blob: a703087c90bfbecccc0929ce66d70a3a91d7a1db (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
# NO ROOT
PermitRootLogin no
# git user has access to all repos. no login allowed
DenyUsers git
# no login shell
PermitTTY no
# Force run script that checks for permissions and runs sudo
ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND"
# Only public key login is allowed
# no password brute force
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# no forwarding and tunneling
DisableForwarding yes
PermitTunnel no
# ddos protection: default params here for clarity
# after 10 unauthenticated connections start dropping randomly
# with 30% chance new connections till 100
# then reject every new connection attempt
MaxStartups 10:30:100
# max 3 unauthenticated per IP
PerSourceMaxStartups 3
# Garbage collection of unauthenticated connections
LoginGraceTime 10
# Limit authentication tries per connection
MaxAuthTries 3
# penalties
# we are quite harsh here because bots usually annoy for multiple
# days with many requests, so let them accumulate it up to a day
PerSourcePenalties max:1d crash:1d grace-exceeded:30s noauth:10s authfail:10s
# Point keys to shared data dir to avoid regenerating them each time
HostKey /var/ssh/etc/ssh/ssh_host_rsa_key
HostKey /var/ssh/etc/ssh/ssh_host_ecdsa_key
HostKey /var/ssh/etc/ssh/ssh_host_ed25519_key
# Logging
SyslogFacility AUTH
LogLevel INFO
|