Hardened SSHD configuration
I was using public-key authentication for a while but had not spent much time looking at sshd_config. I changed it to restrict source IP ranges where applicable and to allow only the most recent algorithms. The initial connection feels a bit faster.
Architecture
```mermaid
%%{init: {'theme': 'base', 'themeVariables': {'fontSize': '16px', 'fontFamily': 'arial'}, 'flowchart': {'htmlLabels': true, 'curve': 'basis'}}}%%
graph TD
    A[Internet] -->|ssh| B[My VPS Gateway]
    B --> C{nftables}
    C -->|ssh proxy jump, wireguard| D[My home firewall OpenWrt]
    D -->|ssh proxy jump| E[Machines]
    D -->|haproxy to metallb| F[Kubernetes k3s]
    style A fill:#FFF2CC,stroke:#000000,stroke-width:2px
    style B fill:#D4E5FF,stroke:#000000,stroke-width:2px
    style C fill:#FFE6F2,stroke:#000000,stroke-width:2px
    style D fill:#E6FFCC,stroke:#000000,stroke-width:2px
    style E fill:#FFD9CC,stroke:#000000,stroke-width:2px
    style F fill:#E6D9FF,stroke:#000000,stroke-width:2px
```
Config
```
# Hardened SSHD Configuration
# After modification run:
#   sudo sshd -t                  # syntax check
#   sudo sshd -T | less           # dump the effective values sshd will use
#   sudo systemctl restart sshd

# General Settings
Port 22
# Use 'inet' for IPv4 only or 'inet6' for IPv6 only
AddressFamily inet
# Listens on all available network interfaces.
ListenAddress 0.0.0.0
# Only protocol 2 exists; modern OpenSSH ignores this keyword, it is kept for older builds
Protocol 2
# Only use the most secure algorithms
HostKeyAlgorithms ssh-ed25519
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
PrintMotd no

# Connection
# Lets a shell on this host authenticate to the next hop without storing
# private keys here (ProxyJump itself only needs TCP forwarding)
AllowAgentForwarding yes
# Allows tunnels (also required for ProxyJump through this host)
AllowTcpForwarding yes
ClientAliveCountMax 2
ClientAliveInterval 300
Compression no
# Allows remote-forwarded ports to bind to non-loopback addresses, i.e. they
# become reachable from the network, not just from this host
GatewayPorts yes
# Mitigation for CVE-2024-6387 (regreSSHion) on unpatched OpenSSH: a zero grace
# time avoids the signal-handler race but lets unauthenticated connections
# linger, so it trades the bug for a connection-exhaustion risk; upgrading is the real fix
LoginGraceTime 0
# Disables tun device forwarding, preventing VPN-like functionality.
PermitTunnel no
# Prevents users from passing environment variables to the SSH daemon
PermitUserEnvironment no
# Enables SFTP using the in-process SFTP server (no external sftp-server binary).
Subsystem sftp internal-sftp
X11Forwarding no

# Authentication
# Home, Wireguard
# AllowUsers entries accumulate across directives and are OR'ed: any user from
# the home/WireGuard ranges or from the gateway, plus my_user from any address
# (use my_user@<range> instead of a bare my_user to pin that account to a range)
AllowUsers *@192.168.1.0/24 *@10.10.10.0/24
AllowUsers *@VPS_GATEWAY_IP
AllowUsers my_user
# Legacy alias of KbdInteractiveAuthentication, harmless to keep
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_ed25519_key
# Can be enabled if using OTP / 2FA
KbdInteractiveAuthentication no
# Limits the number of authentication attempts per connection
MaxAuthTries 3
# Limits the number of concurrent sessions
MaxSessions 5
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
UsePAM no

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

# Settings that differ on the VPS gateway (replace the corresponding lines above there)
ListenAddress VPS_GATEWAY_IP
AllowUsers root
PermitRootLogin prohibit-password
```
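The two things worth verifying after writing a file like this are that the values sshd actually ends up with match the baseline (first occurrence of a keyword wins, later duplicates are silently dropped, and a few keywords such as `Protocol` are ignored outright) and what the stacked `AllowUsers` lines really admit. The checker below is an added example, not code from the post: it parses an sshd_config with those rules, audits it against the post's baseline, and evaluates `AllowUsers` the way sshd does (entries are OR'ed, the host part may be a CIDR or a glob). Assumptions: the constructed sample uses the documentation address 203.0.113.10 in place of VPS_GATEWAY_IP, Python's `fnmatch` stands in for sshd's own pattern matcher, the host part is matched against the source IP only (sshd also tries the reverse-resolved hostname), and `DenyUsers`, group directives and `Match` blocks are not modelled.

```python
"""Audit an sshd_config against the hardened baseline and evaluate AllowUsers.
Added example; sshd's own semantics are approximated as noted in the comments."""
import fnmatch
import ipaddress

# sshd appends these keywords across multiple directives; every other keyword
# keeps its first occurrence and ignores later ones.
ACCUMULATING = {"allowusers", "denyusers", "allowgroups", "denygroups",
                "hostkey", "listenaddress", "port", "subsystem", "acceptenv"}
# Keywords sshd no longer acts on ("Protocol" is the one in the post).
IGNORED = {"protocol", "rsaauthentication", "uselogin"}

# Baseline taken from the post; a set lists every acceptable value
# (PermitRootLogin differs between the home hosts and the VPS gateway).
BASELINE = {
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
    "kbdinteractiveauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "x11forwarding": {"no"},
    "permittunnel": {"no"},
    "permituserenvironment": {"no"},
    "maxauthtries": {"3"},
    "hostkeyalgorithms": {"ssh-ed25519"},
    "kexalgorithms": {"curve25519-sha256"},
    "ciphers": {"chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"},
    "macs": {"hmac-sha2-512-etm@openssh.com"},
    "loglevel": {"VERBOSE"},
}


def parse_sshd_config(text):
    """Return (values, warnings). Keys are lower-cased keywords; accumulating
    keywords map to a list. Parsing stops at the first Match block, because
    everything after it is conditional rather than global."""
    values, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in IGNORED:
            warnings.append(f"line {lineno}: {parts[0]} is ignored by sshd")
        elif key in ACCUMULATING:
            values.setdefault(key, []).append(val)
        elif key in values:
            warnings.append(f"line {lineno}: duplicate {parts[0]} ignored (first wins)")
        else:
            values[key] = val
    return values, warnings


def audit(values):
    """Compare parsed values with BASELINE; an empty list means compliant."""
    findings = []
    for key, accepted in BASELINE.items():
        if key not in values:
            findings.append(f"{key}: not set (sshd default applies)")
        elif values[key] not in accepted:
            findings.append(f"{key}: {values[key]!r} not in {sorted(accepted)}")
    return findings


def allow_user(values, user, ip):
    """AllowUsers as sshd evaluates it: the login proceeds to authentication if
    any pattern matches the (user, source address) pair; no AllowUsers at all
    means no user restriction."""
    patterns = values.get("allowusers")
    if not patterns:
        return True
    addr = ipaddress.ip_address(ip)
    for entry in " ".join(patterns).split():
        userpat, sep, hostpat = entry.rpartition("@")
        if not sep:                          # bare "my_user": any source address
            userpat, hostpat = entry, "*"
        if not fnmatch.fnmatchcase(user, userpat):
            continue
        if "/" in hostpat:                   # CIDR form
            if addr in ipaddress.ip_network(hostpat, strict=False):
                return True
        elif fnmatch.fnmatchcase(ip, hostpat):  # literal address or glob
            return True
    return False


# Constructed sample: the relevant lines of the post's config, with the
# documentation address 203.0.113.10 standing in for VPS_GATEWAY_IP.
SAMPLE_CONFIG = """\
Port 22
Protocol 2
HostKeyAlgorithms ssh-ed25519
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
LoginGraceTime 0
PermitTunnel no
PermitUserEnvironment no
X11Forwarding no
AllowUsers *@192.168.1.0/24 *@10.10.10.0/24
AllowUsers *@203.0.113.10
AllowUsers my_user
KbdInteractiveAuthentication no
MaxAuthTries 3
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
LogLevel VERBOSE
"""

if __name__ == "__main__":
    vals, warns = parse_sshd_config(SAMPLE_CONFIG)
    print("warnings:", warns)
    print("findings:", audit(vals) or "none (matches baseline)")
    for who, src in (("alice", "192.168.1.5"), ("alice", "198.51.100.4"), ("my_user", "198.51.100.4")):
        print(f"{who}@{src}: {'allowed' if allow_user(vals, who, src) else 'denied'}")
```

Running it on the sample shows the point of the `AllowUsers` comment in the config: `alice` is admitted from the home range and refused from an outside address, while `my_user` is admitted from anywhere because the bare entry carries no host part. On a live host, compare the script's view with `sudo sshd -T`, which prints the values sshd itself resolved.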