Initial commit

services/ssh/sshd_config

@@ -0,0 +1,25 @@
+# SSHD config. See https://man.openbsd.org/sshd_config
+# https://hackviser.com/tactics/hardening/ssh
+
+# Protocol 2 is more secure
+Protocol 2
+
+# No root login or passwords
+PermitRootLogin no
+PasswordAuthentication no
+AuthenticationMethods publickey
+
+# Allow tunneling, but not with option R (remote)
+AllowTcpForwarding local
+GatewayPorts yes
+
+# override default of no subsystems
+Subsystem	sftp	internal-sftp
+
+# Only allow users that are listed
+AllowUsers admin
+
+# Only allow secure ciphers
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,mlkem768x25519-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+MACs hmac-sha2-256,hmac-sha2-512