System services Secure Shell (SSH) 1000 SSH user/group access controls Allow user/group SSH access #include #include Deny user/group SSH access #include #include Allowed ciphers 3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com (3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|rijndael-cbc@lysator.liu.se|aes128-ctr|aes192-ctr|aes256-ctr|aes128-gcm@openssh.com|aes256-gcm@openssh.com|chacha20-poly1305@openssh.com) Disable IP Address to Hostname lookup Disable password-based authentication Allow dynamic protection Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 u32:1-65535 Time interval in seconds for blocking 120 Remember source IP in seconds before reset their score u32:1-65535 Time interval in seconds 1800 Block source IP when their cumulative attack score exceeds threshold u32:1-65535 Threshold score 30 Always allow inbound connections from these systems ipv4 Address to match against ipv4net IPv4 address and prefix length ipv6 IPv6 address to match against ipv6net IPv6 address and prefix length Allowed key exchange (KEX) algorithms diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256 curve25519-sha256@libssh.org (diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group14-sha256|diffie-hellman-group16-sha512|diffie-hellman-group18-sha512|diffie-hellman-group-exchange-sha1|diffie-hellman-group-exchange-sha256|ecdh-sha2-nistp256|ecdh-sha2-nistp384|ecdh-sha2-nistp521|curve25519-sha256|curve25519-sha256@libssh.org) #include Log level quiet fatal error info verbose quiet stay silent fatal log fatals only error log errors and fatals only info default log level verbose enable logging of failed login attempts (quiet|fatal|error|info|verbose) info Allowed message authentication code (MAC) algorithms hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 umac-64@openssh.com umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com (hmac-sha1|hmac-sha1-96|hmac-sha2-256|hmac-sha2-512|hmac-md5|hmac-md5-96|umac-64@openssh.com|umac-128@openssh.com|hmac-sha1-etm@openssh.com|hmac-sha1-96-etm@openssh.com|hmac-sha2-256-etm@openssh.com|hmac-sha2-512-etm@openssh.com|hmac-md5-etm@openssh.com|hmac-md5-96-etm@openssh.com|umac-64-etm@openssh.com|umac-128-etm@openssh.com) Port for SSH service u32:1-65535 Numeric IP port 22 SSH session rekey limit Threshold data in megabytes u32:1-65535 Megabytes Threshold time in minutes u32:1-65535 Minutes Enable transmission of keepalives from server to client u32:1-65535 Time interval in seconds for keepalive message #include