mirror of https://github.com/ovh/the-bastion
Stéphane Lesimple
6 years ago
parent
09bd6dffd9
commit
234dd0768a
@ -0,0 +1,114 @@
|
||||
# Hardened SSH bastion config -- modify wisely!
|
||||
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
|
||||
# With modifications where applicable/needed
|
||||
|
||||
# hardened params follow. every non-needed feature is disabled by default,
|
||||
# following the principle of least rights and least features (more enabled
|
||||
# features mean a more important attack surface).
|
||||
|
||||
# === FEATURES ===
|
||||
|
||||
# disable non-needed sshd features
|
||||
# mitigates CVE-0216-0778
|
||||
UseRoaming no
|
||||
# other unwanted features
|
||||
Tunnel no
|
||||
ForwardAgent no
|
||||
ForwardX11 no
|
||||
GatewayPorts no
|
||||
ControlMaster no
|
||||
|
||||
# === CRYPTOGRAPHY ===
|
||||
|
||||
# enforce the use of ssh version 2 protocol, version 1 is disabled.
|
||||
# all sshd_config options regarding protocol 1 are therefore omitted.
|
||||
Protocol 2
|
||||
|
||||
# list of allowed ciphers.
|
||||
# chacha20-poly1305 is a modern cipher, considered very secure
|
||||
# aes is still the standard, we prefer gcm cipher mode, but also
|
||||
# allow ctr cipher mode for compatibility (ctr is considered secure)
|
||||
# we deny arcfour(rc4), 3des, blowfish and cast
|
||||
# for older remote servers (or esoteric hardware), we might need to add: aes256-cbc,aes192-cbc,aes128-cbc
|
||||
# known gotchas:
|
||||
# - BSD (https://lists.freebsd.org/pipermail/freebsd-bugs/2013-June/053005.html) needs aes256-gcm@openssh.com,aes128-gcm@openssh.com DISABLED
|
||||
# - Old Cisco IOS (such as v12.2) only supports aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
|
||||
# - Ancient Debians (Sarge) and RedHats (7) only support aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
|
||||
# list of allowed message authentication code algorithms.
|
||||
# etm (encrypt-then-mac) are considered the more secure, we
|
||||
# prefer umac (has been proven secure) then sha2.
|
||||
# for older remote servers, fallback to the non-etm version of
|
||||
# the algorithms. we deny md5 entirely.
|
||||
# for older remote servers (or esoteric hardware), we might need to add: hmac-sha1
|
||||
# Known gotchas:
|
||||
# - Old Cisco IOS (such as v12.2) only supports hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
|
||||
# - Ancient Debians (Sarge) and RedHats (7) only support hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
|
||||
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
|
||||
|
||||
# List of allowed key exchange algorithms.
|
||||
# we prefer curve25519-sha256 which is considered the most modern/secure,
|
||||
# and still allow diffie hellman with group exchange using sha256 which is
|
||||
# the most secure dh-based kex.
|
||||
# we avoid algorithms based on the disputed NIST curves, and anything based
|
||||
# on sha1.
|
||||
# known gotchas:
|
||||
# - Windows needs diffie-hellman-group14-sha1 and also needs to NOT have diffie-hellman-group-exchange-sha1 present in the list AT ALL
