An XCCDF Group - A logical subset of the XCCDF Benchmark
sshd
openssh-server
openssh-clients
$ sudo yum install openssh-clients
$ sudo yum install openssh-server
$ sudo yum erase openssh-server
$ sudo systemctl enable sshd.service
/etc/ssh/sshd_config
$ sudo chgrp root /etc/ssh/sshd_config
/etc/ssh/*_key
ssh_keys
/etc/ssh/*.pub
root
$ sudo chown root /etc/ssh/sshd_config
$ sudo chmod 0600 /etc/ssh/sshd_config
0600
0640
$ sudo chmod 0644 /etc/ssh/*.pub
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
~/.ssh
RekeyLimit
/etc/ssh/ssh_config.d/02-rekey-limit.conf
include
/etc/ssh/ssh_config
/etc/ssh/ssh_config.d
02-rekey-limit.conf
$ sudo ssh-keygen -n [passphrase]
sshd_config(5)
ClientAliveCountMax
ClientAliveInterval
0
ClientAliveInterval * ClientAliveCountMax
.rhosts
HostbasedAuthentication
HostbasedAuthentication no
firewalld
ssh
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
Protocol 2
Compression
PermitEmptyPasswords
PermitEmptyPasswords no
GSSAPIAuthentication
GSSAPIAuthentication no
KerberosAuthentication
KerberosAuthentication no
PubkeyAuthentication no
IgnoreRhosts
IgnoreRhosts yes
RhostsRSAAuthentication no
PermitRootLogin no
PermitRootLogin prohibit-password
AllowTcpForwarding
AllowTcpForwarding no
IgnoreUserKnownHosts yes
X11Forwarding
X11Forwarding no
PermitUserEnvironment
PermitUserEnvironment no
GSSAPIAuthentication yes
UsePAM yes
PubkeyAuthentication
PubkeyAuthentication yes
StrictModes
.ssh
StrictModes yes
Banner /etc/issue
/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
Banner /etc/issue.net
X11Forwarding yes
PrintLastLog
PrintLastLog yes
LoginGraceTime
LogLevel
LogLevel INFO
VERBOSE
LogLevel VERBOSE
MaxAuthTries
MaxSessions
MaxStartups
Include /etc/ssh/sshd_config.d/*.conf
/etc/ssh/sshd_config.d
UsePrivilegeSeparation
X11UseLocalhost
yes
X11UseLocalhost yes
netwk
mask
ip_protocol
firewall-cmd --permanent --add-rich-rule='rule family="ip_protocol" source address="netwk/mask" service name="ssh" accept'