Single Node with X11 and Firewall

The ssh -X command enables X11 forwarding, letting remote Linux GUI apps display locally.
Linux supports this natively with X11 libraries and forwarding enabled on both ends.
On macOS, X11 isn’t built in. To use ssh -X, you must install and run XQuartz before connecting.
On Windows, use MobaXterm (all-in-one SSH + X11 client) or Cygwin/X (Unix-like environment with X11 support).

How X11 renders the image/window: X11 uses a slightly reversed naming model. The GUI program running on the remote Linux host is the X client, while your local desktop runs the X server. When you use ssh -X, the remote application does not normally render a full desktop on the server. Instead, it sends X11 protocol messages through the SSH tunnel to your local X server, and your local machine draws the window, handles the keyboard/mouse input, and displays the final image on your screen.

sshd_config_firewall_X11

Configured for running X11 with firewall.


#########################################################
# https://hiddenssh.com/firewall-x11                    #
#                                                       #
# sshd_config_firewall_X11                              #
# Version 1.2                                           #
# Minor text edit fixes, and tweaks.                    #
#                                                       #
# Standard practice: keep a known-good recovery backup  #
# https://hiddenssh.com/backup-sshd-config              #
#########################################################
# Notes: if sshd reports problems, run the following commands.
# mkdir -p /run/sshd
# chmod 0755 /run/sshd
# chown root:root /run/sshd

# Network
# -------
# If you want to change the port on a SELinux host (enforcing mode),
# you need to tell SELinux to allow the new port:
# semanage port -a -t ssh_port_t -p tcp 2222
# Port tcp/22 is usually priority traffic, but that depends on network rules.
Port 22
Protocol 2
# Define the address family. If you only listen on IPv4 but run both IPv4 and IPv6,
# keep in mind you need to firewall twice: rules for IPv4 and rules for IPv6.
# This is NOT recommended!
# AddressFamily any = IPv4 & IPv6
# AddressFamily inet = IPv4
# AddressFamily inet6 = IPv6
AddressFamily inet
# Use a dedicated IP for sshd, taken from a different network block.
# Trick from the 90s, credits "(Big Blue/IBM) worker".
# Given today's IPv4 shortage, this only works with IPv6 today.
# NOTE: using the wildcard (*) is not recommended.
# *Change me*
ListenAddress 192.168.0.1
# (VPN) If you are using a VPN, you need to listen on the IPv4 address inside the tunnel.
# Not recommended; it adds another link to the chain of failure.
#ListenAddress 10.0.0.1
TCPKeepAlive yes
# WARNING
AllowAgentForwarding no
# https://hiddenssh.com/ssh-socks5-proxy
AllowTcpForwarding yes
# https://hiddenssh.com/ssh-tunnel
PermitTunnel yes
# https://hiddenssh.com/reverse-tunnel
GatewayPorts yes

# Firewall
# ---------
# See https://hiddenssh.com/cloud-single-node: OpenSSH Application Level Firewall.
# *Change me*
AllowUsers user1@192.168.0.10 user2@10.0.0.10

# Daemon
# -------
PidFile /var/run/sshd.pid

# Encryption
# ----------
# Run: ssh -Q cipher to check which encryption ciphers your sshd was compiled with/supports.
# aes256-cbc uses AES in cipher-block chaining (CBC) mode, which can be vulnerable to certain attacks if not used correctly.
# aes256-gcm@openssh.com uses AES in Galois/Counter Mode (GCM), which provides both encryption and authentication,
# making it resistant to certain types of attacks. However, it may not be as widely supported; use aes256-ctr if aes256-gcm@openssh.com breaks.
# twofish256-ctr is a good option but not supported by all systems.
# chacha20-poly1305@openssh.com: the ChaCha20 stream cipher is generally faster than AES on CPUs without AES hardware acceleration.
# Run: cat /proc/cpuinfo to check for the accelerator flags.
Ciphers aes256-gcm@openssh.com
# If you want to choose one MAC algorithm for the best security, hmac-sha2-512-etm@openssh.com would be the best choice.
MACs hmac-sha2-512-etm@openssh.com
# Profile(Hardware Security Key)
#KexAlgorithms curve25519-sha256@libssh.org
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# Public key types accepted
# NIST P-curves are possibly back-doored by the U.S. National Security Agency.
# ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
# You should preferably ONLY use ed25519 if possible.
# Profile(Hardware Security Key)      
#PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com
# *Change me*
PubkeyAcceptedKeyTypes ssh-rsa,rsa-sha2-512,ssh-ed25519-cert-v01@openssh.com
# Profile(Hardware Security Key) 
#RekeyLimit 20G 8h
# Profile(file based)
RekeyLimit 20G 1h
# SSH compression can leak secrets via side-channel attacks: if attacker-controlled text is compressed with secrets, 
# output size changes reveal matching bytes, enabling gradual secret recovery. 
# Profile(hardened): Disable compression.
Compression no
# Profile(Large data traffic):
#Compression delayed 

# Hardening login
# ---------------
LoginGraceTime 5m
StrictModes yes
MaxAuthTries 5
MaxSessions 5
MaxStartups 10:30:100
ChallengeResponseAuthentication no
UseDNS yes
# Probes for dead/unresponsive sessions every N seconds; 0 disables the server-side probes.
ClientAliveInterval 0
ClientAliveCountMax 3
# Passwords are legacy and increasingly deprecated.
PasswordAuthentication no
# Never put this to yes! 
PermitEmptyPasswords no
# Warning: will break some systems (disables the /etc/shadow file).
UsePAM no
# Disable functions
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
# Disable users
PermitRootLogin no
DenyUsers root guest nobody ubuntu admin administrator user test guest webmaster backup ftp ssh postgres mysql oracle tomcat apache www-data git docker mail pi
DenyGroups root guest nobody ubuntu

# Keys Settings
# -------------
PubkeyAuthentication yes
# AuthorizedKeysFile /etc/ssh/%u tells sshd to look for each user’s allowed SSH public keys in /etc/ssh/ 
# (e.g., /etc/ssh/user1) instead of ~/.ssh/authorized_keys.
# touch /etc/ssh/user1
# chmod 0644 /etc/ssh/user1
# chown root:root /etc/ssh/user1
# Profile(SELinux): chcon -v system_u:object_r:sshd_key_t:s0 /etc/ssh/user1 && restorecon -v /etc/ssh/user1
# Profile(OpenRC): /etc/init.d/sshd reload 
# Profile(Systemd): systemctl reload sshd
#AuthorizedKeysFile /etc/ssh/%u
#
# Classic ~/.ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_backup
#
# Certificate File
#TrustedUserCAKeys /etc/ssh/certificate-auth/user1-hiddenssh-cert.pub
# AuthorizedPrincipalsFile is mainly relevant when you use an SSH CA.
#AuthorizedPrincipalsFile none

# Logging
# sshd keeps the first value it reads for a keyword, so only one SyslogFacility line takes effect.
SyslogFacility AUTH
#SyslogFacility AUTHPRIV
LogLevel INFO

# Info
# ----
# Greeting for brute-forcers; shows up as:
# debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7 HiddenSSH-cloud
# debug1: compat_banner: match: OpenSSH_8.7 HiddenSSH-cloud pat OpenSSH* compat 
# *Change me*
VersionAddendum hiddenssh-firewall-x11
# Print before login
Banner /etc/ssh/login.txt
# Print /etc/motd at successful login
PrintMotd yes
# Show last login IPs
PrintLastLog yes

# X11 / Window manager
# --------------------
# https://hiddenssh.com/xquartz
# Read https://hiddenssh.com/bash/ and https://hiddenssh.com/zsh: XQuartz and .bashrc
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# System Tweaks
# -------------
# Allows SSH sessions to allocate a terminal (normal interactive shell)
PermitTTY yes
PermitUserEnvironment yes
ChrootDirectory none
# Disables external key lookup helpers, such as scripts that fetch keys from LDAP, HTTP APIs, databases, etc. This reduces attack surface.
AuthorizedKeysCommand none
AuthorizedKeysCommandUser nobody
# Needed for: SCP, sshfs (disable if you don't use them).
# Recommended: rsync -azvP -e "ssh" file.txt user1@host:/tmp/file.txt (no sftp needed)
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Environment variables
# --------------------- 
# https://hiddenssh.com/sshd-env
# echo $hiddenssh
# env
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AcceptEnv hiddenssh oraclesecretkey oracleauthtoken cloudflaretoken openaikey

# Centralized Authentication
# --------------------------
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
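As an added example (not from the page or hiddenssh.com), a small Python audit of an sshd_config that applies OpenSSH's first-value-wins rule for repeated keywords and then checks points the comments above raise: ignored duplicates, ssh-rsa in PubkeyAcceptedKeyTypes, AllowUsers entries without a @host part, and X11UseLocalhost. The embedded config text is a constructed excerpt modelled on the file above, not the live file.

```python
import re

# Constructed excerpt modelled on the config above; not the live /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = """\
Port 22
AllowUsers user1@192.168.0.10 user2@10.0.0.10 user3
PubkeyAcceptedKeyTypes ssh-rsa,rsa-sha2-512,ssh-ed25519-cert-v01@openssh.com
PasswordAuthentication no
PermitRootLogin no
SyslogFacility AUTH
SyslogFacility AUTHPRIV
X11Forwarding yes
X11UseLocalhost yes
"""

# sshd_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
_LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

def parse_sshd_config(text):
    """Return (effective, shadowed). sshd keeps the FIRST value it reads for a
    keyword; later repeats are silently ignored. Match blocks are not modelled."""
    effective, shadowed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        m = _LINE_RE.match(line)
        if not m:
            continue                      # keyword with no value; sshd would reject it
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in effective:
            shadowed.append((lineno, key, value))
        else:
            effective[key] = value
    return effective, shadowed

def audit_sshd_config(text):
    """Flag ignored duplicates and the points the commented config above calls out."""
    eff, shadowed = parse_sshd_config(text)
    findings = [f"line {n}: duplicate {k} ignored; first value {eff[k]!r} wins" for n, k, _ in shadowed]
    keytypes = [t.strip() for t in eff.get("pubkeyacceptedkeytypes", "").split(",")]
    if "ssh-rsa" in keytypes:
        findings.append("ssh-rsa allows SHA-1 RSA signatures (off by default since OpenSSH 8.8); rsa-sha2-512 covers RSA keys")
    for entry in eff.get("allowusers", "").split():
        if "@" not in entry:              # user@host is what makes AllowUsers an address filter
            findings.append(f"AllowUsers entry {entry!r} has no @host part, so it is not limited by source address")
    if eff.get("x11forwarding", "no").lower() == "yes" and eff.get("x11uselocalhost", "yes").lower() != "yes":
        findings.append("X11Forwarding is on but X11UseLocalhost is not yes: the proxy display binds all interfaces")
    return findings
```

Run audit_sshd_config on the text of your own sshd_config to see which of the repeated keywords are silently dropped.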

X11 config

Config for /etc/X11/xinit/xserverrc. It needs to be set correctly for X11 forwarding to work.


#!/bin/sh
# This is the startup script for the X server (used by startx or Xinit)

# Start the X server binary, replacing the shell with it
# --------------------------------------------------------

# /usr/bin/X        = main X11 server binary
# -nolisten tcp     = disables direct remote TCP connections (increases security)
#                     SSH X11 forwarding still works — it uses 127.0.0.1 (loopback)
#                     for DISPLAY like localhost:10.0 forwarded via SSH tunnel
# -dpi 220          = sets the DPI (dots per inch) for scaling fonts/UI
# "$@"              = passes any additional arguments from caller (startx, etc)

exec /usr/bin/X -nolisten tcp -dpi 220 "$@"
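To tie the client/server model from the introduction to the -nolisten tcp flag above, here is an added Python helper (not part of the page) that classifies a DISPLAY value as seen inside the SSH session on the remote host; the offset of 10 comes from the X11DisplayOffset line in the sshd_config above.

```python
import re

# X11 DISPLAY syntax: [hostname]:displaynumber[.screennumber]
_DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<num>\d+)(?:\.(?P<screen>\d+))?$")

# Taken from the sshd_config above: X11DisplayOffset 10 means forwarded
# sessions get display numbers 10 and up on the remote host.
X11_DISPLAY_OFFSET = 10

def classify_display(display, offset=X11_DISPLAY_OFFSET):
    """Say how a DISPLAY value seen inside the SSH session reaches an X server.

    Returns (kind, tcp_port): tcp_port is 6000 + display number for the TCP
    transports, None for the unix socket. Kinds:
      unix-socket    ":0"            X server on this host via /tmp/.X11-unix
      ssh-forwarded  "localhost:10"  sshd's loopback listener (X11UseLocalhost
                                     yes), relayed to the X server on your desktop
      loopback-tcp   "localhost:1"   loopback TCP below the offset, i.e. an
                                     X server running on the remote host itself
      remote-tcp     "host:0"        direct TCP to another machine; needs an X
                                     server listening on TCP, which the
                                     xserverrc above disables with -nolisten tcp
    """
    m = _DISPLAY_RE.match(display or "")
    if not m:
        return ("invalid", None)
    host, num = m.group("host"), int(m.group("num"))
    if host in ("", "unix"):
        return ("unix-socket", None)
    port = 6000 + num
    if host in ("localhost", "127.0.0.1", "::1"):
        return ("ssh-forwarded" if num >= offset else "loopback-tcp", port)
    return ("remote-tcp", port)
```

Inside an ssh -X session, echo $DISPLAY should classify as ssh-forwarded; anything else means the GUI app is not going through the tunnel.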