Single Node

sshd_config Single Node

sshd_config_single_node v1.22 is a hardened OpenSSH configuration optimized for standalone servers.
It prioritizes strong cryptography, disables risky features like root login, agent forwarding, and password auth, and is tuned for performance and clarity.
Ideal for setups requiring strict SSH policies without centralized authentication tools.


#########################################################
# https://hiddenssh.com/single-node                     #
#                                                       #
# sshd_config_single_node                               #
# Version 1.22                                          #
# Minor text edit fixes, and tweaks.                    #
#                                                       #
# Standard practice: keep a known-good recovery backup  #
# https://hiddenssh.com/backup-sshd-config              #
#########################################################
# Notes: if sshd complains about /run/sshd, run the following commands:
# mkdir -p /run/sshd
# chmod 0755 /run/sshd
# chown root:root /run/sshd

# Network
# -------
# If you change the port on a system with SELinux in enforcing mode,
# you also need to allow sshd to use the new port in SELinux policy:
# semanage port -a -t ssh_port_t -p tcp 2222
# Port tcp/22 is usually treated as priority traffic, but that depends on network rules.
Port 22
Protocol 2
# Address family: if you only listen on IPv4 while the host also uses IPv6,
# keep in mind you need to firewall twice (rules for IPv4 and for IPv6).
# This is NOT recommended!
# AddressFamily any = IPv4 & IPv6
# AddressFamily inet = IPv4
# AddressFamily inet6 = IPv6
AddressFamily inet
# Use a dedicated IP for sshd from a different network block;
# a trick from the 90s, credits "(Big Blue/IBM) worker".
# Given today's IPv4 shortage, this only works with IPv6.
# NOTE: using the wildcard (*) is not recommended.
# *Change me*
ListenAddress 192.168.0.1
# (VPN) If you are using a VPN, you need to listen on the IPv4 address inside the tunnel.
# Not recommended; it adds another link to the chain of failure.
#ListenAddress 10.0.0.1
# *Change me*
TCPKeepAlive yes
# WARNING
AllowAgentForwarding no
# https://hiddenssh.com/ssh-socks5-proxy
AllowTcpForwarding no
# Tunnels
# The GatewayPorts option controls whether remote hosts are allowed to connect to these forwarded ports.
# If GatewayPorts is set to no, only the local machine can connect to the forwarded port,
# and remote hosts are not allowed to connect. If GatewayPorts is set to yes, remote hosts are allowed to connect to the forwarded port.
# By default, GatewayPorts is set to no, which means that remote hosts are not allowed to connect to forwarded ports.
# This can help to prevent unauthorized access to local network services through the secure tunnel.
# https://hiddenssh.com/ssh-tunnel
PermitTunnel no
GatewayPorts no

# Encryption
# ---------- 
# Syntax: ssh -Q cipher lists the encryption ciphers your OpenSSH build was compiled with/supports.
# aes256-cbc uses AES in cipher-block chaining (CBC) mode, which can be vulnerable to certain attacks if not used correctly.
# aes256-gcm@openssh.com uses AES in Galois/Counter Mode (GCM), which provides both encryption and authentication, 
# making it resistant to certain types of attacks. However, it may not be as widely supported as other ciphers.
# twofish256-ctr is a good option, but it is not supported by all systems.
# The main advantage of chacha20-poly1305@openssh.com is its performance. 
# The ChaCha20 stream cipher is generally faster than AES, on systems without hardware support for AES-NI instructions.
# Check /proc/cpuinfo (cat /proc/cpuinfo) for the CPU flags.
# On Intel systems, the AES-NI (Advanced Encryption Standard New Instructions) instruction set is used for hardware acceleration 
# of AES encryption and decryption operations. It is a set of instructions built into the CPU
# that can significantly speed up AES encryption and decryption operations.
# ARM CPUs include the Cryptography Extensions (CryptoExt) that provide hardware acceleration for AES encryption
# and decryption, as well as other cryptographic functions. These extensions are available on ARMv8 (64-bit) and later architectures.
# AMD CPUs have the Advanced Encryption Standard (AES) instruction set that provides hardware acceleration for AES 
# encryption and decryption. This instruction set is available on AMD processors that support the AMD64 instruction set.
Ciphers aes256-ctr,aes256-gcm@openssh.com
# If you want to choose one MAC algorithm for the best security, hmac-sha2-512-etm@openssh.com would be the best choice.
MACs hmac-sha2-512-etm@openssh.com
# NIST P-curves are possibly backdoored by the U.S. National Security Agency.
# ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
# The following key exchange algorithms are considered to be secure: curve25519-sha256@libssh.org.
# Profile(Hardware Security Key)
KexAlgorithms curve25519-sha256@libssh.org
# RSA host key is needed for backward compatibility in many systems.
# SHA-1 has exploitable weaknesses.
#HostKey /etc/ssh/ssh_host_rsa_key
# Possible backdoor.
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Most secure option.
HostKey /etc/ssh/ssh_host_ed25519_key
HostbasedAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
# Profile(Hardware Security Key)
RekeyLimit 10G 8h
# SSH compression can leak secrets via side-channel attacks: if attacker-controlled text is compressed with secrets, 
# output size changes reveal matching bytes, enabling gradual secret recovery. 
# Profile(hardened): Disable compression.
# Profile(Large data traffic): Not a good idea, compression is recommended on large data flows.
Compression no

