SSH Daemon Configuration Hardening

The real hardening happens in /etc/ssh/sshd_config.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%F)
sudo nano /etc/ssh/sshd_config

Production Configuration

# Network Settings
Port 2222
AddressFamily inet
ListenAddress 0.0.0.0
# Authentication
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
# ChallengeResponseAuthentication is the older spelling of KbdInteractiveAuthentication (OpenSSH 8.7+); both are accepted
ChallengeResponseAuthentication no
UsePAM yes
# Key Types (ED25519 preferred)
# PubkeyAcceptedKeyTypes is the pre-8.5 spelling of PubkeyAcceptedAlgorithms; both are accepted
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256
# Limit user access
AllowUsers deployer sysadmin
# AllowGroups ssh-users
# Session Settings
MaxAuthTries 3
MaxSessions 2
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
# Disable Dangerous Features
X11Forwarding no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Modern Cryptography (2025)
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Security
HostbasedAuthentication no
IgnoreRhosts yes

Validate and Restart

sudo sshd -t
sudo systemctl restart sshd
sudo systemctl status sshd

Danger: Keep your current session open. Open a new terminal and test the connection before closing the original.
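`sshd -t` only confirms that the file parses; `sshd -T` prints the configuration that actually took effect (lowercase keyword plus value, first occurrence of a duplicated directive wins). The following POSIX shell check is an added example, not part of the original guide: it compares an `sshd -T` dump against the hardened values above. The sample dumps it writes are constructed, not captured from a real host.

```sh
# Hardened values from the guide above, written the way `sshd -T` prints them:
# lowercase keyword, one space, value. Extend the list as needed.
EXPECTED='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
maxauthtries 3
maxsessions 2
logingracetime 30
x11forwarding no
allowagentforwarding no
allowtcpforwarding no
permittunnel no
hostbasedauthentication no
ignorerhosts yes
loglevel VERBOSE'

# check_sshd_dump DUMPFILE: print one line per deviation and return 1 if there is any.
check_sshd_dump() {
    dump="$1"; rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        # Take the first line for the keyword, mirroring sshd's first-value-wins rule.
        got=$(awk -v k="$key" 'tolower($1) == k { $1 = ""; sub(/^ /, ""); print; exit }' "$dump")
        [ -n "$got" ] || got='(missing)'
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
            printf '%s: expected %s, got %s\n' "$key" "$want" "$got"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample dumps (not captured from a real host) so the check runs offline.
write_sample_dump() {   # usage: write_sample_dump FILE hardened|stock
    if [ "$2" = hardened ]; then
        printf '%s\n' "$EXPECTED" 'syslogfacility AUTH' 'usepam yes' > "$1"
    else   # typical out-of-the-box values
        printf '%s\n' 'port 22' 'permitrootlogin prohibit-password' 'pubkeyauthentication yes' \
            'passwordauthentication yes' 'permitemptypasswords no' 'maxauthtries 6' 'maxsessions 10' \
            'logingracetime 120' 'x11forwarding yes' 'allowagentforwarding yes' 'allowtcpforwarding yes' \
            'permittunnel no' 'hostbasedauthentication no' 'ignorerhosts yes' 'loglevel INFO' > "$1"
    fi
}

# Demo against the constructed stock dump; on a real host: sudo sshd -T > "$d"
d=$(mktemp); write_sample_dump "$d" stock
check_sshd_dump "$d" || echo "sshd is NOT hardened (see deviations above)"; rm -f "$d"
```

Run it after `systemctl restart sshd` so the dump reflects the service that is actually listening.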

Update Firewall

# UFW (Ubuntu/Debian)
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
sudo ufw reload
# firewalld (RHEL/CentOS)
# On SELinux-enforcing hosts the new port must also be labelled for sshd
# (semanage port -a -t ssh_port_t -p tcp 2222), or sshd will fail to bind it.
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload

Next Steps

Proceed to the Two-Factor Authentication guide.