Update Linux/SSH/README.md
This commit is contained in:
@@ -144,31 +144,59 @@ warn "Erstelle SSH-Konfigurationsdatei..."
|
||||
sudo tee $SSH_CONFIG_FILE > /dev/null <<EOL
|
||||
# SSHD Config – Maximale Sicherheit (Nur IPv4)
|
||||
|
||||
# Nur IPv4-Verbindungen
|
||||
AddressFamily inet
|
||||
|
||||
# Standardport (22), kann bei Bedarf geändert werden
|
||||
Port 22
|
||||
|
||||
# Nur Protokoll 2 zulassen (Protokoll 1 ist unsicher)
|
||||
Protocol 2
|
||||
|
||||
# Host-Schlüssel (nur moderne Schlüssel)
|
||||
HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
|
||||
# Sichere Key Exchange-Algorithmen (Kex)
|
||||
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group14-sha256
|
||||
|
||||
# Sichere Ciphers (Chiffren)
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
|
||||
|
||||
# Sichere MAC-Algorithmen
|
||||
MACs hmac-sha2-512,hmac-sha2-256
|
||||
|
||||
# Log-Einstellungen
|
||||
SyslogFacility AUTHPRIV
|
||||
LogLevel VERBOSE
|
||||
|
||||
# Maximale Login-Wartezeit
|
||||
LoginGraceTime 30s
|
||||
|
||||
# Root-Login verbieten
|
||||
PermitRootLogin no
|
||||
|
||||
# Nur Schlüssel-Authentifizierung erlauben
|
||||
PubkeyAuthentication yes
|
||||
PasswordAuthentication no
|
||||
ChallengeResponseAuthentication no
|
||||
|
||||
# PAM für zusätzliche Sicherheitsmodule verwenden
|
||||
UsePAM yes
|
||||
|
||||
# X11-Weiterleitung deaktivieren (falls nicht benötigt)
|
||||
X11Forwarding no
|
||||
|
||||
# Kein MOTD durch SSH (über PAM regeln)
|
||||
PrintMotd no
|
||||
|
||||
# Pfad zur Authorized Keys-Datei
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
# SFTP-Subsystem (Standard)
|
||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
# Inaktive SSH-Sitzungen überwachen und beenden
|
||||
ClientAliveInterval 300
|
||||
ClientAliveCountMax 2
|
||||
|
||||
|
||||
Reference in New Issue
Block a user