Basic Configuration

See OpenSSH Documentation.

Generate Certificates before starting.

Authorized Key Files

Create secured user certificate and directory.
cat {USER}.pub > /etc/ssh/authorized_keys/{USER}
chmod 0755 /etc/ssh/authorized_keys
chmod 0644 /etc/ssh/authorized_keys/{USER}
chown root:root -R /etc/ssh/authorized_keys

Secure SSHD Config

This will provide a default configuration which only allows non-root public key authenticated users to login, chrooted (locked) to /data; and disabling forwarding of all traffic. Public keys are setup to use /etc/authorized_keys/{USER} for authenticating the user.

0644 root root /etc/ssh/sshd_config
# See the sshd_config(5) manpage for details

Port 22
Protocol 2
HostKey /etc/ssh/keys/ssh_host_rsa_key
HostKey /etc/ssh/keys/ssh_host_dsa_key
HostKey /etc/ssh/keys/ssh_host_ecdsa_key
HostKey /etc/ssh/keys/ssh_host_ed25519_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
PubkeyAuthentication yes
# Container start scripts check this location.
AuthorizedKeysFile /etc/authorized_keys/%u
IgnoreRhosts yes
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding no
PrintMotd no
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp
UseDNS no

AllowUsers {USER}

AllowAgentForwarding no
StreamLocalBindUnlink yes
AllowTCPForwarding no
GatewayPorts no
ForceCommand internal-sftp
ChrootDirectory /data

Fail2Ban Config

Setup fail2ban for System before starting.

0644 root root /data/jail.d/docker-sshd.conf
enabled  = true
port     = ssh
filter   = sshd[mode=aggressive]
logpath  = /var/log/syslog
bantime  = -1
findtime = 86400
maxretry = 5
  • Restart f2b-system.

  • Assumes /var/log/syslog is mounted to /var/log/syslog read-only on f2b-system.

  • Attempt an invalid SSH login and watch the docker logs to see if SSH is getting properly identified docker logs f2b-system.