Set SSH Client Alive Count Max to zero
An XCCDF Rule
Description
The SSH server sends at most ClientAliveCountMax
messages
during a SSH session and waits for a response from the SSH client.
The option ClientAliveInterval
configures timeout after
each ClientAliveCountMax
message. If the SSH server does not
receive a response from the client, then the connection is considered unresponsive
and terminated.
To ensure the SSH timeout occurs precisely when the
ClientAliveInterval
is set, set the ClientAliveCountMax
to
value of 0
in
/etc/ssh/sshd_config
:
Rationale
This ensures a user login will be terminated as soon as the ClientAliveInterval
is reached.
- ID
- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Find sshd_config included files
shell: |-
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*Include\s*//i' | sed -e 's|^[^/]|/etc/ssh/&|')
[[ -n $included_files ]] && ls $included_files || true
register: sshd_config_included_files
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Find the include keyword, extract from the line the glob expression representing included files.
# And if it is a relative path prepend '/etc/ssh/'
included_files=$(grep -oP "^\s*(?i)include.*" /etc/ssh/sshd_config | sed -e 's/\s*include\s*//I' | sed -e 's|^[^/]|/etc/ssh/&|')