ssh ciphers and various options

6 years ago · 3a6df16492
parent 88f6215e8b
commit 3a6df16492
2 changed files with 21 additions and 3 deletions
--- a/postconfig.sh
+++ b/postconfig.sh
@ -12,5 +12,3 @@ ipset restore < /config/hphr.ipset

 iptables-restore /config/hphr.rules.v4
 ip6tables-restore /config/hphr.rules.v6
-echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
-echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
--- a/vyos.conf.j2
+++ b/vyos.conf.j2
@ -741,7 +741,9 @@ policy {
            }
            action permit
            set {
-                ipv6-next-hop {{ salt['pillar.get']('protocols:static:blackhole:IPv6') }}
+                ipv6-next-hop {
+                    global {{ salt['pillar.get']('protocols:static:blackhole:IPv6') }}
+                }
            }
        }
    }
@ -838,6 +840,9 @@ service {
    }
    ssh {
        listen-address {{ pillar['service']['ssh']['listen-address'] }}
+        ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+        key-exchange curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+        mac hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    }
 }

@ -889,6 +894,21 @@ system {
 {% endfor %}
    }

+    options {
+        ctrl-alt-del-action ignore
+        reboot-on-panic true
+        beep-if-fully-booted
+    }
+
+    sysctl {
+        all net.ipv4.conf.all.rp_filter {
+            value 2
+        }
+        all net.ipv4.conf.default.rp_filter {
+            value 2
+        }
+    }
+
    syslog {
        global {
            facility all {