SSH Hardened Config
SSH Hardened Configuration – Templates
Fertige Konfigurationen für sichere SSH-Server.
Optimale sshd_config
# /etc/ssh/sshd_config
# Hardened SSH Server Configuration
# Back up first: sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# NOTE(review): sshd keeps the FIRST value it reads for each keyword. If the
# distribution's file starts with "Include /etc/ssh/sshd_config.d/*.conf",
# anything in those drop-ins silently wins over the settings below – check
# that directory when merging this template into an existing file.
#===============================================
# NETWORK
#===============================================
# Change the port (default: 22). Keep it in sync with the fail2ban jail and
# the client config; on SELinux hosts the new port also has to be allowed
# for sshd (semanage port).
Port 2222
# IPv4 only (inet6 for IPv6 only, any for both)
AddressFamily inet
# Listen on all interfaces (restrict to a management address if possible)
ListenAddress 0.0.0.0
# Protocol 2 only – the only protocol since OpenSSH 7.4, which removed
# protocol 1 server support; this line only matters for older releases.
Protocol 2
#===============================================
# AUTHENTICATION
#===============================================
# Forbid root login entirely
PermitRootLogin no
# Public-key authentication only
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Disable password login
PasswordAuthentication no
PermitEmptyPasswords no
# Renamed to KbdInteractiveAuthentication in OpenSSH 8.7; the old name is
# still accepted as an alias.
ChallengeResponseAuthentication no
# Keyboard-interactive (for 2FA): enable both lines together so that a key
# AND the second factor are required, not either one of them.
# ChallengeResponseAuthentication yes
# AuthenticationMethods publickey,keyboard-interactive
# Keep PAM on: even with password and keyboard-interactive auth disabled it
# still performs the account and session checks.
UsePAM yes
#===============================================
# USER RESTRICTIONS
#===============================================
# Only allow specific users (adjust!). The listed accounts must exist and
# have a key in authorized_keys before sshd is restarted – otherwise you
# lock yourself out.
AllowUsers admin deploy
# Or groups
# AllowGroups sshusers
# Block specific users (redundant while AllowUsers is set: everyone not
# listed there is refused anyway)
# DenyUsers guest test
#===============================================
# CONNECTION LIMITS
#===============================================
# Seconds a client has to complete authentication
LoginGraceTime 30
# Max. authentication attempts per connection
MaxAuthTries 3
# Max. sessions (shell/exec/sftp channels) per connection
MaxSessions 3
# Rate limiting: start:rate:full
# From 10 unauthenticated connections 30% of new ones are refused, rising
# linearly to 100% at 60
MaxStartups 10:30:60
#===============================================
# TIMEOUT / KEEPALIVE
#===============================================
# Ping the client every 300 seconds (over the encrypted channel)
ClientAliveInterval 300
# Disconnect after 2 unanswered pings (= 10 min idle timeout)
ClientAliveCountMax 2
# TCP keep-alive (plain TCP, spoofable – the ClientAlive* settings above
# are the reliable idle check)
TCPKeepAlive yes
#===============================================
# DISABLE FEATURES
#===============================================
# X11 forwarding (GUI)
X11Forwarding no
# Agent forwarding
AllowAgentForwarding no
# TCP forwarding (tunnels). NOTE(review): this also blocks ProxyJump hops
# THROUGH this host – if it is the bastion of the client config below,
# forwarding has to be allowed for the jump user (e.g. in a Match block).
AllowTcpForwarding no
# Tunnel devices
PermitTunnel no
# User environment (~/.ssh/environment, environment= in authorized_keys)
PermitUserEnvironment no
# Gateway ports (remote forwards bound to non-loopback addresses)
GatewayPorts no
#===============================================
# CRYPTOGRAPHY (Modern & Secure)
#===============================================
# Host keys – ed25519 preferred, RSA kept for older clients
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Key-exchange algorithms. NOTE(review): diffie-hellman-group-exchange-sha256
# picks a group from /etc/ssh/moduli; remove entries below 3072 bits from
# that file (or drop the algorithm) so no small group can be negotiated.
KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
# Ciphers – AEAD modes first, CTR modes as fallback, no CBC
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# MACs – encrypt-then-MAC variants only
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
# Host-key algorithms – ssh-rsa (SHA-1 signatures) deliberately excluded
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com
#===============================================
# LOGGING
#===============================================
# Verbose logging: records the fingerprint of the key used for each login,
# which is what lets you attribute a session to a specific key
LogLevel VERBOSE
# Syslog facility
SyslogFacility AUTH
#===============================================
# MISCELLANEOUS
#===============================================
# No reverse DNS lookups (faster, and logins do not depend on DNS)
UseDNS no
# Disable compression
Compression no
# Show a banner (optional)
# Banner /etc/ssh/banner.txt
# Strict modes (check ownership/permissions of the user's ssh files)
StrictModes yes
# Print last log
PrintLastLog yes
# MOTD (usually printed by PAM already)
PrintMotd no
# SFTP subsystem – path as on Debian/Ubuntu; RHEL/Fedora use
# /usr/libexec/openssh/sftp-server, or use "internal-sftp" on any distro
Subsystem sftp /usr/lib/openssh/sftp-server
Fail2Ban jail.local
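# /etc/fail2ban/jail.local
# Overrides for the stock jail.conf – only settings that differ from it
# belong here. Values in [DEFAULT] apply to every jail unless overridden.
[DEFAULT]
# Ban duration in seconds
bantime = 3600
# Window (seconds) in which maxretry failures trigger a ban
findtime = 600
maxretry = 3
# Never ban loopback; add your own management address here
ignoreip = 127.0.0.1/8 ::1
# Repeat offenders: each new ban of the same IP doubles the ban time
# (fail2ban >= 0.11, uses the default sqlite database)
bantime.increment = true
# E-mail notification (optional)
# destemail = admin@example.com
# sender = fail2ban@example.com
# action = %(action_mwl)s

[sshd]
enabled = true
# Must match "Port" in sshd_config
port = 2222
filter = sshd
logpath = %(sshd_log)s
# maxretry / bantime / findtime are inherited from [DEFAULT]

# Repeat offenders (all versions): bans IPs that have already been banned
# by other jails, for a long time and on all ports – see [recidive] in the
# stock jail.conf for its defaults. This replaces a second sshd jail on the
# same log, which would only ban every failure twice.
[recidive]
enabled = true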
SSH Client Config
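# ~/.ssh/config
# ssh keeps the FIRST value it finds for each option, so host-specific
# entries come first and the global defaults ("Host *") go LAST – otherwise
# a per-host override of a global option would be silently ignored.

# Server aliases
Host myserver
    HostName 192.168.1.100
    User admin
    Port 2222
    IdentityFile ~/.ssh/id_ed25519_server

Host webserver
    HostName web.example.com
    User deploy
    Port 22
    IdentityFile ~/.ssh/id_ed25519_deploy

Host jump
    HostName bastion.example.com
    User jumpuser
    Port 2222
    # No IdentityFile here: with IdentitiesOnly (below) only the default key
    # files (~/.ssh/id_ed25519, ~/.ssh/id_rsa, ...) are offered to this host.

# Connect through the jump host
Host internal
    HostName 10.0.0.50
    User admin
    ProxyJump jump

# Global defaults – must stay at the end of the file
Host *
    # Security
    PasswordAuthentication no
    # Offer only the configured/default key files, not every key the agent holds
    IdentitiesOnly yes
    # Performance
    Compression yes
    # Connection sharing. The ~/.ssh/sockets directory must exist (mode 700);
    # a shared master connection lets later sessions skip authentication.
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    # Seconds the master stays open after the last session
    ControlPersist 600
    # Keepalive
    ServerAliveInterval 60
    ServerAliveCountMax 3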
Setup-Script
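#!/bin/bash
# SSH Hardening Setup Script
#
# Backs up the current sshd_config, validates it, installs and configures
# Fail2Ban for the hardened SSH port and restarts both services.
# NOTE: the script does not write sshd_config itself – the hardened config
# (see the template above) must already be in place before running it.
# -u/-o pipefail: abort on unset variables and failed pipelines as well.
set -euo pipefail

# Must match "Port" in /etc/ssh/sshd_config; also used for the fail2ban jail.
SSH_PORT=2222

# Everything below touches /etc and system services.
if [[ $EUID -ne 0 ]]; then
    echo "Dieses Script muss als root ausgeführt werden." >&2
    exit 1
fi

echo "=== SSH Hardening Setup ==="

# Backup (date-stamped, so repeated runs do not overwrite earlier backups)
cp /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%Y%m%d)"

# Regenerate host keys (optional).
# WARNING: every client that already knows this server will then get a
# host-key-changed error from known_hosts.
# rm /etc/ssh/ssh_host_*
# ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
# ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ""

# Validate the configuration BEFORE anything is restarted; with set -e a
# broken config aborts here instead of leaving sshd unable to start.
sshd -t

# Install Fail2Ban (Debian/Ubuntu; apt-get has a stable CLI for scripts –
# adapt the package manager on other distributions)
apt-get install -y fail2ban

# Configure Fail2Ban. An existing jail.local is kept as a backup instead of
# being silently overwritten. The heredoc is unquoted so ${SSH_PORT} expands.
if [[ -f /etc/fail2ban/jail.local ]]; then
    cp /etc/fail2ban/jail.local "/etc/fail2ban/jail.local.bak.$(date +%Y%m%d)"
fi
cat > /etc/fail2ban/jail.local << EOF
[sshd]
enabled = true
port = ${SSH_PORT}
maxretry = 3
bantime = 3600
EOF

# Restart services – Fail2Ban first, so the jail is already active when
# sshd comes back on the new port.
systemctl restart fail2ban
systemctl restart sshd

echo "=== Setup abgeschlossen ==="
echo "WICHTIG: Teste die Verbindung in einem neuen Terminal!"
echo "ssh -p ${SSH_PORT} user@server"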
Checkliste nach Installation
# 1. Check syntax (catches typos and bad keys – not lock-outs, that is step 3)
sudo sshd -t
# 2. Restart the service (KEEP A SECOND TERMINAL WITH AN OPEN SESSION!)
#    On Debian/Ubuntu the unit is "ssh"; "sshd" normally works as an alias.
sudo systemctl restart sshd
# 3. Test the connection (-v shows which key and algorithms were negotiated)
ssh -v -p 2222 user@server
# 4. Fail2Ban status (jail must be listed as active; shows banned IPs)
sudo fail2ban-client status sshd
# 5. Check the logs (use -u ssh on Debian/Ubuntu if nothing shows up)
journalctl -u sshd -n 20