Initial commit

services/ssh/ssh.caddy

@@ -0,0 +1 @@
+test

services/ssh/ssh.policy.json

@@ -0,0 +1,12 @@
+{
+    "description": "Allow limited incoming SSH access (TCP/22)",
+    "filter": [
+        {
+            "in": "internet",
+            "out": "_fw",
+            "service": "ssh",
+            "action": "accept",
+	        "conn-limit": { "count": 3, "interval": 30 }
+        }
+    ]
+}

services/ssh/sshd_config

@@ -0,0 +1,25 @@
+# SSHD config. See https://man.openbsd.org/sshd_config
+# https://hackviser.com/tactics/hardening/ssh
+
+# Protocol 2 is more secure
+Protocol 2
+
+# No root login or passwords
+PermitRootLogin no
+PasswordAuthentication no
+AuthenticationMethods publickey
+
+# Allow tunneling, but not with option R (remote)
+AllowTcpForwarding local
+GatewayPorts yes
+
+# override default of no subsystems
+Subsystem	sftp	internal-sftp
+
+# Only allow users that are listed
+AllowUsers admin
+
+# Only allow secure ciphers
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,mlkem768x25519-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+MACs hmac-sha2-256,hmac-sha2-512

services/ssh/update.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+ln -sf ./sshd_config /etc/ssh/sshd_config