From a6a4f3085b8d00423a037ebdd6de23be58f1c7ab Mon Sep 17 00:00:00 2001
From: Tommy
Date: Mon, 1 Jul 2024 13:42:21 -0700
Subject: [PATCH] More SSH Hardening

Signed-off-by: Tommy
---
 etc/ssh/sshd_config.d/10-custom.conf | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/etc/ssh/sshd_config.d/10-custom.conf b/etc/ssh/sshd_config.d/10-custom.conf
index d250158..612614a 100644
--- a/etc/ssh/sshd_config.d/10-custom.conf
+++ b/etc/ssh/sshd_config.d/10-custom.conf
@@ -8,26 +8,32 @@ MACs -*

 # Security hardening
 AuthorizedKeysFile .ssh/authorized_keys
+Compression no
+DisableForwarding yes
 LoginGraceTime 15s
 MaxAuthTries 1
+PermitUserRC no
 StrictModes yes
+UseDNS no
+
+# Use KeepAlive over SSH instead of with TCP to prevent spoofing
+TCPKeepAlive no
+ClientAliveInterval 15
+ClientAliveCountMax 4

 ## Use PAM for session checks here but authentication is disabled below
+## Also, this prevents running sshd as non-root
 UsePAM yes

 # Disabling unused authentication methods
 ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+HostbasedAuthentication no
 PasswordAuthentication no
 PermitRootLogin no
+PermitEmptyPasswords no
 KbdInteractiveAuthentication no
 KerberosAuthentication no
-GSSAPIAuthentication no
-
-# Disabling unused features
-AllowAgentForwarding no
-AllowTcpForwarding no
-PermitTunnel no
-X11Forwarding no

 # Displaying info
 Banner /etc/issue.net
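Review bot: Dropping `AllowAgentForwarding no`, `X11Forwarding no` and `PermitTunnel no` in favour of the single `DisableForwarding yes` can weaken this file on some servers rather than simplify it. OpenSSH releases before 10.0 had a bug where DisableForwarding did not actually disable agent and X11 forwarding, and the sshd_config man page does not list tun(4) device forwarding among the features it covers, so PermitTunnel now rests on its default. Because sshd uses the first value it reads for each keyword, a later drop-in or the main sshd_config can also set these keywords once they are no longer pinned here. I would keep the three explicit lines next to `DisableForwarding yes` and confirm the effective settings with `sshd -T`.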