@blackstar2043 - eviltoast
  • 0 Posts
  • 4 Comments
Joined 1 year ago
cake
Cake day: November 26th, 2023

help-circle
  • This is my current hardened sshd configuration.

    ssh/sshd_config: https://pastebin.com/7tH36TdJ

    • Public key authentication and 2fa using oathtool are used to authenticate.
    • Logging in is only possible for members of the ‘ssh-user’ group.
    • “root” login is disabled through “PermitRootLogin”, “DenyGroups”, and “DenyUsers”.
    • “restricted” has the ability to log in from any host.
    • “user” is limited to using the internal network to log in.
    • ‘admin’ can only log in when connected via WireGuard.
    • “sftp” may login, but only uses the sftp server. There is no shell available.

    pam.d/sshd: https://pastebin.com/eqkisf4F

    • All successful pre-2FA logins will trigger the ‘ssh-login-alert’, which sends an NTFY alert containing the time, date, user, and host IP.
    • The use of /etc/users.deny prevents root login.
    • The use of /etc/users.allowed permits login by “restricted”, “user”, “admin” and “sftp”.
    • 2FA and ssh-login-alert trigger do not apply to “sftp”