Debian SSH hardening

Run the following commands as root:

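# Harden sshd on Debian by appending directives to the main config.
# sshd uses the FIRST occurrence of a keyword, so anything already set
# earlier in the file (or in a higher-priority sshd_config.d drop-in)
# wins over the lines appended here; the 'X11Forwarding' sed below exists
# for exactly that reason.
cfg=/etc/ssh/sshd_config

# Hide the Debian version suffix from the protocol banner. The drop-in
# is only read when sshd_config contains an 'Include /etc/ssh/sshd_config.d/*.conf'
# line; on releases without it this file is silently ignored.
mkdir -p /etc/ssh/sshd_config.d
echo 'DebianBanner no' > /etc/ssh/sshd_config.d/debian_banner.conf

# Keep the pristine file once; -n never overwrites an earlier backup on re-runs.
cp -n -- "$cfg" "$cfg.BAK"

# Debian's stock file has 'X11Forwarding yes' uncommented; neutralise it so
# the explicit 'no' appended below becomes the first match sshd sees.
sed -i -e 's/^X11Forwarding yes/#X11Forwarding yes/' -- "$cfg"

# Append the hardening block exactly once (the marker comment guards re-runs,
# which would otherwise duplicate every line).
# A 'Match' block earlier in the file would scope everything appended after
# it to that Match; check with:  grep -n '^Match' "$cfg"
#
# NOTE(review): 'ClientAliveCountMax 0' does not enforce an idle timeout —
# sshd_config(5) says a zero count disables connection termination, and
# ClientAliveInterval is left at its default of 0 here. Pair
# 'ClientAliveInterval <seconds>' with a count >= 1 if a timeout is intended.
# 'ChallengeResponseAuthentication' is the older spelling of
# 'KbdInteractiveAuthentication' and is still accepted.
# 'PasswordAuthentication yes' keeps password logins enabled; switch it to
# 'no' once key-based login has been verified on the host.
if ! grep -q '^# debian_ssh_hardening' -- "$cfg"; then
  cat >> "$cfg" <<'EOF'
# debian_ssh_hardening
X11Forwarding no
ChallengeResponseAuthentication no
AllowAgentForwarding no
AllowTcpForwarding no
MaxAuthTries 3
PasswordAuthentication yes
PermitRootLogin no
ClientAliveCountMax 0
LoginGraceTime 60
MaxStartups 10:30:60
EOF
fi

# Refuse to leave a config sshd cannot parse (a broken file locks you out at
# the next restart). Only after this succeeds, apply with: systemctl reload ssh
sshd -t -f "$cfg"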

Debian 9

# Debian 9 only: pin the key-exchange, cipher and MAC lists.
# Every '[email protected]' below is a wiki-mangled algorithm name of the form
# '<name>@openssh.com' (or '<name>@libssh.org'); the page no longer shows
# which name each one was. Restore them on the target host from
# 'ssh -Q kex', 'ssh -Q cipher' and 'ssh -Q mac' before running these lines,
# because sshd refuses to start on an unknown algorithm name — verify with
# 'sshd -t' before reloading.
# As with any appended directive: an earlier setting of the same keyword
# wins, and lines appended after a 'Match' block belong to that block.
echo 'KexAlgorithms [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config
# Two mangled '@openssh.com' entries first, then the CTR fallbacks.
echo 'Ciphers [email protected],[email protected],aes256-ctr,aes128-ctr' >> /etc/ssh/sshd_config
# Three mangled '@openssh.com' entries, then plain hmac-sha2-512/256.
# NOTE(review): 'hmac-sha1' at the tail keeps the weakest MAC negotiable;
# it is the first candidate to drop once no client still needs it.
echo 'MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-sha1' >> /etc/ssh/sshd_config

Debian 10

Debian 11

Networking

Edit /etc/sysctl.conf and add:

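# IPv4 hardening for /etc/sysctl.conf. Apply without a reboot via
# 'sysctl -p' (or 'sysctl --system', which also reads /etc/sysctl.d/).
# Each conf.all.* key is paired with its conf.default.* twin so that both
# existing and future interfaces get the setting. IPv6 counterparts
# (net.ipv6.conf.*) are not covered here.

# Drop every ICMP echo request (the host stops answering ping); broadcast
# echo requests are ignored separately.
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

# This host is not a router.
net.ipv4.ip_forward = 0

# Source-routed packets and ICMP redirects let a remote party influence
# routing; refuse both on current and future interfaces, and never emit
# redirects ourselves.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# SYN-flood resistance: SYN cookies once the listen backlog fills.
# 5 SYN-ACK retransmits is the usual kernel default, kept explicit here.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 5

# Strict reverse-path filtering (1) drops packets whose source address is
# not reachable via the arriving interface; log_martians records packets
# with impossible source addresses, including those rp_filter rejects.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1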

References
