An XCCDF Group - A logical subset of the XCCDF Benchmark
/etc/ssh/sshd_config
sshd_config(5)
ClientAliveCountMax
ClientAliveInterval
0
ClientAliveInterval * ClientAliveCountMax
.rhosts
HostbasedAuthentication
HostbasedAuthentication no
firewalld
ssh
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
Protocol 2
Compression
PermitEmptyPasswords
PermitEmptyPasswords no
GSSAPIAuthentication
GSSAPIAuthentication no
KerberosAuthentication
KerberosAuthentication no
PubkeyAuthentication no
IgnoreRhosts
IgnoreRhosts yes
RhostsRSAAuthentication no
PermitRootLogin no
PermitRootLogin prohibit-password
AllowTcpForwarding
AllowTcpForwarding no
IgnoreUserKnownHosts yes
X11Forwarding
X11Forwarding no
PermitUserEnvironment
PermitUserEnvironment no
GSSAPIAuthentication yes
UsePAM yes
PubkeyAuthentication
PubkeyAuthentication yes
StrictModes
.ssh
StrictModes yes
Banner /etc/issue
Banner /etc/issue.net
X11Forwarding yes
PrintLastLog
PrintLastLog yes
RekeyLimit
LoginGraceTime
LogLevel
LogLevel INFO
VERBOSE
LogLevel VERBOSE
MaxAuthTries
MaxSessions
MaxStartups
UsePrivilegeSeparation
netwk
mask
ip_protocol
firewall-cmd --permanent --add-rich-rule='rule family="ip_protocol" source address="netwk/mask" service name="ssh" accept'