Create the banner file /etc/banner:
************************************************************************************
* This computer system is for authorized use only. All activity is logged and
* regularly checked by system administrators. Individuals attempting to connect to,
* port-scan, deface, hack, or otherwise interfere with any services on this system
* will be reported.
************************************************************************************
Create the drop-in file /etc/ssh/sshd_config.d/local.conf:
# My config, based on https://infosec.mozilla.org/guidelines/openssh.html
Port 22
AddressFamily inet

# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no

# LogLevel VERBOSE logs the user's key fingerprint on login. Needed to have a clear audit trail of which key was used to log in.
LogLevel VERBOSE

# CANNOT REDEFINE NEXT: ssh says subsystem sftp is already defined
# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
#Subsystem sftp /usr/lib/openssh/sftp-server -f AUTH -l INFO

# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
#
# On Linux, user sessions are tracked using a kernel-side session id; however, this session id is not recorded by OpenSSH.
# Additionally, only tools such as systemd and auditd record the process session id.
# On other OSes, the user session id is not necessarily recorded at all kernel-side.
# Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit trail.
PermitRootLogin no

Banner /etc/banner
sudo systemctl restart ssh
Works on Debian 11.
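Because the drop-in is merged into the main sshd_config, the setting that actually takes effect is what matters, not what local.conf says on its own. The script below is an added example (not part of the original page) that audits the effective configuration as printed by `sshd -T`, which resolves every Include'd file and prints one lowercased "key value" pair per line. It assumes the local.conf shown above: the EXPECTED list mirrors its directives, and the WEAK_PATTERN substrings (cbc, sha1, md5, arcfour, 3des) are a constructed list of legacy algorithm markers that none of the configured Ciphers, MACs or KexAlgorithms should contain. Running `sshd -T` requires root; the script itself only parses text, so it can also be fed a saved dump.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the *effective* sshd
# configuration (as printed by `sshd -T`, which merges sshd_config and every
# Include'd drop-in such as /etc/ssh/sshd_config.d/local.conf) against the
# hardening choices made in local.conf. `sshd -T` prints one "key value"
# pair per line with the key lowercased; the expected list below mirrors
# local.conf (assumption: that file is in use on the host).

# Directives that must have exactly this effective value (taken from local.conf).
EXPECTED='permitrootlogin no
permitemptypasswords no
pubkeyauthentication yes
loglevel VERBOSE
banner /etc/banner'

# Constructed list of substrings that mark a legacy cipher/MAC/KEX entry
# which local.conf deliberately does not list.
WEAK_PATTERN='cbc|sha1|md5|arcfour|3des'

# effective_value DUMP KEY -> prints the value of KEY from an sshd -T dump
# (empty output when the key is absent).
effective_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_sshd_dump reads an `sshd -T` dump on stdin, prints one line per
# finding and returns 0 only when every expected directive matches and no
# weak algorithm appears in the negotiated lists.
audit_sshd_dump() {
    dump=$(cat)
    rc=0

    # 1. Exact-value directives. The here-document keeps the loop in the
    #    current shell so that rc survives (a pipe would fork a subshell).
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(effective_value "$dump" "$key")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: expected "%s", effective "%s"\n' \
                "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF

    # 2. Algorithm lists: split on commas and flag any entry matching WEAK_PATTERN.
    for key in ciphers macs kexalgorithms; do
        algos=$(effective_value "$dump" "$key")
        weak=$(printf '%s\n' "$algos" | tr ',' '\n' | grep -Ei "$WEAK_PATTERN" || true)
        if [ -n "$weak" ]; then
            printf 'WEAK %s: %s\n' "$key" "$(printf '%s' "$weak" | tr '\n' ' ')"
            rc=1
        fi
    done

    return $rc
}

# On the host (script saved as audit_sshd.sh, a hypothetical name):
#   sudo sshd -T | sh audit_sshd.sh -
# The "-" argument tells the script to read the dump from stdin.
if [ "${1:-}" = "-" ]; then
    audit_sshd_dump
    exit $?
fi
```

Run `sudo sshd -t` first so a syntax error in the drop-in is caught before `systemctl restart ssh`; then pipe `sudo sshd -T` into the audit. A MISMATCH line usually means a directive in the main sshd_config or an earlier drop-in won (sshd keeps the first value it sees for a keyword), which is exactly the situation the Subsystem comment in local.conf describes.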