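# Managed by Ansible - do not modify manually
# Security hardened SSH configuration
#
# Ordering matters: sshd keeps the FIRST value it reads for a keyword and
# ignores later ones. Global settings therefore come first, the drop-in
# Include comes after them (so drop-ins can add keywords but not silently
# override the hardened values), and the Match block comes last, because
# every directive after a "Match" line belongs to that Match.

# Basic settings
Port {{ security_ssh_port }}
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
# "Protocol" is accepted but ignored by current OpenSSH (only protocol 2
# exists); kept so the file still loads on older servers.
Protocol 2

# Host keys (modern algorithms first)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# Cryptography settings (modern ciphers)
# Do not add algorithm names the installed sshd does not know: an unknown
# name in these lists makes sshd refuse to start.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
# Rekey limits: renegotiate session keys after 512 MiB or one hour
RekeyLimit 512M 1h

# Authentication security
PermitRootLogin {{ ssh_config.permit_root_login }}
MaxAuthTries {{ ssh_config.max_auth_tries }}
MaxSessions {{ ssh_config.max_sessions }}
ClientAliveInterval {{ ssh_config.client_alive_interval }}
ClientAliveCountMax {{ ssh_config.client_alive_count_max }}
LoginGraceTime 60
# Limit concurrent unauthenticated connections (start:rate:full)
MaxStartups 2:30:100

# Key-based auth enforcement
# "AuthenticationMethods publickey" is the hard requirement: whatever the
# templated values below render to, no session opens without a key. The
# PasswordAuthentication / ChallengeResponseAuthentication variables only
# become relevant if a drop-in or Match block relaxes AuthenticationMethods.
PubkeyAuthentication yes
AuthenticationMethods publickey
PasswordAuthentication {{ ssh_config.password_authentication }}
PermitEmptyPasswords no
# ChallengeResponseAuthentication is the deprecated alias of
# KbdInteractiveAuthentication. The explicit "no" is listed first and
# therefore wins; the templated value is kept for variable compatibility.
KbdInteractiveAuthentication no
ChallengeResponseAuthentication {{ ssh_config.challenge_response_authentication }}
HostbasedAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
UsePAM {{ ssh_config.use_pam }}

# Authorized key and principal controls
# authorized_keys2 is a legacy location; drop it once no account relies on it.
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
AuthorizedPrincipalsFile none
AuthorizedKeysCommand none
AuthorizedKeysCommandUser nobody
# Refuse keys/home directories that are group- or world-writable
StrictModes yes
PermitUserEnvironment no

# User restrictions (each variable must render to a space-separated list)
{% if ssh_config.allow_users is defined and ssh_config.allow_users %}
AllowUsers {{ ssh_config.allow_users }}
{% endif %}
{% if ssh_config.allow_groups is defined and ssh_config.allow_groups %}
AllowGroups {{ ssh_config.allow_groups }}
{% endif %}

# General security settings
X11Forwarding {{ ssh_config.x11_forwarding }}
X11UseLocalhost yes
X11DisplayOffset 10
PermitTTY yes
PrintMotd no
PrintLastLog yes
Compression no
UseDNS no
TCPKeepAlive yes
VersionAddendum none
ChrootDirectory none

# Disable forwarding and tunnels unless explicitly needed
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no

# Logging
# VERBOSE records the fingerprint of the key used for each login, which is
# what incident response needs to attribute a session to a specific key.
LogLevel VERBOSE
SyslogFacility AUTH

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Drop-in configuration.
# Deliberately placed AFTER the global settings: since sshd keeps the first
# value it sees, a drop-in here can only add keywords, never override the
# hardened values above (distribution drop-ins may otherwise re-enable
# PasswordAuthentication). It must stay BEFORE the Match block, or every
# included directive becomes conditional on that Match.
Include /etc/ssh/sshd_config.d/*.conf

# Conditional overrides - must remain the last section of this file.
# Permit root logins from private (RFC 1918) ranges regardless of the global
# PermitRootLogin value. "prohibit-password" rather than "yes" keeps this
# key-only even if a drop-in relaxes AuthenticationMethods. These ranges are
# only as trustworthy as the network behind them; narrow them to the
# management subnet where possible.
Match Address 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
    PermitRootLogin prohibit-password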