Install ssh-audit:

pacman -S ssh-audit

Server

Audit the current server configuration:

ssh-audit localhost

If any fail- or warn-level lines appear in the output, try implementing the following sections. After each change, run sshd -t to check the configuration for syntax errors, restart sshd.service, and re-run ssh-audit; keep an existing SSH session open while testing so that a mistake cannot lock you out.

Explicitly allow only selected algorithms

Restrict the key exchange algorithms, ciphers, message authentication codes, and host key algorithms to the ones recommended by the sshaudit.com hardening guide:

# File: /etc/ssh/sshd_config.d/01-ssh-audit_hardening.conf
# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
# hardening guide.
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com

Note that drop-in files in /etc/ssh/sshd_config.d/ only take effect if /etc/ssh/sshd_config includes them (the default Include sshd_config.d/*.conf line), and that for most keywords the first value sshd reads wins, which is why the file is numbered 01.

Force usage of public key authentication and prevent root login

# File: /etc/ssh/sshd_config.
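ssh-audit tests what the daemon offers on the wire; a complementary check is to compare the effective configuration that sshd -T prints (which already resolves Include files and Match blocks) against the allow-lists above and the authentication settings this section asks for. The script below is an added example, not part of the Arch Wiki or of ssh-audit. The SAMPLE text is a constructed, deliberately weak sshd -T excerpt so the script runs offline; the allow-lists are the ones from the configuration above, and the expected authentication values (PubkeyAuthentication yes, PasswordAuthentication no, KbdInteractiveAuthentication no, PermitRootLogin no) are this editor's reading of the section title, not text from the page.

```shell
#!/bin/sh
# Added example, not from the Arch Wiki or from ssh-audit: check the effective
# sshd configuration (the output of `sshd -T`) against the allow-lists above.
# SAMPLE is a constructed, deliberately weak excerpt so the script runs
# offline; on a real host feed it `sshd -T` output instead.

ALLOWED_KEX='sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256'
ALLOWED_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
ALLOWED_MACS='hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com'
ALLOWED_HOSTKEYS='ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com'

# Constructed `sshd -T` excerpt (sshd prints keywords in lower case).
SAMPLE='kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,diffie-hellman-group14-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
permitrootlogin prohibit-password'

# Print the effective value of keyword $2 from the `sshd -T` text $1.
effective_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Print one "FAIL <keyword> <algorithm>" line for every algorithm in keyword $2
# of config $1 that is missing from the comma-separated allow-list $3.
# Returns 1 if anything was reported, 0 if the list is clean.
check_algorithms() {
    bad=0
    for algo in $(effective_value "$1" "$2" | tr ',' ' '); do
        case ",$3," in
            *",$algo,"*) ;;
            *) printf 'FAIL %s %s\n' "$2" "$algo"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Print a FAIL line if keyword $2 of config $1 does not have the value $3.
# A keyword that is missing from the text counts as a failure.
check_option() {
    got=$(effective_value "$1" "$2")
    [ "$got" = "$3" ] && return 0
    printf 'FAIL %s is "%s", want "%s"\n' "$2" "$got" "$3"
    return 1
}

# Run every check for the two sections above on config $1.
# Returns 1 if any check reported a finding, 0 if the config is clean.
audit_effective_config() {
    rc=0
    check_algorithms "$1" kexalgorithms     "$ALLOWED_KEX"      || rc=1
    check_algorithms "$1" ciphers           "$ALLOWED_CIPHERS"  || rc=1
    check_algorithms "$1" macs              "$ALLOWED_MACS"     || rc=1
    check_algorithms "$1" hostkeyalgorithms "$ALLOWED_HOSTKEYS" || rc=1
    check_option "$1" pubkeyauthentication         yes || rc=1
    check_option "$1" passwordauthentication       no  || rc=1
    check_option "$1" kbdinteractiveauthentication no  || rc=1
    check_option "$1" permitrootlogin              no  || rc=1
    return "$rc"
}

# Stand-alone run against the constructed sample. On a real host, as root:
#   cfg=$(sshd -T); audit_effective_config "$cfg"
audit_effective_config "$SAMPLE" || echo 'effective sshd config needs hardening'
```

Checking sshd -T rather than the files on disk catches the common mistake of a drop-in that is never included, or an earlier file that already set the keyword, because sshd -T reports the value the daemon will actually use.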
Goodbye keyboards and monitors!
Use autossh and a systemd service…
There is no need to enable a full login shell if the only intended usage is proxying or tunneling.
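One way to build such a forwarding-only account, as an added example that is not part of the Arch Wiki page: the key is limited on the client side of the trust boundary with authorized_keys options (restrict switches off pty allocation, agent and X11 forwarding and rc files; port-forwarding switches forwarding back on; permitopen bounds the targets), and the same limits are repeated server-side in a Match block so they survive a later edit of the key file. The user name tunnel, the targets and the public key are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Arch Wiki): generate the configuration for a
# forwarding-only SSH account. User name, targets and key are constructed.

# Build the authorized_keys option string for a key that may only forward
# ports to the space-separated host:port list $1.
tunnel_only_key_options() {
    opts='restrict,port-forwarding'
    for target in $1; do
        opts="$opts,permitopen=\"$target\""
    done
    printf '%s' "$opts"
}

# Print an authorized_keys line for public key $2 limited to targets $1.
tunnel_only_authorized_key() {
    printf '%s %s\n' "$(tunnel_only_key_options "$1")" "$2"
}

# Print the server-side Match block for user $1 allowed to reach targets $2
# (PermitOpen takes a space-separated list). No PTY, no device tunnels, no
# agent or X11 forwarding, and no remote (-R) listeners.
tunnel_only_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    AllowTcpForwarding yes\n'
    printf '    PermitOpen %s\n' "$2"
    printf '    PermitListen none\n'
    printf '    PermitTTY no\n'
    printf '    PermitTunnel no\n'
    printf '    X11Forwarding no\n'
    printf '    AllowAgentForwarding no\n'
}

# Constructed demo input: a database on the host itself and one internal box.
TARGETS='127.0.0.1:5432 10.0.0.5:22'
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotARealKey0000000000 tunnel@example'

echo '# ~tunnel/.ssh/authorized_keys'
tunnel_only_authorized_key "$TARGETS" "$KEY"
echo
echo '# /etc/ssh/sshd_config.d/50-tunnel.conf'
tunnel_only_match_block tunnel "$TARGETS"
```

Create the account without a usable shell, for example useradd -r -m -s /usr/bin/nologin tunnel on Arch; an interactive login then fails immediately, while ssh -N -L 5432:127.0.0.1:5432 tunnel@host still works because -N never requests a shell. The Match block above must come after any global options in the final sshd configuration, since everything following a Match line until the next Match applies only to that user.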