SSHD configuration

Banner

Create the banner file /etc/banner:

/etc/banner
************************************************************************************
* This computer system is for authorized use only. All activity is logged and
* regularly checked by system administrators. Individuals attempting to connect to, 
* port-scan, deface, hack, or otherwise interfere with any services on this system 
* will be reported.
************************************************************************************

SSHD config

Create the file /etc/ssh/sshd_config.d/local.conf:

/etc/ssh/sshd_config.d/local.conf
# My config, based on https://infosec.mozilla.org/guidelines/openssh.html
Port 22
AddressFamily inet
 
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
 
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
 
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
 
# LogLevel VERBOSE logs the user's key fingerprint on login. Needed to have a clear audit trail of which key was used to log in.
LogLevel VERBOSE
 
# CANNOT REDEFINE NEXT: sshd rejects a second Subsystem definition ("subsystem sftp is already defined"),
# and Debian's stock /etc/ssh/sshd_config already declares it after its Include line, so this cannot be
# overridden from a drop-in file; edit the Subsystem line in the main sshd_config instead.
# Log sftp-level file access (read/write/etc.) that would not be easily logged otherwise.
#Subsystem sftp  /usr/lib/openssh/sftp-server -f AUTH -l INFO
 
# Root login is not allowed for auditing reasons: it is difficult to track which process belongs to which root user.
#
# On Linux, user sessions are tracked using a kernel-side session id, but this session id is not recorded by OpenSSH;
# only tools such as systemd and auditd record the process session id.
# On other OSes, the user session id is not necessarily recorded at all kernel-side.
# Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit trail.
PermitRootLogin no
 
Banner /etc/banner

Restart SSHD

sudo systemctl restart ssh
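To confirm that the drop-in actually took effect after the restart, here is an added audit script (not part of the original page) that parses the output of `sshd -T` and compares the effective values with the settings in local.conf; `audit_live_sshd` runs `sshd -T` on the host (it needs root and also fails on config syntax errors), while SAMPLE is a constructed `sshd -T` output for a host that has not applied the drop-in yet.

```python
import subprocess

# Effective values the drop-in should produce (lowercase, as `sshd -T` prints keywords).
EXPECTED = {"permitrootlogin": "no", "permitemptypasswords": "no", "pubkeyauthentication": "yes",
            "loglevel": "verbose", "banner": "/etc/banner"}
WEAK_TOKENS = ("-cbc", "hmac-md5", "arcfour", "3des", "sha1")  # legacy algorithm markers absent from local.conf

def parse_sshd_t(output):
    """Parse `sshd -T` output ("keyword value" per line); repeated keywords such as hostkey are comma-joined."""
    cfg = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition(" ")
        key = key.lower()
        cfg[key] = f"{cfg[key]},{value}" if key in cfg else value
    return cfg

def audit(cfg):
    """Return a list of findings; an empty list means the effective config matches local.conf."""
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key, "").lower()
        if got != want:
            findings.append(f"{key}: expected {want!r}, got {got!r}")
    for key in ("ciphers", "macs", "kexalgorithms"):
        for alg in cfg.get(key, "").split(","):
            if any(tok in alg for tok in WEAK_TOKENS):
                findings.append(f"{key}: legacy algorithm {alg}")
    return findings

def audit_live_sshd():
    """Audit the running host: `sshd -T` must run as root (it loads the host keys)."""
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    return audit(parse_sshd_t(out))

# Constructed sample of `sshd -T` output (not captured from a real host) before local.conf is applied.
SAMPLE = """\
permitrootlogin yes
permitemptypasswords no
pubkeyauthentication yes
loglevel INFO
banner none
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
hostkey /etc/ssh/ssh_host_ed25519_key
hostkey /etc/ssh/ssh_host_rsa_key
"""
```

Running `audit(parse_sshd_t(SAMPLE))` reports six findings (root login, log level, banner and one legacy algorithm in each list); on the configured host `audit_live_sshd()` should return an empty list.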

Works on Debian 11.