I've been running internet-exposed NetBSD servers for a few years now; usually I don't mind having remote shell access to them, as it's just too convenient. As a consequence, I was forced to strengthen the default sshd_config(5) auth policies, and opted for a passphrased ed25519 pubkey, in an attempt to hold attackers (which, looking at logs, are never lacking) back. I also have a cron script which weekly exports the IPs shown in blacklistctl dump -b to the NPF's permanent blacklist. So far so good.
Yet I'm no admin and I would love to have some feedback and hear any recommendation from a seasoned UNIX professional.
That said, my sshd_config is structured as follows:
ListenAddress [ip-here]
Port [something between 1024 and 65536]
PidFile /var/run/sshd.pid
# Cryptographic policy
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com
RekeyLimit 1G 1300
# Logging
LogLevel VERBOSE
SyslogFacility AUTH
UseDNS no
# Authentication
PermitRootLogin no
StrictModes yes
UsePAM no
AllowUsers [username]
MaxAuthTries 3
MaxSessions 2
PermitEmptyPasswords no
PasswordAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
LoginGraceTime 30
IgnoreUserKnownHosts yes
IgnoreRhosts yes
# Session
Banner /etc/ssh/sshd_banner
PrintLastLog yes
ClientAliveInterval 300
ClientAliveCountMax 0
MaxStartups 2
TCPKeepAlive yes
X11Forwarding no
# Port Forwarding
AllowTcpForwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
# Misc
AcceptEnv LANG LC_*
Subsystem sftp /usr/libexec/sftp-server -f AUTHPRIV -l INFO
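As an added example of the weekly export mentioned at the top of the post (this is not the poster's own cron script), the following POSIX sh script reads the output of blacklistctl dump -b, extracts the blocked IPv4 addresses, and merges only the ones not yet known into the file that backs a persistent NPF table, loading each new address into the live table with npfctl(8). It assumes the dump format documented in blacklistctl(8) (one "addr/mask:port id nfail last access" line per entry), an NPF table named blacklist of type ipset backed by /etc/npf_blacklist, and IPv4 entries only; the sample dump embedded in sample_dump is constructed from RFC 5737 documentation addresses so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not the poster's cron script: merge the addresses blocked by
# blacklistd(8) into a persistent NPF table file and the live table.
#
# Assumptions (adjust to your setup):
#   - `blacklistctl dump -b` lines look like "addr/mask:port  id  nfail  last access"
#     (the format shown in blacklistctl(8)); anything else is ignored;
#   - npf.conf declares: table <blacklist> type ipset file "/etc/npf_blacklist"
#     so the entries survive a reboot and npfctl can add to the table live.

BLACKLIST_FILE="${BLACKLIST_FILE:-/etc/npf_blacklist}"
NPF_TABLE="${NPF_TABLE:-blacklist}"
NPFCTL="${NPFCTL:-npfctl}"       # set NPFCTL="echo npfctl" for a dry run

# Constructed sample of the dump format so the functions can be tried offline.
sample_dump() {
    cat <<'EOF'
        address/ma:port id      nfail   last access
192.0.2.10/32:22        OK      3/3     2024/05/01 10:12:33
198.51.100.7/32:2222    OK      5/3     2024/05/02 08:00:01
192.0.2.10/32:2222      OK      4/3     2024/05/02 09:30:00
EOF
}

# stdin: dump text.  stdout: unique IPv4 addresses, one per line.
# Prefix length and port are dropped, so a host blocked on two ports
# (192.0.2.10 in the sample) is listed once.
extract_addrs() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+:/ {
             sub(/\/.*/, "", $1); print $1
         }' | sort -u
}

# stdin: addresses.  stdout: those not already present in the file named by $1.
new_addrs() {
    [ -s "$1" ] || { cat; return; }   # missing or empty file: everything is new
    grep -vxF -f "$1"
}

# Read a dump on stdin, append every previously unknown address to the table
# file and the live NPF table, and print the addresses that were added.
merge_blacklist() {
    extract_addrs | new_addrs "$BLACKLIST_FILE" | while IFS= read -r addr; do
        printf '%s\n' "$addr" >> "$BLACKLIST_FILE"
        $NPFCTL table "$NPF_TABLE" add "$addr" >/dev/null
        printf '%s\n' "$addr"
    done
}

# Run the merge only when invoked with --run, e.g. from root's crontab:
#   0 3 * * 0  blacklistctl dump -b | /usr/local/sbin/npf_blacklist_merge.sh --run
case "${1-}" in
    --run) merge_blacklist ;;
esac
```

Because the table file is appended to rather than rewritten, keep it owned by root and not world-writable, and check the live table afterwards with npfctl table blacklist list. A separate sanity check worth running after any edit to the sshd_config above is sshd -t, which validates the file before a restart can lock you out.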