|
||||
# - OmniOS 5.11 needs diffie-hellman-group1-sha1
|
||||
# - Old Cisco IOS (such as v12.2) only supports diffie-hellman-group1-sha1
|
||||
# - Ancient Debians (Sarge) and RedHats (7) only support diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
|
||||
# === AUTHENTICATION ===
|
||||
|
||||
# we allow only public key authentication ...
|
||||
PubkeyAuthentication yes
|
||||
# ... not password nor keyboard-interactive
|
||||
# ... (set to yes if sshpass is to be used)
|
||||
PasswordAuthentication no
|
||||
# ChallengeResponseAuthentication=yes forces KbdInteractiveAuthentication=yes in the openssh code!
|
||||
ChallengeResponseAuthentication yes
|
||||
KbdInteractiveAuthentication yes
|
||||
# ... not host-based
|
||||
HostbasedAuthentication no
|
||||
# now we specify the auth methods order we want for manual ssh calls.
|
||||
# NOTE1: as per the ssh source code, an auth method omitted hereafter
|
||||
# will not be used, even if set to "yes" above.
|
||||
# NOTE2: the bastion code (namely, ttyrec), will always set the proper
|
||||
# value explicitly on command-line (pubkey OR sshpass), so the value
|
||||
# specified hereafter will be ignored. if you want to force-disable
|
||||
# a method, set it to "no" in the list above, as those will never be
|
||||
# overridden by the code.
|
||||
PreferredAuthentications publickey,keyboard-interactive
|
||||
|
||||
# === LOGIN ###
|
||||
|
||||
# disable escape character use
|
||||
EscapeChar none
|
||||
|
||||
# detect if a hostkey changed due to DNS spoofing
|
||||
CheckHostIP yes
|
||||
|
||||
# ignore ssh-agent, only use specified keys (-i)
|
||||
IdentitiesOnly yes
|
||||
# disable auto-lookup of ~/.ssh/id_rsa ~/.ssh/id_ecdsa etc.
|
||||
IdentityFile /dev/non/existent/file
|
||||
|
||||
# carry those vars to the other side (includes LC_BASTION)
|
||||
SendEnv LANG LC_*
|
||||
|
||||
# allow usage of SSHFP DNS records
|
||||
VerifyHostKeyDNS ask
|
||||
|
||||
# yell if remote hostkey changed
|
||||
StrictHostKeyChecking ask
|
||||
|
||||
# === SYSTEM ===
|
||||
|
||||
# don't hash the users known_hosts files, in the context of a bastion, this adds no security
|
||||
HashKnownHosts no
|
||||
|
||||
# send an ssh ping each 57 seconds to the client and disconnect after 5 no-replies
|
||||
ServerAliveInterval 57
|
||||
ServerAliveCountMax 5
|
||||
@ -0,0 +1,136 @@
|
||||
# Hardened SSHD bastion config -- modify wisely!
|
||||
# Based on https://wiki.mozilla.org/Security/Guidelines/OpenSSH
|
||||
# With additional restrictions where applicable
|
||||
|
||||
# -lo and -rt users only have local console login
|
||||
DenyUsers *-rt
|
||||
DenyUsers *-lo
|
||||
|
||||
# hardened params follow. every non-needed feature is disabled by default,
|
||||
# following the principle of least rights and least features (more enabled
|
||||
# features mean a more important attack surface).
|
||||
|
||||
# === FEATURES ===
|
||||
|
||||
# disable non-needed sshd features
|
||||
AllowAgentForwarding no
|
||||
AllowTcpForwarding no
|
||||
AllowStreamLocalForwarding no
|
||||
X11Forwarding no
|
||||
PermitTunnel no
|
||||
PermitUserEnvironment no
|
||||
PermitUserRC no
|
||||
GatewayPorts no
|
||||
|
||||
# === INFORMATION DISCLOSURE ===
|
||||
|
||||
# however, display a legal notice for each connection
|
||||
Banner /etc/ssh/banner
|
||||
|
||||
# don't print the bastion MOTD on connection
|
||||
PrintMotd no
|
||||
|
||||
# === CRYPTOGRAPHY ===
|
||||
|
||||
# enforce the use of ssh version 2 protocol, version 1 is disabled.
|
||||
# all sshd_config options regarding protocol 1 are therefore omitted.
|
||||
Protocol 2
|
||||
|
||||
# only use hostkeys with secure algorithms, and omit the ones using NIST curves
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
|
||||
# list of allowed ciphers.
|
||||
# chacha20-poly1305 is a modern cipher, considered very secure
|
