From d61cb64c7e74874b77f73f4355c6dd4c79097de1 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Tue, 28 Jan 2020 21:04:26 +0000
Subject: [PATCH] Harden SSH config

---
 ansible/roles/ssh/files/sshd_config | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ansible/roles/ssh/files/sshd_config b/ansible/roles/ssh/files/sshd_config
index dcedda2..724faed 100644
--- a/ansible/roles/ssh/files/sshd_config
+++ b/ansible/roles/ssh/files/sshd_config
@@ -30,8 +30,8 @@ AuthenticationMethods publickey
 # Disable root SSH access
 PermitRootLogin no
 
-# Client timeout (5 minutes)
-ClientAliveInterval 300
+# Client timeout
+ClientAliveInterval 600
 ClientAliveCountMax 0
 
 # Compression (only after authentication)
@@ -58,9 +58,9 @@ Ciphers aes256-ctr,aes128-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-gcm@opens
 # Key Exchange algorithms (Elliptic Curve Diffie-Hellman)
 # DH-SHA-256 included for compat with PuTTY-WinCrypt clients
-KexAlgorithms diffie-hellman-group18-sha512,curve25519-sha256@libssh.org
+KexAlgorithms diffie-hellman-group18-sha512,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
 
-# Don’t read the user’s ~/.rhosts and ~/.shosts files
+# Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
 
 # Disable unused authentication schemes
@@ -74,7 +74,7 @@ UsePAM no
 # X11 support
 X11Forwarding no
 
-# Don’t show Message of the Day
+# Don't show Message of the Day
 PrintMotd yes
 
 # TCPKeepAlive (non-tunneled, disabled)
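Review bot: The new `# Client timeout` comment dropped the duration just as the value doubled to 600, so the stanza no longer tells a reader how long an idle session survives, and a commit titled "Harden" that relaxes the window from 5 to 10 minutes should say why in the comment or the message. The paired context line `ClientAliveCountMax 0` also does not mean the same thing on every sshd: before OpenSSH 8.2 a count of 0 drops the session at the first liveness probe regardless of whether the client answers, while from 8.2 on a count of 0 disables disconnection entirely, which would make `ClientAliveInterval` a no-op on newer hosts. Suggest `# Client timeout (10 minutes); ClientAliveCountMax 0 is "drop at first probe" before OpenSSH 8.2 but "never drop" on 8.2+ - use CountMax 1 there` and pin the behaviour to the OpenSSH version this role targets.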
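Review bot: The stanza header still says `(Elliptic Curve Diffie-Hellman)` and the second comment only justifies `DH-SHA-256` for PuTTY-WinCrypt, yet the new `KexAlgorithms` line adds three finite-field groups (`diffie-hellman-group-exchange-sha256`, `diffie-hellman-group14-sha256`, `diffie-hellman-group16-sha512`) with no note on which clients need them. `diffie-hellman-group-exchange-sha256` picks its group from `/etc/ssh/moduli`, so unless this role also prunes that file (dropping entries below 3072 bits), enabling it lets a client negotiate a weaker group than anything else on the line; `diffie-hellman-group14-sha256` is likewise the 2048-bit floor of this list and deserves an explicit compat justification. Server-side order is not the tiebreaker either, since sshd selects the first algorithm on the client's list that the server also offers, so placing curve25519 first does not make it preferred. Suggest `# Key Exchange algorithms: curve25519 preferred; finite-field DH (group14/16, gex) kept only for PuTTY-WinCrypt and other clients without ECDH` plus a sibling task in the role that filters `/etc/ssh/moduli` whenever gex stays enabled.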
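Review bot: The rewritten comment `# Don't show Message of the Day` still contradicts the directive directly beneath it, `PrintMotd yes`, which makes sshd print the MOTD. Because this file also sets `UsePAM no` (visible in the hunk header), nothing else would print it, so the mismatch is a real choice rather than a harmless leftover: either change the line to `PrintMotd no` to match the stated intent, or reword the comment to `# Show Message of the Day (sshd prints it; PAM is disabled)`.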