summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorGravatar Matthias Lucas Jaros <jarlucmat@mailbox.org>2025-11-14 22:04:04 +0100
committerGravatar Matthias Lucas Jaros <jarlucmat@mailbox.org>2025-11-14 22:04:04 +0100
commit2aa7c934e3c7282b42988703c40a6b0fab532076 (patch)
tree5d9f6d35a214f6720d01b3beec79c523989dd785 /src
parent9d4230738ae0adb0adc8ab28e5d9c369e79f5877 (diff)
ssh hardening due to lot of attacks
Diffstat (limited to 'src')
-rw-r--r--src/ssh.conf33
1 files changed, 24 insertions, 9 deletions
diff --git a/src/ssh.conf b/src/ssh.conf
index 7f11a9f..65beeb1 100644
--- a/src/ssh.conf
+++ b/src/ssh.conf
@@ -1,12 +1,33 @@
-# Security, we only want public key login for users and NOT for users root,git
+# NO ROOT
PermitRootLogin no
-PasswordAuthentication no
+
+# git user has access to all repos. no login allowed
+DenyUsers git
+
+# no login shell
+PermitTTY no
+
+# Force run script that checks for permissions and runs sudo
+ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND"
+
+# Only public key login is allowed
+# no password brute force
PubkeyAuthentication yes
+PasswordAuthentication no
AuthenticationMethods publickey
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
-PermitTTY no
+
+# no forwarding and tunneling
+AllowTcpForwarding no
AllowAgentForwarding no
+X11Forwarding no
+
+# Limit authentication tries to 1 per connection
+MaxAuthTries 1
+
+# Do not wait too long for authentication
+LoginGraceTime 10
# Point keys to shared data dir to avoid regenerating them each time
HostKey /var/ssh/etc/ssh/ssh_host_rsa_key
@@ -16,9 +37,3 @@ HostKey /var/ssh/etc/ssh/ssh_host_ed25519_key
# Logging
SyslogFacility AUTH
LogLevel INFO
-
-# Force run script that checks for permissions and runs sudo
-ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND"
-
-# git user has access to EVERYTHING. no login should be possible
-DenyUsers git