||||
# aes is still the standard, we prefer gcm cipher mode, but also
|
||||
# allow ctr cipher mode for compatibility (ctr is still considered secure)
|
||||
# we deny arcfour(rc4), 3des, blowfish and cast
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
|
||||
# list of allowed message authentication code algorithms.
|
||||
# etm (encrypt-then-mac) are considered the more secure, we
|
||||
# prefer umac (has been proven secure) then sha2.
|
||||
# for older ssh client, fallback to the non-etm version of
|
||||
# the algorithms.
|
||||
# we deny md5 and sha1
|
||||
MACs umac-128-etm@openssh.com,umac-64-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256
|
||||
|
||||
# List of allowed key exchange algorithms.
|
||||
# we prefer curve25519-sha256 which is considered the most modern/secure,
|
||||
# and still allow diffie hellman with group exchange using sha256 which is
|
||||
# the most secure dh-based kex.
|
||||
# we avoid algorithms based on the disputed NIST curves, and anything based
|
||||
# on sha1.
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
|
||||
# force rekey every 512M of data or 6 hours of connection, whichever comes first
|
||||
RekeyLimit 512M 6h
|
||||
|
||||
# === AUTHENTICATION ===
|
||||
|
||||
# we allow only public key authentication ...
|
||||
PubkeyAuthentication yes
|
||||
# ... not password
|
||||
PasswordAuthentication no
|
||||
# ... keyboard interactive (needed for MFA through PAM)
|
||||
KbdInteractiveAuthentication yes
|
||||
# ... not kerberos
|
||||
KerberosAuthentication no
|
||||
# ... challenge-response (needed for MFA through PAM)
|
||||
ChallengeResponseAuthentication yes
|
||||
# ... not host-based
|
||||
HostbasedAuthentication no
|
||||
|
||||
# just in case, we also explicitly deny empty passwords
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# this needs to be set at "yes" to allow PAM keyboard-interactive authentication,
|
||||
# which is not a security issue because the AuthenticationMethods below force the use of
|
||||
# either publickey or publickey+keyboard-interactive, hence password-only login is never
|
||||
# possible, for root or any other account for that matter
|
||||
PermitRootLogin yes
|
||||
|
||||
# === LOGIN ===
|
||||
|
||||
# disconnect after 30 seconds if user didn't log in successfully
|
||||
LoginGraceTime 30
|
||||
|
||||
# not more than 1 session per network connection (connection sharing with ssh client's master/shared mode)
|
||||
MaxSessions 1
|
||||
|
||||
# maximum concurrent unauth connections to the sshd daemon
|
||||
MaxStartups 50:30:500
|
||||
|
||||
# accept LANG and LC_* vars (also includes LC_BASTION)
|
||||
AcceptEnv LANG LC_*
|
||||
|
||||
# === SYSTEM ===
|
||||
|
||||
# sshd log level at verbose in auth facility for auditing purposes
|
||||
LogLevel VERBOSE
|
||||
SyslogFacility AUTH
|
||||
|
||||
# check sanity of user HOME dir before allowing user to login
|
||||
StrictModes yes
|
||||
|
||||
# never use dns (slows down connections)
|
||||
UseDNS no
|
||||
|
||||
# use PAM facility
|
||||
UsePAM yes
|
||||
|
||||
# === AuthenticationMethods vs potential root OTP vs potential user MFA ===
|
||||
# 2FA has been configured for root, so we force pubkey+PAM for it
|
||||
#Match User root
|
||||
# AuthenticationMethods publickey,keyboard-interactive:pam
|
||||
# Unconditionally skip PAM auth for members of the bastion-nopam group
|
||||
Match Group bastion-nopam
|
||||
AuthenticationMethods publickey
|
||||
# if in one of the mfa groups, use pam
|
||||
Match Group mfa-totp-configd
|
||||
AuthenticationMethods publickey,keyboard-interactive:pam
|
||||
Match Group mfa-password-configd
|
||||
AuthenticationMethods publickey,keyboard-interactive:pam
|
||||
# by default, always ask the publickey (no PAM)
|
||||
Match All
|
||||
AuthenticationMethods publickey
|
||||
Loading…
Reference in new issue