first commit

etc/ssh/ssh_config.d/10-custom.conf

@@ -0,0 +1,2 @@
+GSSAPIAuthentication no
+VerifyHostKeyDNS yes

etc/ssh/sshd_config.d/10-custom.conf

@@ -0,0 +1,43 @@
+# Encryption hardening
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKeyAlgorithms ssh-ed25519
+KexAlgorithms sntrup761x25519-sha512@openssh.com
+PubkeyAcceptedKeyTypes ssh-ed25519
+Ciphers aes256-gcm@openssh.com
+MACs -*
+
+# Security hardening
+AuthenticationMethods publickey
+AuthorizedKeysFile .ssh/authorized_keys
+Compression no
+DisableForwarding yes
+LoginGraceTime 15s
+MaxAuthTries 1
+PermitUserEnvironment no
+PermitUserRC no
+StrictModes yes
+UseDNS no
+
+# Use KeepAlive over SSH instead of with TCP to prevent spoofing
+TCPKeepAlive no
+ClientAliveInterval 15
+ClientAliveCountMax 4
+
+## Use PAM for session checks here but authentication is disabled below
+## Also, this prevents running sshd as non-root
+UsePAM yes
+
+# Disabling unused authentication methods
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+HostbasedAuthentication no
+PasswordAuthentication no
+PermitRootLogin no
+PermitEmptyPasswords no
+KbdInteractiveAuthentication no
+KerberosAuthentication no
+
+# Displaying info
+Banner /etc/issue.net
+PrintLastLog yes
+PrintMotd yes