OpenSSH Daemon

Copy the current active ssh-agent key to the new host before disabling password authentication: ssh-copy-id user@hostname

The following values are changed from their default values in /etc/ssh/sshd_config:

  • Disable root login under any circumstances: PermitRootLogin no
  • Disable password authentification: PasswordAuthentication no
  • Check for inactive connections after 5 minutes: ClientAliveInterval 300
  • Drop inactive connections after 3 tries without response:ClientAliveCountMax 3
  • Allow only known users: AllowUsers user_a user_b user_c@host_x
  • Disable X11-Forwarding (why would you do that on a server?): X11Forwarding no

Install fail2ban to blacklist malicious accesses:

aptitude install fail2ban

Check in /etc/fail2ban/jail.d/defaults-debian.conf that SSH checking is enabled:

enabled = true