OpenSSH Server Configuration for Secure Remote Access

Learn how to configure OpenSSH server for secure remote access, including settings for authentication, access control, and encryption, ensuring a robust and secure SSH environment.
Minimal hardened sshd_config

# /etc/ssh/sshd_config
# Validate with `sshd -t` before restarting, and keep an existing session open
# until a fresh login succeeds; a mistake here can lock you out.

# Listen settings (keep 22 unless you have a reason to change it)
Port 22
# SSH-1 was removed in OpenSSH 7.4; modern sshd accepts the Protocol keyword
# as deprecated and ignores it, so this line is harmless but not required
Protocol 2
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Host keys (paths vary by distro; these are common)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Authentication: keys only
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# Deprecated alias of KbdInteractiveAuthentication; kept for older releases
ChallengeResponseAuthentication no
# PAM still runs its account/session checks; with the two settings above it
# has no way to prompt for a password
UsePAM yes

# Disable direct root login
PermitRootLogin no

# Limit who can log in (recommended); replace the placeholder with a real username
AllowUsers <youruser>

# Reduce attack surface
X11Forwarding no
AllowAgentForwarding no
# Disables -L/-R/-D port forwarding; re-enable per user in a Match block if needed
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
PermitUserEnvironment no

# Tighten timeouts / limits
LoginGraceTime 30
MaxAuthTries 3
MaxSessions 2
# Unresponsive clients are dropped after ClientAliveInterval * ClientAliveCountMax = 600 s
ClientAliveInterval 300
ClientAliveCountMax 2

# Crypto: prefer modern algorithms (generally safe on recent OpenSSH)
# sntrup761x25519-sha512@openssh.com needs OpenSSH 8.5 or newer; sshd refuses
# to start on an unknown algorithm name, another reason to run `sshd -t` first
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Logging (VERBOSE records the fingerprint of each key a client presents,
# which lets you attribute a login to a specific key)
LogLevel VERBOSE

# SFTP subsystem (keep enabled if you need SFTP)
# This path is Debian/Ubuntu; RHEL/Fedora use /usr/libexec/openssh/sftp-server
Subsystem sftp  /usr/lib/openssh/sftp-server
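A small audit script, added here as an example (it is not part of this page or of OpenSSH), that reads an sshd_config the way sshd does (case-insensitive keywords, first value wins, the deprecated ChallengeResponseAuthentication alias, Match blocks ending the global section) and reports which of the baseline settings above are missing or differ. The function names, the BASELINE subset and SAMPLE_CONFIG are constructed for the example.

```python
import re
# Hardening baseline from the sshd_config above (sshd matches keywords
# case-insensitively, so keys are lower-case). Example code, not OpenSSH's.
BASELINE = {
    "pubkeyauthentication": "yes", "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no", "permitrootlogin": "no",
    "allowtcpforwarding": "no", "maxauthtries": "3", "loglevel": "verbose",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # deprecated spelling
DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S.*)$")  # 'Key value' or 'Key=value'

def parse_sshd_config(text: str) -> dict[str, str]:
    """Effective global directives under sshd's rules: keywords are
    case-insensitive, the FIRST value seen wins, '#' lines are comments, and
    a Match header ends the global section (the rest is conditional)."""
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"(?i)match\b", line):
            break
        m = DIRECTIVE.match(line)
        if m:
            key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
            effective.setdefault(key, m.group(2).strip())
    return effective

def audit(text: str) -> list[str]:
    """One finding per baseline directive that is absent or differs."""
    effective = parse_sshd_config(text)
    findings = []
    for key, wanted in BASELINE.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies (want {wanted})")
        elif got.lower() != wanted:
            findings.append(f"{key}: is {got!r}, want {wanted!r}")
    return findings

# Constructed sample: duplicated directive (first wins), deprecated alias, '=' syntax, Match block.
SAMPLE_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
MaxAuthTries=6
Match Address 10.0.0.0/8
    AllowTcpForwarding yes
"""
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a host to list the deviations; an empty list means every baseline directive is present with the expected value in the global section.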