blackstar2043@alien.top
This is my current hardened sshd configuration.
ssh/sshd_config: https://pastebin.com/7tH36TdJ
- Public key authentication and 2FA using oathtool are used to authenticate.
- Logging in is only possible for members of the "ssh-user" group.
- "root" login is disabled through "PermitRootLogin", "DenyGroups", and "DenyUsers".
- "restricted" has the ability to log in from any host.
- "user" is limited to using the internal network to log in.
- "admin" can only log in when connected via WireGuard.
- "sftp" may log in, but only uses the sftp server. There is no shell available.
pam.d/sshd: https://pastebin.com/eqkisf4F
- All successful pre-2FA logins will trigger the "ssh-login-alert", which sends an NTFY alert containing the time, date, user, and host IP.
- The use of /etc/users.deny prevents root login.
- The use of /etc/users.allowed permits login by "restricted", "user", "admin" and "sftp".
- 2FA and the ssh-login-alert trigger do not apply to "sftp".
To help with identifying issues within your SSHd configuration, I recommend using ssh-audit: https://github.com/jtesta/ssh-audit
If anonymity is your concern, then consider Monero (XMR) instead of BTC.
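As an added example (not the poster's pastebin configuration and not code from the post): a small Python checker that parses an sshd_config with Match blocks, decides which blocks apply to a given user, group set and source address following sshd's documented rules (a Match block overrides the global section, and the first value obtained for a keyword wins), and audits the policy points listed in the post. The config fragment embedded below is constructed for illustration; the 192.168.0.0/16 internal range, the 10.8.0.0/24 WireGuard range and the /srv/sftp chroot are assumed values, and expressing "only from these addresses" as a `DenyUsers` line inside a `Match User ... Address *,!<cidr>` block is one way to do it, not necessarily the poster's.

```python
"""Parse an sshd_config with Match blocks and check the access policy."""
import ipaddress
from fnmatch import fnmatchcase

# Constructed sshd_config modelling the post's policy (assumed subnets/paths).
# Comments are on their own lines: sshd does not accept trailing comments.
SAMPLE_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
# public key first, then PAM (pam_oath / oathtool) as the second factor
AuthenticationMethods publickey,keyboard-interactive
AllowGroups ssh-user
DenyGroups root
DenyUsers root

# sftp: no shell, no second factor
Match User sftp
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp
    AuthenticationMethods publickey
    X11Forwarding no
    AllowTcpForwarding no

# "user" only from the internal network (assumed range)
Match User user Address *,!192.168.0.0/16
    DenyUsers user

# "admin" only via the WireGuard tunnel (assumed range)
Match User admin Address *,!10.8.0.0/24
    DenyUsers admin
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); settings map a lowercase keyword
    to its values in file order, each Match block is (criteria, settings)."""
    glob, blocks, current = {}, [], None
    current = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "match":
            tokens = value.split()
            criteria = {c.lower(): a for c, a in zip(tokens[0::2], tokens[1::2])}
            current = {}
            blocks.append((criteria, current))
            continue
        current.setdefault(keyword, []).append(value)
    return glob, blocks


def _pattern_list_match(patterns, candidate, is_address=False):
    """sshd pattern-list semantics: '*' and '?' wildcards, CIDR for addresses,
    and a leading '!' negation that fails the whole list when it matches."""
    matched = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        if is_address and "/" in pat:
            hit = ipaddress.ip_address(candidate) in ipaddress.ip_network(pat, strict=False)
        else:
            hit = fnmatchcase(candidate, pat)
        if hit and negate:
            return False
        matched = matched or hit
    return matched


def _block_applies(criteria, user, groups, address):
    """All criteria of a Match line must hold for the block to apply."""
    for crit, pat in criteria.items():
        if crit == "user" and not _pattern_list_match(pat, user):
            return False
        if crit == "group" and not any(_pattern_list_match(pat, g) for g in groups):
            return False
        if crit == "address" and not _pattern_list_match(pat, address, is_address=True):
            return False
        if crit not in ("user", "group", "address", "all"):
            raise ValueError(f"unsupported Match criterion: {crit}")
    return True


def effective_config(cfg, user, groups, address):
    """Settings sshd would use for this connection: matching blocks in file
    order (first to set a keyword wins), then the global section fills the rest."""
    glob, blocks = cfg
    eff = {}
    for criteria, settings in blocks:
        if _block_applies(criteria, user, groups, address):
            for k, v in settings.items():
                eff.setdefault(k, v)
    for k, v in glob.items():
        eff.setdefault(k, v)
    return eff


def login_permitted(cfg, user, groups, address):
    """Mirror sshd's allowed_user() order: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    eff = effective_config(cfg, user, groups, address)
    names = lambda key: [n for v in eff.get(key, []) for n in v.split()]
    if user == "root" and eff.get("permitrootlogin", ["yes"])[0].lower() == "no":
        return False
    if any(_pattern_list_match(p, user) for p in names("denyusers")):
        return False
    if names("allowusers") and not any(_pattern_list_match(p, user) for p in names("allowusers")):
        return False
    if any(_pattern_list_match(p, g) for p in names("denygroups") for g in groups):
        return False
    if names("allowgroups") and not any(
            _pattern_list_match(p, g) for p in names("allowgroups") for g in groups):
        return False
    return True


def audit(cfg):
    """Return a list of policy points from the post that the config fails."""
    glob, blocks = cfg
    first = lambda key, default="": glob.get(key, [default])[0].lower()
    findings = []
    if first("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if first("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    methods = first("authenticationmethods")
    if "publickey" not in methods or "keyboard-interactive" not in methods:
        findings.append("AuthenticationMethods does not require publickey plus a PAM second factor")
    if "ssh-user" not in first("allowgroups").split():
        findings.append("AllowGroups does not restrict logins to ssh-user")
    sftp_cmds = [v for c, s in blocks if c.get("user") == "sftp" for v in s.get("forcecommand", [])]
    if not any("internal-sftp" in v for v in sftp_cmds):
        findings.append("no Match User sftp block forcing internal-sftp")
    return findings


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("audit findings:", audit(cfg) or "none")
    for who, grp, src in [("root", ["root"], "192.168.1.5"), ("user", ["ssh-user"], "203.0.113.7"),
                          ("user", ["ssh-user"], "192.168.1.5"), ("admin", ["ssh-user"], "10.8.0.2")]:
        print(f"{who}@{src}: {'allowed' if login_permitted(cfg, who, grp, src) else 'denied'}")
```

Running the script audits the embedded config and prints an allow/deny verdict for a few constructed connections; `audit()` only checks the first global value of each keyword, which is what sshd itself uses, so a stray second `PermitRootLogin yes` later in the file is correctly ignored rather than flagged.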