Add SSH hardening and kernel security configurations

- config/ssh/sshd_config_hardening: Enhanced SSH security settings - config/ssh/banner: Legal warning banner for SSH connections - config/sysctl/99-security.conf: Kernel network and memory protection parameters - Includes deployment instructions for system-level hardening
2025-09-12 20:38:21 +02:00
parent 9fbc311c2d
commit 5e714f4e45
3 changed files with 72 additions and 0 deletions
--- a/config/ssh/banner
+++ b/config/ssh/banner
@@ -0,0 +1,14 @@
+# SSH Login Banner
+# Deploy to: /etc/ssh/banner
+
+================================================================================
+                              AUTHORIZED ACCESS ONLY
+================================================================================
+
+This system is for authorized users only. All activity may be monitored and
+recorded. Unauthorized access is prohibited and will be prosecuted to the
+full extent of the law.
+
+If you are not an authorized user, disconnect immediately.
+
+================================================================================
--- a/config/ssh/sshd_config_hardening
+++ b/config/ssh/sshd_config_hardening
@@ -0,0 +1,22 @@
+# SSH Hardening Configuration
+# Deploy by appending to: /etc/ssh/sshd_config
+# 
+# Setup commands:
+#   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
+#   sudo cat config/ssh/sshd_config_hardening >> /etc/ssh/sshd_config
+#   sudo sshd -t
+#   sudo systemctl restart sshd
+
+# Enhanced security settings
+ClientAliveInterval 300
+ClientAliveCountMax 2
+Compression no
+LogLevel VERBOSE
+MaxSessions 3
+TCPKeepAlive no
+X11Forwarding no
+AllowAgentForwarding no
+AllowTcpForwarding no
+GatewayPorts no
+PermitTunnel no
+Banner /etc/ssh/banner
--- a/config/sysctl/99-security.conf
+++ b/config/sysctl/99-security.conf
@@ -0,0 +1,36 @@
+# Kernel Security Parameters for Homelab
+# Deploy to: /etc/sysctl.d/99-security.conf
+# 
+# Setup commands:
+#   sudo cp config/sysctl/99-security.conf /etc/sysctl.d/
+#   sudo sysctl -p /etc/sysctl.d/99-security.conf
+
+# Network security
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_max_syn_backlog = 2048
+net.ipv4.tcp_syn_retries = 3
+net.ipv4.tcp_synack_retries = 3
+
+# IPv6 security (if enabled)
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+
+# Memory protection
+kernel.dmesg_restrict = 1
+kernel.kptr_restrict = 1
+kernel.yama.ptrace_scope = 1