Update SSH client alive settings in README

Fix SSH ClientAlive settings and add TCPKeepAlive justification

- Change ClientAliveCountMax example from 0 to 3 (OpenSSH default and CIS benchmark recommended). A value of 0 disables connection termination entirely, allowing dead sessions to persist indefinitely (resource exhaustion risk).

- Change ClientAliveInterval example from 300 to 15. With CountMax 3, unresponsive clients now disconnect after ~45s. (CIS benchmark recommended)

- Add comment explaining why TCPKeepAlive is set to no (spoofable, runs outside the encrypted channel unlike ClientAlive).

- Update sshd -T example output to reflect new values.

Closes #103
moltenbit
2026-03-05 14:25:15 +01:00
committed by GitHub
parent 7f575e6284
commit 5abb8c77cf


@@ -574,7 +574,11 @@ SSH is a door into your server. This is especially true if you are opening ports
UseDNS yes
Compression no
# TCP keepalive is spoofable (runs outside the encrypted channel)
# Use ClientAlive instead (runs inside the encrypted channel)
TCPKeepAlive no
AllowAgentForwarding no
PermitRootLogin no
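Review bot: the new comment above `TCPKeepAlive no` explains why TCP keepalives are rejected but not what replaces them in practice; with `TCPKeepAlive no`, sshd relies entirely on `ClientAliveInterval` and `ClientAliveCountMax` to notice a dead peer, so those two settings must be set together with this one. Suggest extending the second comment line to say so, for example `# Use ClientAlive instead (runs inside the encrypted channel; see ClientAliveInterval/ClientAliveCountMax below)`, so a reader who copies only this fragment does not end up with no liveness checking at all.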
@@ -595,8 +599,8 @@ SSH is a door into your server. This is especially true if you are opening ports
|Setting|Valid Values|Example|Description|Notes|
|--|--|--|--|--|
|<a name="AllowGroups"></a>**AllowGroups**|local UNIX group name|`AllowGroups sshusers`|group to allow SSH access to||
|**ClientAliveCountMax**|number|`ClientAliveCountMax 0`|maximum number of client alive messages sent without response||
|**ClientAliveInterval**|number of seconds|`ClientAliveInterval 300`|timeout in seconds before a response request||
|**ClientAliveCountMax**|number|`ClientAliveCountMax 3`|maximum number of client alive messages sent without response||
|**ClientAliveInterval**|number of seconds|`ClientAliveInterval 15`|timeout in seconds before a response request||
|**ListenAddress**|space separated list of local addresses|<ul><li>`ListenAddress 0.0.0.0`</li><li>`ListenAddress 192.168.1.100`</li></ul>|local addresses `sshd` should listen on|See [Issue #1](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/1) for important details.|
|**LoginGraceTime**|number of seconds|`LoginGraceTime 30`|time in seconds before login times-out||
|**MaxAuthTries**|number|`MaxAuthTries 2`|maximum allowed attempts to login||
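Review bot: the Notes column for both ClientAlive rows is still empty, so the reasoning in the commit message (0 disables termination entirely, 15 x 3 gives roughly 45 s before an unresponsive client is dropped) is not visible to a reader of the table. Suggest putting that in the Notes cells, and tightening the ClientAliveInterval description from "timeout in seconds before a response request" to something like "seconds of inactivity before sshd sends a client-alive request", since the two rows only make sense as a pair.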
@@ -635,8 +639,8 @@ SSH is a door into your server. This is especially true if you are opening ports
> x11displayoffset 10
> maxauthtries 2
> maxsessions 2
> clientaliveinterval 300
> clientalivecountmax 0
> clientaliveinterval 15
> clientalivecountmax 3
> streamlocalbindmask 0177
> permitrootlogin no
> ignorerhosts yes
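Review bot: only the two `clientaliveinterval` / `clientalivecountmax` lines of the `sshd -T` sample were hand-edited; since this block is presented as real command output, it is worth regenerating it from an actual `sshd -T` run against the updated config before merging so that the values, key order and the surrounding lines all match what the tool prints, rather than drifting from it over successive edits.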