssh.com
MACs -*

# Security hardening
AuthenticationMethods publickey
AuthorizedKeysFile .ssh/authorized_keys
Compression no
DisableForwarding yes
LoginGraceTime 15s
MaxAuthTries 1
PermitUserEnvironment no
PermitUserRC no
StrictModes yes
UseDNS no

# Use KeepAlive over SSH instead of with TCP to prevent spoofing
TCPKeepAlive no
ClientAliveInterval 15
ClientAliveCountMax 4

## Use PAM for session checks here but authentication is disabled below
## Also, this prevents running sshd as non-root
UsePAM yes

# Disabling unused authentication methods
ChallengeResponseAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
KerberosAuthentication no

# Displaying info
Banner /etc/issue.net
PrintLastLog yes
PrintMotd yes
Update SSH Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:36:36 -04:00			`# Encryption hardening`
Create 10-custom.conf Signed-off-by: Tommy <contact@tommytran.io> 2023-10-10 15:20:29 -04:00			`HostKey /etc/ssh/ssh_host_ed25519_key`
			`HostKeyAlgorithms ssh-ed25519`
Update SSH Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:36:36 -04:00			`KexAlgorithms sntrup761x25519-sha512@openssh.com`
Create 10-custom.conf Signed-off-by: Tommy <contact@tommytran.io> 2023-10-10 15:20:29 -04:00			`PubkeyAcceptedKeyTypes ssh-ed25519`
			`Ciphers aes256-gcm@openssh.com`
			`MACs -*`
Update SSH Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:36:36 -04:00
More hardening options Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:57:20 -04:00			`# Security hardening`
Even more SSHD Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 17:03:54 -04:00			`AuthenticationMethods publickey`
More hardening options Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:57:20 -04:00			`AuthorizedKeysFile .ssh/authorized_keys`
More SSH Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 16:42:21 -04:00			`Compression no`
			`DisableForwarding yes`
More hardening options Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:57:20 -04:00			`LoginGraceTime 15s`
			`MaxAuthTries 1`
Even more SSHD Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 17:03:54 -04:00			`PermitUserEnvironment no`
More SSH Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 16:42:21 -04:00			`PermitUserRC no`
More hardening options Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:57:20 -04:00			`StrictModes yes`
More SSH Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 16:42:21 -04:00			`UseDNS no`

			`# Use KeepAlive over SSH instead of with TCP to prevent spoofing`
			`TCPKeepAlive no`
			`ClientAliveInterval 15`
			`ClientAliveCountMax 4`
More hardening options Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:57:20 -04:00
			`## Use PAM for session checks here but authentication is disabled below`
More SSH Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 16:42:21 -04:00			`## Also, this prevents running sshd as non-root`
More hardening options Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:57:20 -04:00			`UsePAM yes`

Update SSH Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:36:36 -04:00			`# Disabling unused authentication methods`
More hardening options Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:57:20 -04:00			`ChallengeResponseAuthentication no`
More SSH Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 16:42:21 -04:00			`GSSAPIAuthentication no`
			`HostbasedAuthentication no`
Add /etc/issue.net banner Signed-off-by: Tommy <contact@tommytran.io> 2024-02-13 18:05:52 -05:00			`PasswordAuthentication no`
Create 10-custom.conf Signed-off-by: Tommy <contact@tommytran.io> 2023-10-10 15:20:29 -04:00			`PermitRootLogin no`
More SSH Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 16:42:21 -04:00			`PermitEmptyPasswords no`
More hardening options Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:57:20 -04:00			`KbdInteractiveAuthentication no`
Create 10-custom.conf Signed-off-by: Tommy <contact@tommytran.io> 2023-10-10 15:20:29 -04:00			`KerberosAuthentication no`
Update SSH Hardening Signed-off-by: Tommy <contact@tommytran.io> 2024-07-01 15:36:36 -04:00
			`# Displaying info`
			`Banner /etc/issue.net`
			`PrintLastLog yes`
			`PrintMotd yes`