Hardened /etc/ssh/sshd_config

I needed to set up SFTP so that:
- users in the "sftpusers" group can connect from anywhere, but are confined to a chroot jail
- full secure-shell command access is allowed only from within the internal networks, and only for users in the wheel or adminsxyz group. In other words, we don't want a user getting a bash shell unless they connect to our VPN first and are in the wheel or adminsxyz group.

# Here's the hardened config:

## Note that "CIDR address/masklen matching" was added in OpenSSH 5.1:
## http://www.openssh.com/txt/release-5.1

## Note that "ChrootDirectory" was added in OpenSSH 4.8 (OpenBSD release) and then in portable OpenSSH 4.9:
## http://www.openssh.com/txt/release-4.8
## http://www.openssh.com/txt/release-4.9

## cat /etc/ssh/sshd_config
Protocol 2
PermitRootLogin no
Subsystem sftp internal-sftp
PermitEmptyPasswords no
HostbasedAuthentication no
RhostsRSAAuthentication no
IgnoreRhosts yes
PermitUserEnvironment no
PrintLastLog yes
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
GSSAPIAuthentication no
KerberosAuthentication no
MACs hmac-sha1
AllowUsers *
AllowGroups *
Compression no
StrictModes yes
UsePrivilegeSeparation yes
Banner /etc/issue.net
ClientAliveInterval 900
ClientAliveCountMax 0
## Disabling tunneling
PermitTunnel no
#### Disable all authentication methods globally; they are re-enabled only for clients that satisfy the Match block criteria below
PasswordAuthentication no
## Note: ChallengeResponseAuthentication may not be set inside a Match block, so it stays disabled for everyone
ChallengeResponseAuthentication no
RSAAuthentication no
PubkeyAuthentication no
#### Allow only admins within the internal network to get a secure shell ####
#### For reference, the internal networks are:
## CIDR: 10.0.0.0/8
### NETWORK RANGE: 10.0.0.0 - 10.255.255.255
## CIDR: 169.254.0.0/16
### NETWORK RANGE: 169.254.0.0 - 169.254.255.255
## CIDR: 172.16.0.0/12
### NETWORK RANGE: 172.16.0.0 - 172.31.255.255
## CIDR: 192.168.0.0/16
### NETWORK RANGE: 192.168.0.0 - 192.168.255.255
## CIDR: fc00::/7
### NETWORK RANGE: FC00:: - FDFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
## CIDR: fe80::/10
### NETWORK RANGE: FE80:: - FEBF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
## CIDR: fec0::/10
### NETWORK RANGE: FEC0:: - FEFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
####
Match Group wheel,adminsxyz Address 10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16,fc00::/7,fe80::/10,fec0::/10
    PasswordAuthentication yes
    RSAAuthentication yes
    PubkeyAuthentication yes
####
Match Group sftpusers
    PasswordAuthentication yes
    RSAAuthentication yes
    PubkeyAuthentication yes
    ChrootDirectory /sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
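The two Match blocks interact in a way worth checking before deploying: sshd applies every block whose criteria all match, but for each keyword the first obtained value wins, so an account that is in both an admin group and sftpusers still ends up chrooted with ForceCommand internal-sftp, and an admin connecting from outside the listed networks has no authentication method enabled at all. The Python model below is an added example (not the author's config and not OpenSSH code); the user names and client addresses are constructed, and it assumes the documented first-obtained-value rule for keywords set in more than one matching block.

```python
import ipaddress

# Internal networks and keywords taken from the sshd_config above.
INTERNAL_NETS = ["10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
                 "fc00::/7", "fe80::/10", "fec0::/10"]

# Global section: only the keywords the Match blocks touch (all auth methods off).
GLOBAL = {"PasswordAuthentication": "no", "RSAAuthentication": "no",
          "PubkeyAuthentication": "no", "ForceCommand": None, "ChrootDirectory": None}

# The two Match blocks, in file order: (criteria, keywords they set).
MATCH_BLOCKS = [
    ({"Group": {"wheel", "adminsxyz"}, "Address": INTERNAL_NETS},
     {"PasswordAuthentication": "yes", "RSAAuthentication": "yes", "PubkeyAuthentication": "yes"}),
    ({"Group": {"sftpusers"}},
     {"PasswordAuthentication": "yes", "RSAAuthentication": "yes", "PubkeyAuthentication": "yes",
      "ChrootDirectory": "/sftp/%u", "AllowTcpForwarding": "no", "X11Forwarding": "no",
      "ForceCommand": "internal-sftp"}),
]

def block_matches(criteria, groups, addr):
    """All criteria must hold: membership in any listed group, and (if given) any listed CIDR."""
    if "Group" in criteria and not criteria["Group"] & set(groups):
        return False
    if "Address" in criteria:
        ip = ipaddress.ip_address(addr)  # a v6 address is never inside a v4 network, and vice versa
        if not any(ip in ipaddress.ip_network(net) for net in criteria["Address"]):
            return False
    return True

def effective_options(user, groups, addr):
    """Matching blocks override the global section; among them the first to set a keyword wins."""
    opts = dict(GLOBAL)
    set_by_match = set()
    for criteria, settings in MATCH_BLOCKS:
        if not block_matches(criteria, groups, addr):
            continue
        for key, value in settings.items():
            if key not in set_by_match:
                opts[key] = value.replace("%u", user) if value else value  # expand %u like sshd
                set_by_match.add(key)
    return opts

def access_kind(user, groups, addr):
    """Classify a connection as 'shell', 'sftp-only' or 'denied' (no auth method enabled)."""
    o = effective_options(user, groups, addr)
    if all(o[k] == "no" for k in ("PasswordAuthentication", "RSAAuthentication", "PubkeyAuthentication")):
        return "denied"
    return "sftp-only" if o["ForceCommand"] == "internal-sftp" else "shell"
```

On a real host the same questions are answered by `sshd -T -C user=NAME,host=HOST,addr=ADDR`, which prints the effective options for a hypothetical connection; this model is for reasoning about the policy offline.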
