# Hardened SSHD config
# Reference: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04
# See the sshd_config(5) manpage for details
## Authentication
# Enable public key authentication
PubkeyAuthentication yes
# Disable PAM (when enabled, it can improperly allow access to locked accounts)
# For more info, see https://arlimus.github.io/articles/usepam/
UsePAM no
# Disable password authentication
PasswordAuthentication no
# Disable rhosts authentication
IgnoreRhosts yes
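# Disable challenge-response (keyboard-interactive) authentication
# (deprecated alias for KbdInteractiveAuthentication in OpenSSH 8.7 and later)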
ChallengeResponseAuthentication no
# Disable kerberos authentication
KerberosAuthentication no
## Login
# Disable root login
PermitRootLogin no
# Disallow empty passwords
PermitEmptyPasswords no
# Limit authentication attempts per connection to slow brute-force attacks
MaxAuthTries 3
# Limit the time (in seconds) a client has to authenticate after connecting
LoginGraceTime 20
# Look up the client's hostname and check that it resolves back to the connecting IP address
UseDNS yes
## Security
# Disable X11 forwarding
X11Forwarding no
# Disable environment variable passing
PermitUserEnvironment no
# Disable forwarding/tunneling
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
# Deny vulnerable SSH protocol 1
# (no effect on OpenSSH 7.4 and later, which support only protocol 2)
Protocol 2
# Do not append the distribution suffix to the SSH version banner (Debian/Ubuntu-specific option)
DebianBanner no
## Other features
# Print motd after interactive login
PrintMotd yes
## Notes
# Restricting user shell: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04#step-3-restricting-the-shell-of-a-user
# User-specific hardening: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04#step-4-advanced-hardening