Following config can provide higher security level while keeping some degree of compatibility and reduce configuration complexity.
WARNING: The following configuration is not compatible with all clients
# Change the port number avoid automated attack Port 2222 # Limit to SSH2 only (the default value) Protocol 2 # Use RSA and Ed25519 host key only HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ed25519_key # Turn on Privilege Separation (should be on by default) UsePrivilegeSeparation sandbox # No root login, obvious PermitRootLogin no # Log the finger print of public key used to login, provide audit trails. Might take up more storage. LogLevel VERBOSE # 2 Factor Authentication. User must present a valid public key first, then enter the correct password to login AuthenticationMethods publickey,password # How fast you can type your password? LoginGraceTime 20 # Key Exchange KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256 # Ciphers Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes128-ctr # MACs MACs [email protected],[email protected],[email protected], # Only allow specific group member login via SSH AllowGroups ssh-user # Renew encryption key every 30 minutes or 1 GB of transferred data (overkill & generate overhead, use with caution, especially on slow network) #RekeyLimit 1G 1800 Remove moduli under 3072 bits for security (Thanks Mozilla)
awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli The security can further improve with more tweaks such as firewall (iptables), fail2ban, Tor hidden service, switch to custom moduli and tcpwrapper, but those topics are out of scope in this answer. Note that the configuration is not completed, you might need other essential parts for the daemon to work. Remember to backup the original config file so you can roll back if any things goes wrong.
