ssh.conf (1603B)
1 # NO ROOT 2 PermitRootLogin no 3 4 # git user has access to all repos. no login allowed 5 DenyUsers git 6 7 # no login shell 8 PermitTTY no 9 10 # Force run script that checks for permissions and runs sudo 11 ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND" 12 13 # Only public key login is allowed 14 # no password brute force 15 PubkeyAuthentication yes 16 PasswordAuthentication no 17 KbdInteractiveAuthentication no 18 19 # no forwarding and tunneling 20 DisableForwarding yes 21 PermitTunnel no 22 23 # ddos protection: default params here for clarity 24 # after 10 unauthenticated connections start dropping randomly 25 # with 30% chance new connections till 100 26 # then reject every new connection attempt 27 MaxStartups 10:30:100 28 29 # max 3 unauthenticated per IP 30 # disabled due to issues even with successfull git commands 31 #PerSourceMaxStartups 3 32 33 # Garbage collection of unauthenticated connections 34 LoginGraceTime 10 35 36 # Limit authentication tries per connection 37 MaxAuthTries 3 38 39 # penalties 40 # we are quite harsh here because bots usually annoy for multiple 41 # days with many requests, so let them accumulate it up to a day 42 # crash: someone trying to break ssh 43 # invaliduser: likely a bot 44 # grace-exceeded: also a bot 45 # noauth: can be a scanner 46 # authfail: might be user in case of wrong configuration 47 PerSourcePenalties max:1d crash:1d invaliduser:60s grace-exceeded:30s noauth:10s authfail:10s 48 49 # Point keys to shared data dir to avoid regenerating them each time 50 HostKey /var/ssh/etc/ssh/ssh_host_rsa_key 51 HostKey /var/ssh/etc/ssh/ssh_host_ecdsa_key 52 HostKey /var/ssh/etc/ssh/ssh_host_ed25519_key 53 54 # Logging 55 SyslogFacility AUTH 56 LogLevel INFO