ssh ciphers and various options

Marek Isalski 6 years ago
parent 88f6215e8b
commit 3a6df16492

@ -12,5 +12,3 @@ ipset restore < /config/hphr.ipset
iptables-restore /config/hphr.rules.v4
ip6tables-restore /config/hphr.rules.v6
echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

@ -741,7 +741,9 @@ policy {
}
action permit
set {
ipv6-next-hop {{ salt['pillar.get']('protocols:static:blackhole:IPv6') }}
ipv6-next-hop {
global {{ salt['pillar.get']('protocols:static:blackhole:IPv6') }}
}
}
}
}
@ -838,6 +840,9 @@ service {
}
ssh {
listen-address {{ pillar['service']['ssh']['listen-address'] }}
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
key-exchange curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
}
}
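Review bot: The `mac` line in the `ssh {` block ends with the non-ETM entries `hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com`, so the encrypt-then-MAC preference expressed by the first three entries is not actually enforced: SSH negotiation takes the first algorithm on the client's list that the server also offers, so a client that prefers a plain HMAC still gets one regardless of the server's ordering. If the intent is to require ETM, trim the line to `mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com`; if the tail is deliberately kept for older clients, record that in a template comment beside it so the next editor does not "tidy" it away. The `key-exchange` entry `diffie-hellman-group-exchange-sha256` presumably draws its groups from the host's moduli file, which this commit does not touch, so the effective minimum group size depends on that file rather than on this line — worth confirming on the target. Unlike `listen-address`, the three algorithm lists are hard-coded rather than read from pillar, so per-host tuning becomes a template change. The enclosing `service {` block begins outside the hunk.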
@ -889,6 +894,21 @@ system {
{% endfor %}
}
options {
ctrl-alt-del-action ignore
reboot-on-panic true
beep-if-fully-booted
}
sysctl {
all net.ipv4.conf.all.rp_filter {
value 2
}
all net.ipv4.conf.default.rp_filter {
value 2
}
}
syslog {
global {
facility all {
