Hardened /etc/ssh/sshd_config

I needed to set up SFTP so that:
- users in the "sftpusers" group can connect from anywhere, but are confined to a chroot jail
- full interactive shell access is allowed only from the internal networks, and only for users in the wheel or adminsxyz group. In other words, a user should not get a bash shell unless they connect to our VPN first and are in the wheel or adminsxyz group.

# Here's the hardened config:

## Note that "CIDR address/masklen matching" for Match Address was added in OpenSSH 5.1:
## http://www.openssh.com/txt/release-5.1

## Note that "ChrootDirectory" was added in OpenSSH 4.8 (the OpenBSD-only release) and then in OpenSSH 4.9:
## http://www.openssh.com/txt/release-4.8
## http://www.openssh.com/txt/release-4.9

## cat /etc/ssh/sshd_config
Protocol 2
PermitRootLogin no
Subsystem sftp internal-sftp
PermitEmptyPasswords no
HostbasedAuthentication no
RhostsRSAAuthentication no
IgnoreRhosts yes
PermitUserEnvironment no
PrintLastLog yes
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
GSSAPIAuthentication no
KerberosAuthentication no
MACs hmac-sha1
AllowUsers *
AllowGroups *
Compression no
StrictModes yes
UsePrivilegeSeparation yes
Banner /etc/issue.net
ClientAliveInterval 900
ClientAliveCountMax 0
## Disabling tunneling
PermitTunnel no
#### Disable all authentication methods globally; they are re-enabled only where the Match blocks below apply
PasswordAuthentication no
## Note: ChallengeResponseAuthentication cannot be set inside a Match block, so it stays disabled everywhere
ChallengeResponseAuthentication no
RSAAuthentication no
PubkeyAuthentication no
#### Allow only admins within the internal network to get a secure shell ####
#### For reference, the internal networks are:
## CIDR: 10.0.0.0/8
### NETWORK RANGE: 10.0.0.0 - 10.255.255.255
## CIDR: 169.254.0.0/16
### NETWORK RANGE: 169.254.0.0 - 169.254.255.255
## CIDR: 172.16.0.0/12
### NETWORK RANGE: 172.16.0.0 - 172.31.255.255
## CIDR: 192.168.0.0/16
### NETWORK RANGE: 192.168.0.0 - 192.168.255.255
## CIDR: fc00::/7
### NETWORK RANGE: FC00:: - FDFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
## CIDR: fe80::/10
### NETWORK RANGE: FE80:: - FEBF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
## CIDR: fec0::/10
### NETWORK RANGE: FEC0:: - FEFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
####
Match Group wheel,adminsxyz Address 10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16,fc00::/7,fe80::/10,fec0::/10
PasswordAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes
####
Match Group sftpusers
PasswordAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes
ChrootDirectory /sftp/%u
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
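To see what the two Match blocks above actually grant a given connection, here is an added example (not part of the original post) that parses a trimmed, constructed copy of the config and applies sshd's rule that the first matching Match block to set a keyword wins. It shows the non-obvious case of an admin who is also in sftpusers: the first block enables authentication, but the second block's ChrootDirectory and ForceCommand still apply, so that user gets SFTP only.

```python
import ipaddress
# Constructed, trimmed copy of the post's sshd_config: auth off globally, re-enabled only in the Match blocks.
CONFIG = """
PubkeyAuthentication no
Match Group wheel,adminsxyz Address 10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16,fc00::/7,fe80::/10,fec0::/10
PubkeyAuthentication yes
Match Group sftpusers
PubkeyAuthentication yes
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
"""
def parse(text):
    """Return (global keywords, [(Match criteria, keywords), ...]) in file order."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        key, _, val = line.partition(" ")
        if key.lower() == "match":
            t = val.split()  # "Group a,b Address x,y" -> {"group": {a, b}, "address": {x, y}}
            cur = {}
            blocks.append(({t[i].lower(): set(t[i + 1].split(",")) for i in range(0, len(t), 2)}, cur))
        else:
            (glob if cur is None else cur)[key.lower()] = val.strip()
    return glob, blocks

def matches(crit, groups, addr):
    """Every criterion on the Match line must hold; an IPv4 address is never 'in' an IPv6 network."""
    ip = ipaddress.ip_address(addr)
    return (("group" not in crit or bool(set(groups) & crit["group"]))
            and ("address" not in crit or any(ip in ipaddress.ip_network(n) for n in crit["address"])))

def effective(text, groups, addr):
    """sshd keeps the value from the FIRST matching Match block that sets a keyword."""
    glob, blocks = parse(text)
    from_match = {}
    for crit, kws in blocks:
        if matches(crit, groups, addr):
            for k, v in kws.items():
                from_match.setdefault(k, v)
    return {**glob, **from_match}

def access(user, groups, addr, text=CONFIG):
    """Outcome for one connection: 'denied', 'shell', or 'sftp-only <chroot>'."""
    eff = effective(text, groups, addr)
    if eff.get("pubkeyauthentication") != "yes":
        return "denied"
    if eff.get("forcecommand") == "internal-sftp":
        return "sftp-only " + eff.get("chrootdirectory", "").replace("%u", user)
    return "shell"
```

On the server itself, newer OpenSSH versions can print the effective configuration for a hypothetical connection with `sshd -T -C user=alice,host=alice.example,addr=10.1.2.3`, which is the authoritative check. Remember that sshd refuses the chroot unless /sftp/%u and every directory above it are owned by root and not writable by any other user.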

During VMware SRM recovery plan testing, sometimes a VM will get marked dirty and boot into “System Recovery Options”.
When it is in “System Recovery Options”, it just stays there until the VM’s power is reset.
I can reset the VM’s power, and then it boots up fine.
I reset the power either manually or automatically (after a short timeout) by enabling VMware vSphere HA \ VM Monitoring for that cluster.

The fix is to stop the VM from booting into the “System Recovery Options” console and have it always boot into Windows.
If “Time to display recovery options when needed:” is enabled and the system has a boot-up issue, then instead of booting into “System Recovery Options” it shows the boot menu for 30 seconds (the default timeout) and then boots Windows normally.
Going to Control Panel \ System and Security \ System \ Advanced system settings opens an elevated prompt that runs:
C:\Windows\System32\SystemPropertiesAdvanced.exe
From there go to the “Advanced” tab \ Startup and Recovery \ Settings
and check the box to enable “Time to display recovery options when needed:”.
The problem is when you need to do this programmatically.
I wrote the PowerShell script below to do it for you.
The commands will need to be run in an elevated context.


#### Enable the checkbox for "Time to display recovery options when needed:" and set it to 10 seconds ####
## Uses $env:SystemRoot instead of assuming C:\Windows; run from an elevated PowerShell prompt
$bootstat = Join-Path $env:SystemRoot 'bootstat.dat'
#
# First make a backup
Copy-Item $bootstat "$bootstat.backup"
#
# If for some odd reason the Advanced System Settings dialog is open, close it, or it will hold a file lock on bootstat.dat
& "$env:SystemRoot\system32\taskkill.exe" /f /im SystemPropertiesAdvanced.exe
#
# Temporarily remove the "system" attribute from bootstat.dat
attrib -s $bootstat
#
# For "System Recovery Options" to ever work (which you might need one day), bootstat.dat must NOT be NTFS-compressed, per KB309481
compact /u $bootstat
#
# Read in bootstat.dat
$bytes = [System.IO.File]::ReadAllBytes($bootstat)
#
# Offset 8 is the enable flag: 0x00 (the default) disables, 0x01 enables
$offset = 8
$bytes[$offset] = 0x01
#
# Offset 9 is the timeout in seconds: 0x1E (the default) is 30 seconds, 0x0A is 10 seconds
$bytes[$offset + 1] = 0x0A
#
# Write the file back with the new values
[System.IO.File]::WriteAllBytes($bootstat, $bytes)
#
# Restore the system attribute on bootstat.dat
attrib +s $bootstat

Preparing to Learn VMware version 6

VMware Feature Walk Through:
http://featurewalkthrough.vmware.com/

Hands on labs:
http://labs.hol.vmware.com/HOL/catalogs/
http://docs.hol.vmware.com/catalog
http://blogs.vmware.com/hol/
https://labs.vmware.com/nee/

VMware Education:
http://mylearn.vmware.com/portals/www/

Nested ESXi:
https://labs.vmware.com/flings/vmware-tools-for-nested-esxi
http://www.virtuallyghetto.com/2013/11/w00t-vmware-tools-for-nested-esxi.html
http://www.v-front.de/2013/11/vmware-tools-for-nested-esxi-and-how-to.html
http://www.vexperienced.co.uk/2012/10/22/home-lab-a-scalable-vsphere-whitebox/
CPU Requirements:
http://www.virtuallyghetto.com/2012/09/having-difficulties-enabling-nested.html

VMware User Community VIBs:
https://vibsdepot.v-front.de

VMware VCAP5-DCA study guides:
http://www.michaelm.info/blog/?p=1365
http://www.myvmwareblog.com/2013/01/14/vcap5-dca-study-resources/
http://www.valcolabs.com/vcap5-dca/
http://thesaffageek.co.uk/vsphere-5-study-resources/vcap5-dca-dcd/
http://professionalvmware.com/brownbags/ (vBrownBags)

Check out “flings”, as there’s a ton of useful tools:
https://labs.vmware.com/

Autolab:
http://www.labguides.com/

Visio diagram of an Autolab environment:
http://www.vexperienced.co.uk/2014/12/01/visio-diagram-of-an-autolab-environment/