From 87997bd1f44391460cb9ca6e4f2a934a3fa34992 Mon Sep 17 00:00:00 2001
From: Emmanuel CARRE
Date: Mon, 15 Jun 2020 07:26:59 +0200
Subject: [PATCH 1/2] Add max_startup parameter

Signed-off-by: Emmanuel CARRE
---
 README.md | 3 ++-
 attributes/default.rb | 1 +
 templates/default/opensshd.conf.erb | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 18ab869..20b9392 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,8 @@ override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress']
 * `['ssh-hardening']['ssh']['server']['use_privilege_separation']` - `nil` to calculate the best value based on server version, otherwise set `true` or `false`
 * `['ssh-hardening']['ssh']['server']['login_grace_time']` - `30s`. Time in which the login should be successfully, otherwise the user is disconnected.
 * `['ssh-hardening']['ssh']['server']['max_auth_tries']` - `2`. The number of authentication attempts per connection
-* `['ssh-hardening']['ssh']['server']['max_sessions']` - `10` The number of sessions per connection
+* `['ssh-hardening']['ssh']['server']['max_sessions']` - `10`. The number of sessions per connection
+* `['ssh-hardening']['ssh']['server']['max_startups']` - `10:30:100`. The maximum number of concurrent unauthenticated connections to the SSH daemon.
 * `['ssh-hardening']['ssh']['server']['password_authentication']` - `false`. Set to `true` if password authentication should be enabled
 * `['ssh-hardening']['ssh']['server']['log_level']` - `verbose`. The log level of sshd. See `LogLevel` in `man 5 sshd_config` for possible values.
 * `['ssh-hardening']['ssh']['server']['sftp']['enable']` - `false`. Set to `true` to enable the SFTP feature of OpenSSH daemon
diff --git a/attributes/default.rb b/attributes/default.rb
index 3d5fdbc..e5c800b 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -113,6 +113,7 @@
 server['login_grace_time'] = '30s'
 server['max_auth_tries'] = 2
 server['max_sessions'] = 10
+ server['max_startups'] = '10:30:100'
 server['password_authentication'] = false
 server['log_level'] = 'verbose'
 server['accept_env'] = ['LANG', 'LC_*', 'LANGUAGE']
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
index 69cca58..5bb6e34 100644
--- a/templates/default/opensshd.conf.erb
+++ b/templates/default/opensshd.conf.erb
@@ -95,7 +95,7 @@ PermitUserEnvironment no
 LoginGraceTime <%= @node['ssh-hardening']['ssh']['server']['login_grace_time'] %>
 MaxAuthTries <%= @node['ssh-hardening']['ssh']['server']['max_auth_tries'] %>
 MaxSessions <%= @node['ssh-hardening']['ssh']['server']['max_sessions'] %>
-MaxStartups 10:30:100
+MaxStartups <%= @node['ssh-hardening']['ssh']['server']['max_startups'] %>
 
 # Enable public key authentication
 PubkeyAuthentication yes

From 83403f145e5d8990de76d973ddd7d0610b23cab5 Mon Sep 17 00:00:00 2001
From: Brian Dwyer
Date: Wed, 13 Jan 2021 12:00:46 -0500
Subject: [PATCH 2/2] reduce max startups in accordance with current cis benchmark

ref: https://github.com/dev-sec/ssh-baseline/pull/186

Signed-off-by: Brian Dwyer
---
 README.md | 2 +-
 attributes/default.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 20b9392..a5a764e 100644
--- a/README.md
+++ b/README.md
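Review bot: The new `server['max_startups'] = '10:30:100'` line carries a three-field `start:rate:full` value whose meaning is not explained anywhere in this patch; the README bullet describes only the `full` field ("maximum number of concurrent unauthenticated connections"), so an operator tuning `start` or `rate` has to go to sshd_config(5). Unlike the neighbouring `max_sessions = 10` and `max_auth_tries = 2`, this attribute is a string, which is correct for the colon syntax but worth stating so nobody "fixes" it to an integer. I would put a comment directly above the line: `# MaxStartups start:rate:full — sshd starts randomly refusing new unauthenticated connections once 10 are pending, with probability 30% rising linearly to 100% at 100 (see sshd_config(5)).` The enclosing block that defines `server` begins outside the hunk.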
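Review bot: `MaxStartups <%= @node['ssh-hardening']['ssh']['server']['max_startups'] %>` renders the attribute unguarded, so an override to `nil` or `''` produces a `MaxStartups` line with no argument, which sshd's config parser rejects and the daemon then fails to (re)start — on a hardening cookbook that is a remote lockout on the next converge. The sibling `MaxSessions`/`MaxAuthTries` lines have the same shape, but those are integers while this is the first free-form string in this group, so a malformed value (e.g. `10:30` or a stray space) is now easier to introduce. If the recipe that declares this template resource does not already do so (not visible in this patch), I would add `verify 'sshd -t -f %{path}'` to it so a bad rendering is rejected before it replaces the live config, or at minimum check the attribute against `/\A\d+(:\d+:\d+)?\z/` and `raise` with a clear message when it does not match. The surrounding sshd_config template continues outside the hunk.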
@@ -71,7 +71,7 @@ override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress']
 * `['ssh-hardening']['ssh']['server']['login_grace_time']` - `30s`. Time in which the login should be successfully, otherwise the user is disconnected.
 * `['ssh-hardening']['ssh']['server']['max_auth_tries']` - `2`. The number of authentication attempts per connection
 * `['ssh-hardening']['ssh']['server']['max_sessions']` - `10`. The number of sessions per connection
-* `['ssh-hardening']['ssh']['server']['max_startups']` - `10:30:100`. The maximum number of concurrent unauthenticated connections to the SSH daemon.
+* `['ssh-hardening']['ssh']['server']['max_startups']` - `10:30:60`. The maximum number of concurrent unauthenticated connections to the SSH daemon.
 * `['ssh-hardening']['ssh']['server']['password_authentication']` - `false`. Set to `true` if password authentication should be enabled
 * `['ssh-hardening']['ssh']['server']['log_level']` - `verbose`. The log level of sshd. See `LogLevel` in `man 5 sshd_config` for possible values.
 * `['ssh-hardening']['ssh']['server']['sftp']['enable']` - `false`. Set to `true` to enable the SFTP feature of OpenSSH daemon
diff --git a/attributes/default.rb b/attributes/default.rb
index e5c800b..6bd9418 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -113,7 +113,7 @@
 server['login_grace_time'] = '30s'
 server['max_auth_tries'] = 2
 server['max_sessions'] = 10
- server['max_startups'] = '10:30:100'
+ server['max_startups'] = '10:30:60'
 server['password_authentication'] = false
 server['log_level'] = 'verbose'
 server['accept_env'] = ['LANG', 'LC_*', 'LANGUAGE']
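Review bot: The change to `server['max_startups'] = '10:30:60'` lowers the `full` threshold below the OpenSSH built-in default of `10:30:100`, but the only record of why is the commit message; a future reader of attributes/default.rb will not know this value is benchmark-driven rather than arbitrary. I would add above the line: `# CIS benchmark value; OpenSSH's own default is 10:30:100. Raise 'full' on hosts that legitimately see bursts of new connections (bastions, CI runners) or logins will be refused.` The `start` and `rate` fields are unchanged, so the random-drop behaviour still begins at 10 pending unauthenticated connections; only the hard cutoff moved. The enclosing block that defines `server` begins outside the hunk.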