|
|
|
@ -47,20 +47,19 @@ cat <<-EOF > /etc/ssh/sshd_config |
|
|
|
HostKey /etc/ssh/ssh_host_ed25519_key |
|
|
|
HostKey /etc/ssh/ssh_host_ed25519_key |
|
|
|
HostKey /etc/ssh/ssh_host_rsa_key |
|
|
|
HostKey /etc/ssh/ssh_host_rsa_key |
|
|
|
HostKey /etc/ssh/ssh_host_ecdsa_key |
|
|
|
HostKey /etc/ssh/ssh_host_ecdsa_key |
|
|
|
|
|
|
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 |
|
|
|
|
|
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr |
|
|
|
|
|
|
|
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com |
|
|
|
AcceptEnv LANG LC_* |
|
|
|
AcceptEnv LANG LC_* |
|
|
|
AllowGroups root sudo |
|
|
|
|
|
|
|
Banner /etc/issue.net |
|
|
|
Banner /etc/issue.net |
|
|
|
ChallengeResponseAuthentication no |
|
|
|
ChallengeResponseAuthentication no |
|
|
|
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr |
|
|
|
|
|
|
|
ClientAliveCountMax 0 |
|
|
|
ClientAliveCountMax 0 |
|
|
|
ClientAliveInterval 300 |
|
|
|
ClientAliveInterval 300 |
|
|
|
Compression no |
|
|
|
Compression no |
|
|
|
HostbasedAuthentication no |
|
|
|
HostbasedAuthentication no |
|
|
|
IgnoreUserKnownHosts yes |
|
|
|
IgnoreUserKnownHosts yes |
|
|
|
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 |
|
|
|
|
|
|
|
LoginGraceTime 20 |
|
|
|
LoginGraceTime 20 |
|
|
|
LogLevel VERBOSE |
|
|
|
LogLevel VERBOSE |
|
|
|
Macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 |
|
|
|
|
|
|
|
MaxAuthTries 3 |
|
|
|
MaxAuthTries 3 |
|
|
|
MaxSessions 3 |
|
|
|
MaxSessions 3 |
|
|
|
MaxStartups 10:30:60 |
|
|
|
MaxStartups 10:30:60 |
|
|
|
@ -72,7 +71,7 @@ PermitUserEnvironment no |
|
|
|
PrintLastLog yes |
|
|
|
PrintLastLog yes |
|
|
|
PrintMotd no |
|
|
|
PrintMotd no |
|
|
|
StrictModes yes |
|
|
|
StrictModes yes |
|
|
|
Subsystem sftp internal-sftp |
|
|
|
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO |
|
|
|
UseDNS no |
|
|
|
UseDNS no |
|
|
|
UsePAM yes |
|
|
|
UsePAM yes |
|
|
|
X11Forwarding no |
|
|
|
X11Forwarding no |
|
|
|
@ -246,17 +245,17 @@ EOF |
|
|
|
echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor |
|
|
|
echo 'session optional pam_apparmor.so order=user,group,default' > /etc/pam.d/apparmor |
|
|
|
|
|
|
|
|
|
|
|
# Rsyslog enable log shipping to centralized syslog server |
|
|
|
# Rsyslog enable log shipping to centralized syslog server |
|
|
|
echo '*.* @@10.128.100.2:514' >> /etc/rsyslog.d/50-default.conf |
|
|
|
#echo '*.* @@10.128.100.2:514' >> /etc/rsyslog.d/50-default.conf |
|
|
|
|
|
|
|
|
|
|
|
# Disable IPv6 in UFW |
|
|
|
# Disable IPv6 in UFW |
|
|
|
sed -i "/ipv6=/Id" /etc/default/ufw |
|
|
|
sed -i "/ipv6=/Id" /etc/default/ufw |
|
|
|
echo "IPV6=no" | sudo tee -a /etc/default/ufw |
|
|
|
echo "IPV6=no" | sudo tee -a /etc/default/ufw |
|
|
|
|
|
|
|
|
|
|
|
# Enable UFW firewall |
|
|
|
# Enable UFW firewall |
|
|
|
ufw allow 22/tcp |
|
|
|
#ufw allow 22/tcp |
|
|
|
ufw allow 80/tcp |
|
|
|
#ufw allow 80/tcp |
|
|
|
ufw allow 443/tcp |
|
|
|
#ufw allow 443/tcp |
|
|
|
ufw enable |
|
|
|
#ufw enable |
|
|
|
|
|
|
|
|
|
|
|
# Enable Services |
|
|
|
# Enable Services |
|
|
|
systemctl enable auditd |
|
|
|
systemctl enable auditd |
|
|
|
|
