ssh ciphers and various options

master
Marek Isalski 6 years ago
parent 88f6215e8b
commit 3a6df16492

@ -12,5 +12,3 @@ ipset restore < /config/hphr.ipset
iptables-restore /config/hphr.rules.v4 iptables-restore /config/hphr.rules.v4
ip6tables-restore /config/hphr.rules.v6 ip6tables-restore /config/hphr.rules.v6
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

@ -741,7 +741,9 @@ policy {
} }
action permit action permit
set { set {
ipv6-next-hop {{ salt['pillar.get']('protocols:static:blackhole:IPv6') }} ipv6-next-hop {
global {{ salt['pillar.get']('protocols:static:blackhole:IPv6') }}
}
} }
} }
} }
@ -838,6 +840,9 @@ service {
} }
ssh { ssh {
listen-address {{ pillar['service']['ssh']['listen-address'] }} listen-address {{ pillar['service']['ssh']['listen-address'] }}
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
key-exchange curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
} }
} }
@ -889,6 +894,21 @@ system {
{% endfor %} {% endfor %}
} }
options {
ctrl-alt-del-action ignore
reboot-on-panic true
beep-if-fully-booted
}
sysctl {
all net.ipv4.conf.all.rp_filter {
value 2
}
all net.ipv4.conf.default.rp_filter {
value 2
}
}
syslog { syslog {
global { global {
facility all { facility all {
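Review bot: The new `mac` line in the `ssh` block still offers the non-ETM `hmac-sha2-512`, `hmac-sha2-256` and `umac-128@openssh.com` after the ETM variants. SSH selects the first algorithm in the client's preference list that the server also offers, so a client that ranks one of those first will get it. If every management client supports the ETM MACs, the line could be shortened to `mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com`. `diffie-hellman-group-exchange-sha256` in `key-exchange` depends on the device's moduli file, which this template does not show, so either check the group sizes on the image or drop that entry in favour of the curve25519 one. The three lists are hard-coded while `listen-address` just above them comes from pillar; reading them from pillar with these values as defaults would let a host be tightened without editing the template.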
