diff --git a/config/files/server/usr/etc/ssh/sshd_config b/config/files/server/usr/etc/ssh/sshd_config deleted file mode 100644 index e9e3602..0000000 --- a/config/files/server/usr/etc/ssh/sshd_config +++ /dev/null @@ -1,130 +0,0 @@ -# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options override the -# default value. - -# To modify the system-wide sshd configuration, create a *.conf file under -# /etc/ssh/sshd_config.d/ which will be automatically included below -Include /etc/ssh/sshd_config.d/*.conf - -# If you want to change the port on a SELinux system, you have to tell -# SELinux about this change. -# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER -# -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key -#HostKey /etc/ssh/ssh_host_ed25519_key - -# Ciphers and keying -#RekeyLimit default none - -# Logging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin prohibit-password -#StrictModes yes -MaxAuthTries 3 -MaxSessions 2 - -#PubkeyAuthentication yes - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 -# but this is overridden so installations will only check .ssh/authorized_keys -AuthorizedKeysFile .ssh/authorized_keys - -#AuthorizedPrincipalsFile none - -#AuthorizedKeysCommand none -#AuthorizedKeysCommandUser nobody - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#KbdInteractiveAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no -#KerberosUseKuserok yes - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes -#GSSAPIStrictAcceptorCheck yes -#GSSAPIKeyExchange no -#GSSAPIEnablek5users no - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the KbdInteractiveAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via KbdInteractiveAuthentication may bypass -# the setting of "PermitRootLogin prohibit-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and KbdInteractiveAuthentication to 'no'. -# WARNING: 'UsePAM no' is not supported in Fedora and may cause several -# problems. -#UsePAM no - -AllowAgentForwarding no -AllowTcpForwarding no -#GatewayPorts no -X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PermitTTY yes -#PrintMotd yes -#PrintLastLog yes -TCPKeepAlive no -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -ClientAliveCountMax 2 -#UseDNS no -#PidFile /var/run/sshd.pid -#MaxStartups 10:30:100 -#PermitTunnel no -#ChrootDirectory none -#VersionAddendum none - -# no default banner path -#Banner none - -# override default of no subsystems -Subsystem sftp /usr/libexec/openssh/sftp-server - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server diff --git a/config/files/server/usr/etc/ssh/sshd_config.d/99-hardening.conf b/config/files/server/usr/etc/ssh/sshd_config.d/99-hardening.conf new file mode 100644 index 0000000..e56e02a --- /dev/null +++ b/config/files/server/usr/etc/ssh/sshd_config.d/99-hardening.conf @@ -0,0 +1,23 @@ +# Only allow three auth attempts +MaxAuthTries 3 + +# Only allow two simultaneous sessions +MaxSessions 2 + +# Forbid agent forwarding +AllowAgentForwarding no + +# Forbid TCP forwarding +AllowTcpForwarding no + +# Forbid X11 forwarding +X11Forwarding no + +# Disable TCPKeepAlive +TCPKeepAlive no + +# Maximum number of client alive messages sent without response|| +ClientAliveCountMax 2 + +# Forbid sshing as root +PermitRootLogin no \ No newline at end of file diff --git a/config/files/usr/etc/security/limits.conf b/config/files/usr/etc/security/limits.conf deleted file mode 100644 index 9485a8e..0000000 --- a/config/files/usr/etc/security/limits.conf +++ /dev/null @@ -1,64 +0,0 @@ -# /etc/security/limits.conf -# -#This file sets the resource limits for the users logged in via PAM. -#It does not affect resource limits of the system services. -# -#Also note that configuration files in /etc/security/limits.d directory, -#which are read in alphabetical order, override the settings in this -#file in case the domain is the same or more specific. -#That means, for example, that setting a limit for wildcard domain here -#can be overridden with a wildcard setting in a config file in the -#subdirectory, but a user specific setting here can be overridden only -#with a user specific setting in the subdirectory. -# -#Each line describes a limit for a user in the form: -# -# -# -#Where: -# can be: -# - a user name -# - a group name, with @group syntax -# - the wildcard *, for default entry -# - the wildcard %, can be also used with %group syntax, -# for maxlogin limit -# -# can have the two values: -# - "soft" for enforcing the soft limits -# - "hard" for enforcing hard limits -# -# can be one of the following: -# - core - limits the core file size (KB) -# - data - max data size (KB) -# - fsize - maximum filesize (KB) -# - memlock - max locked-in-memory address space (KB) -# - nofile - max number of open file descriptors -# - rss - max resident set size (KB) -# - stack - max stack size (KB) -# - cpu - max CPU time (MIN) -# - nproc - max number of processes -# - as - address space limit (KB) -# - maxlogins - max number of logins for this user -# - maxsyslogins - max number of logins on the system -# - priority - the priority to run user process with -# - locks - max number of file locks the user can hold -# - sigpending - max number of pending signals -# - msgqueue - max memory used by POSIX message queues (bytes) -# - nice - max nice priority allowed to raise to values: [-20, 19] -# - rtprio - max realtime priority -# -# -# - -#* soft core 0 -#* hard rss 10000 -#@student hard nproc 20 -#@faculty soft nproc 20 -#@faculty hard nproc 50 -#ftp hard nproc 0 -#@student - maxlogins 4 - -* hard core 0 -* soft core 0 - -# End of file diff --git a/config/files/usr/etc/security/limits.d/99-disable-coredump.conf b/config/files/usr/etc/security/limits.d/99-disable-coredump.conf new file mode 100644 index 0000000..7c3d541 --- /dev/null +++ b/config/files/usr/etc/security/limits.d/99-disable-coredump.conf @@ -0,0 +1,4 @@ +# Disable coredumps + +* hard core 0 +* soft core 0