5682fe1229
Signed-off-by: root <root@dreamon.rixotstudio.cz>
55 lines
1.6 KiB
Plaintext
### SECURITY CHECKLIST
## - [X] Use standard port 22 for SSH
Port 22

## - [X] Require pubkey and then password authentication
AuthenticationMethods publickey,password

## - [ ] Disable root login
# FIXME-SECURITY(Krey): Brainstorm since we are using it for deployment
PermitRootLogin yes

## - [X] Require publickey authentication
PubkeyAuthentication yes
# SECURITY-WARNING(Krey): Do not use 'ssh-rsa' since that is using md5sum to verify the signature which is insecure!
# NOTE: OpenSSH 8.5 and newer spell this keyword PubkeyAcceptedAlgorithms; the old name below is still accepted as an alias.
PubkeyAcceptedKeyTypes rsa-sha2-512
# FIXME-SECURITY: There are methods that may require multiple layers of authentication -> Investigate
# NOTE: The keyword is AuthenticationMethods (already set above to "publickey,password");
# the misspelling "AuthentificationMethods" is what sshd rejected as invalid.
# Just to ensure that ssh is using publickey at all cost:
# PreferredAuthentications is an ssh(1) client option and has no effect in sshd_config;
# the server-side enforcement of publickey is the AuthenticationMethods line above.

## - [X] Do not allow empty passwords
# NOTE: sshd rejected the earlier misspelling "PermitEmptyPassowrds"; the keyword is PermitEmptyPasswords.
PermitEmptyPasswords no

## - [X] Set maximum connection attempts
# FIXME: Investigate fail2ban
# NOTICE(Krey): We are using publickey so this should be set to 1, if there is required a second attempt for pubkey authentication then there is something wrong going on
# NOTE: every key a client offers that sshd rejects counts as one attempt, so clients with several keys loaded in
# their agent should pin the right one with IdentitiesOnly/IdentityFile or they will hit this limit.
MaxAuthTries 1

## - [X] Set maximum allowed sessions
MaxSessions 5

## - [ ] Disconnect the users after 5 minutes
# FIXME: Help-wanted
# NOTE: ConnectTimeout and ForwardX11Timeout are ssh(1) client options and do nothing here;
# the sshd-side keywords for idle disconnection are ClientAliveInterval and ClientAliveCountMax.

## - [ ] Add various counter-measures for brute-force attacks
# FIXME: Help-wanted

## - [X] Disable X11
# NOTE: ForwardX11 is the ssh(1) client keyword and was rejected by sshd; the sshd_config keyword is X11Forwarding.
X11Forwarding no

## - [ ] Capture failed login attempts and implement remote logging to capture security issues
# FIXME: Help-wanted

## - [ ] Check integrity of critical files using checksum
# FIXME: Needs to be implemented

# Logging
# FIXME
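The checklist above is only as good as the spelling of the keywords: sshd rejects an unknown keyword outright, silently ignores nothing, and honours only the first uncommented occurrence of each keyword. The script below is an added example, not part of this repository, that audits an sshd_config text against the checklist items that have a concrete value, flags the misspelled or client-only keywords that appear in this file's FIXME lines, and applies the first-occurrence rule when reading values. It assumes the config path is passed as the first argument (a constructed sample mirroring the original state of this file is used when no argument is given) and that keyword names follow sshd_config(5).

```shell
#!/bin/sh
# Added example, not part of the original repository: audit an sshd_config
# against the SECURITY CHECKLIST above. Needs only POSIX sh and awk.
# Assumed: the config path is passed as $1; keyword names follow sshd_config(5).

# Constructed sample mirroring the original state of this checklist file
# (used for offline runs when no path is given).
sample_config() {
    cat <<'EOF'
Port 22
AuthenticationMethods publickey,password
# FIXME-SECURITY(Krey): Brainstorm since we are using it for deployment
PermitRootLogin yes
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes rsa-sha2-512
#AuthentificationMethods publickey
#PreferredAuthentications publickey
#PermitEmptyPassowrds no
MaxAuthTries 1
MaxSessions 5
#ForwardX11 no
EOF
}

# effective_value FILE KEYWORD: sshd honours the FIRST uncommented occurrence
# of a keyword (later duplicates are ignored), matched case-insensitively.
effective_value() {
    awk -v d="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(d) {
            sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# check FILE KEYWORD EXPECTED: prints PASS/FAIL/MISSING; returns 0 only on PASS.
check() {
    got=$(effective_value "$1" "$2")
    if [ -z "$got" ]; then
        printf 'MISSING  %-24s (expected: %s)\n' "$2" "$3"; return 1
    elif [ "$got" = "$3" ]; then
        printf 'PASS     %-24s %s\n' "$2" "$got"; return 0
    fi
    printf 'FAIL     %-24s %s (expected: %s)\n' "$2" "$got" "$3"; return 1
}

# lint_spelling FILE: flag keywords sshd rejects (typos) or that belong to the
# ssh(1) client and do nothing in sshd_config. The wrong spellings are the ones
# from this file's FIXME lines. Commented lines are scanned too, because the
# checklist intends to enable them. Returns 1 when anything is flagged.
lint_spelling() {
    awk '
        BEGIN {
            fix["authentificationmethods"]  = "AuthenticationMethods"
            fix["permitemptypassowrds"]     = "PermitEmptyPasswords"
            fix["forwardx11"]               = "X11Forwarding (ForwardX11 is a client option)"
            fix["preferredauthentications"] = "client option; server side is AuthenticationMethods"
            fix["connecttimeout"]           = "client option; idle disconnect is ClientAliveInterval/ClientAliveCountMax"
            fix["forwardx11timeout"]        = "client option; no sshd equivalent"
        }
        { k = tolower($1); sub(/^#+/, "", k)
          if (k in fix) { printf "line %d: %s -> %s\n", NR, $1, fix[k]; n++ } }
        END { exit (n > 0) }' "$1"
}

# audit FILE: the checklist items that map to one sshd value; returns the count unmet.
audit() {
    f=$1; unmet=0
    for item in \
        "Port 22" \
        "AuthenticationMethods publickey,password" \
        "PermitRootLogin no" \
        "PubkeyAuthentication yes" \
        "PubkeyAcceptedKeyTypes rsa-sha2-512" \
        "PermitEmptyPasswords no" \
        "MaxAuthTries 1" \
        "MaxSessions 5" \
        "X11Forwarding no"
    do
        set -- $item                       # split "Keyword value" into $1 $2
        check "$f" "$1" "$2" || unmet=$((unmet + 1))
    done
    return $unmet
}

# Run against $1, or against the built-in sample when called without arguments.
if [ $# -gt 0 ]; then
    target=$1
else
    target=${TMPDIR:-/tmp}/sshd_audit_sample.$$
    sample_config > "$target"
fi
lint_rc=0; lint_spelling "$target" || lint_rc=$?
unmet=0;   audit "$target"         || unmet=$?
printf 'keyword problems flagged: %s; checklist items unmet: %d\n' \
    "$([ "$lint_rc" -eq 0 ] && echo no || echo yes)" "$unmet"
[ $# -gt 0 ] || rm -f "$target"
```

Run it as `sh sshd_audit.sh /etc/ssh/sshd_config` before reloading the daemon; it is a pre-check, not a replacement for `sshd -t -f FILE`, which is the authoritative syntax check, or `sshd -T`, which dumps the effective configuration sshd actually computed (including defaults for everything the file leaves unset).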