Server Configuration Templates

Different server roles require tailored SSH configurations. Creating role-specific templates ensures consistent security while meeting operational requirements.

High-security server template:

# /etc/ssh/sshd_config.high-security
# Template for high-security servers

# Network settings
Port 22
AddressFamily inet
ListenAddress 0.0.0.0

# Host keys (only secure algorithms)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Authentication
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
# Keyboard-interactive must stay enabled: it is the second factor that
# AuthenticationMethods below requires, and disabling it would lock every
# user out. (OpenSSH 8.7 and later name this KbdInteractiveAuthentication.)
ChallengeResponseAuthentication yes
# The PAM stack supplies the second factor (for example a TOTP module)
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

# User restrictions
AllowGroups ssh-secure
MaxAuthTries 2
MaxSessions 3
LoginGraceTime 30

# Cryptography settings (paranoid mode)
Ciphers [email protected],[email protected]
MACs [email protected],[email protected]
KexAlgorithms curve25519-sha256,[email protected]
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256

# Strict security settings
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitUserEnvironment no
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
# DebianBanner exists only in Debian/Ubuntu builds; other sshd builds reject
# unknown keywords, so drop this line elsewhere
DebianBanner no
PrintMotd no

# Logging
SyslogFacility AUTH
LogLevel VERBOSE

# Session settings
ClientAliveInterval 300
# Since OpenSSH 8.2 a count of 0 disables disconnection entirely; 1 drops a
# client that fails to answer a single keepalive (after 300 s)
ClientAliveCountMax 1
TCPKeepAlive yes
UseDNS no

# Banner
Banner /etc/ssh/security-banner.txt

Development server template with relaxed settings:

# /etc/ssh/sshd_config.development
# Template for development servers

# Basic settings
Port 22
# Protocol 2 is accepted but ignored by OpenSSH 7.4 and later, which speak only protocol 2
Protocol 2

# Authentication (more permissive)
PermitRootLogin prohibit-password
PubkeyAuthentication yes
# Allow password logins during initial setup; disable once keys are deployed.
# (Older OpenSSH releases reject trailing comments, so keep comments on their own line.)
PasswordAuthentication yes
# Space-separated methods are alternatives: a key OR a password is sufficient
AuthenticationMethods publickey password

# Development conveniences
AllowAgentForwarding yes
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PermitTunnel yes

# User access
AllowGroups developers ssh-users
MaxAuthTries 6
MaxSessions 10

# Relaxed timeouts for long-running processes
ClientAliveInterval 120
ClientAliveCountMax 3
LoginGraceTime 120

# Subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
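Templates are only useful if they stay consistent with the role they are meant for, and sshd does not warn about directives that contradict each other (an AuthenticationMethods list that demands keyboard-interactive while that method is disabled, for instance, simply makes every login fail). The following checker is an added example and not part of the original page: it parses flat sshd_config text the way sshd reads its global section (case-insensitive keywords, first occurrence wins, parsing stops at the first Match block), compares each template against a per-role policy, and runs a few cross-directive sanity checks. The POLICIES table and the two abbreviated sample templates are constructed for this example.

```python
"""Check role-specific sshd_config templates against a per-role policy.

Added example, not code from the page. The POLICIES table and the sample
templates below are constructed and abbreviate the two templates above.
"""
from __future__ import annotations

import re

# Constructed samples modelled on the page's two templates.
HIGH_SECURITY = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
AllowGroups ssh-secure
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 1
"""

DEVELOPMENT = """\
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey password
AllowAgentForwarding yes
AllowTcpForwarding yes
X11Forwarding yes
AllowGroups developers ssh-users
ClientAliveInterval 120
ClientAliveCountMax 3
"""

# keyword (lower-case, as sshd compares them) -> value the role requires
POLICIES: dict[str, dict[str, str]] = {
    "high-security": {
        "permitrootlogin": "no",
        "passwordauthentication": "no",
        "allowagentforwarding": "no",
        "allowtcpforwarding": "no",
        "x11forwarding": "no",
        "permittunnel": "no",
        "loglevel": "verbose",
    },
    "development": {
        "permitrootlogin": "prohibit-password",
        "pubkeyauthentication": "yes",
    },
}


def parse_sshd_config(text: str) -> dict[str, list[str]]:
    """Parse flat sshd_config text into {keyword: [args]}.

    Mirrors sshd's rules for the global section: keywords are
    case-insensitive, the first occurrence of a keyword wins, and everything
    after a Match line is conditional, so parsing stops there.
    """
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        args = parts[1].split() if len(parts) == 2 else []
        if key == "match":
            break
        conf.setdefault(key, args)  # first occurrence wins
    return conf


def check_template(text: str, role: str) -> list[str]:
    """Return findings for a template; an empty list means it passes."""
    conf = parse_sshd_config(text)
    findings: list[str] = []

    for key, want in POLICIES[role].items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key}: not set, policy requires '{want}'")
        elif got[0].lower() != want:
            findings.append(f"{key}: is '{got[0]}', policy requires '{want}'")

    # Cross-directive checks that apply to every role.
    methods = set(re.split(r"[\s,]+",
                           " ".join(conf.get("authenticationmethods", [])).lower())) - {""}
    # sshd defaults both to 'yes'; ChallengeResponseAuthentication is the
    # pre-8.7 name of KbdInteractiveAuthentication.
    kbd = (conf.get("kbdinteractiveauthentication")
           or conf.get("challengeresponseauthentication") or ["yes"])[0].lower()
    pwd = conf.get("passwordauthentication", ["yes"])[0].lower()
    if "keyboard-interactive" in methods and kbd != "yes":
        findings.append("authenticationmethods requires keyboard-interactive "
                        "but it is disabled: no login could ever succeed")
    if "password" in methods and pwd != "yes":
        findings.append("authenticationmethods offers password but "
                        "passwordauthentication is no")
    interval = int(conf.get("clientaliveinterval", ["0"])[0])
    count = int(conf.get("clientalivecountmax", ["3"])[0])
    if interval > 0 and count == 0:
        findings.append("clientalivecountmax 0 disables disconnection of "
                        "unresponsive clients (OpenSSH 8.2 and later)")
    return findings


if __name__ == "__main__":
    for role, text in (("high-security", HIGH_SECURITY), ("development", DEVELOPMENT)):
        findings = check_template(text, role)
        print(f"{role}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run it before deploying a template, or wire it into the CI job that renders templates per host role; feeding the development template to the high-security policy reports every relaxed directive, which is exactly the mistake this catches when a template is copied to the wrong host class. The checker deliberately handles only the global section; for templates that use Match blocks, run `sshd -T -C user=...,host=...,addr=...` on the target host to see the effective values.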