# Firewall
# ---------
# See https://hiddenssh.com/cloud-single-node: OpenSSH application-level firewall.
# *Change me*
AllowUsers user1@192.168.0.10 user2@10.0.0.10

# Hardening login
# ---------------
# Warning: will break some systems (disables PAM, including its /etc/shadow password checks)
# PAM is a modular authentication mechanism used by Linux and Unix systems that enables 
# users to authenticate using a variety of methods, including passwords.
# Overall, while disabling PAM can improve security in some cases, it should be done with caution. 
# Using public/private keys is a much more secure way of accessing your system than relying on passwords.
UsePAM no
LoginGraceTime 5m
StrictModes yes
# MaxAuthTries limits the number of authentication attempts allowed on a single connection.
# A low value discourages attackers from brute-forcing passwords.
# When the limit is reached, the SSH server disconnects the client:
# the session is terminated, but the IP address is not automatically banned.
MaxAuthTries 5
MaxSessions 5
MaxStartups 10:30:100
# Probes dead/unresponsive sessions; 0 disables the probes, a positive value is the interval in seconds.
ClientAliveInterval 0
ClientAliveCountMax 5
# NEVER allow root login or empty passwords.
PermitRootLogin no
DenyUsers root guest nobody ubuntu administrator user test webmaster backup ftp ssh postgres mysql oracle tomcat apache www-data git docker mail pi
DenyGroups root guest nobody ubuntu
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UseDNS yes
# Allows SSH sessions to allocate a (terminal/normal interactive shell)
PermitTTY yes
# Needed for SCP and sshfs (disable if you don't use them).
# Recommended: rsync -azvP -e "ssh" file.txt user1@host:/tmp/file.txt (No sftp needed)
Subsystem sftp /usr/libexec/openssh/sftp-server
# No AuthorizedKeysCommand is set, so sshd never runs external key lookup helpers (scripts that fetch keys
# from LDAP, HTTP APIs, databases, etc.), which reduces attack surface. AuthorizedKeysCommandUser only
# takes effect once such a command is configured; it is pinned to an unprivileged account here.
AuthorizedKeysCommandUser nobody
KerberosAuthentication no
#KerberosOrLocalPasswd no
#KerberosTicketCleanup no
#KerberosUseKuserok no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck no
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Xorg Settings (if you use X11, switch to: https://hiddenssh.com/firewall-x11) 
X11Forwarding no
X11UseLocalhost no
# chroot jail
ChrootDirectory none
# User Settings
# -------------
# With this option set to "yes", users can set arbitrary environment variables that can potentially override system settings
# or perform unauthorized actions. This is especially dangerous if the user connecting via SSH has administrative privileges.
# Note: PermitUserEnvironment is a global option and is not accepted inside Match blocks. Per-user overrides
# (e.g. "Match User user1,user2") belong at the end of the file, because every directive after a Match line
# is part of that block until the next Match.
# *Change me*
PermitUserEnvironment no
# Passwords are legacy and increasingly deprecated.
PasswordAuthentication no
PubkeyAuthentication yes

# Daemon
# -------
PidFile /var/run/sshd.pid

# Logging
# -------
# sshd uses only the first value given for a keyword, so list a single facility
# (a second SyslogFacility line would be ignored).
SyslogFacility AUTH
LogLevel INFO

# Info
# ----
# Greeting for brute-forcers; shows up in client debug output as:
# debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7 HiddenSSH-single-node
# debug1: compat_banner: match: OpenSSH_8.7 HiddenSSH-single-node pat OpenSSH* compat 
# *Change me*
VersionAddendum HiddenSSH-single-node
# Print before login
Banner /etc/ssh/login.txt
# Print /etc/motd at successful login
PrintMotd yes
# Show last login IPs
PrintLastLog yes

# Keys Settings
# -------------
# AuthorizedKeysFile /etc/ssh/%u tells sshd to look for each user’s allowed SSH public keys in /etc/ssh/ 
# (e.g., /etc/ssh/user1) instead of ~/.ssh/authorized_keys.
# touch /etc/ssh/user1
# chmod 0644 /etc/ssh/user1
# chown root:root /etc/ssh/user1
# Profile(SELinux): chcon -v system_u:object_r:sshd_key_t:s0 /etc/ssh/user1 && restorecon -v /etc/ssh/user1
# Profile(OpenRC): /etc/init.d/sshd reload 
# Profile(Systemd): systemctl reload sshd
#AuthorizedKeysFile /etc/ssh/%u
#
# To add a backup key correctly see: https://hiddenssh.com/backup-key
# Classic ~/.ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_backup
#
# Certificate File
#TrustedUserCAKeys /etc/ssh/certificate-auth/user1-hiddenssh-cert.pub
# AuthorizedPrincipalsFile is mainly relevant when you use an SSH CA.
#AuthorizedPrincipalsFile none

# Host-Based Authentication
# -------------------------
# Allows SSH login based on the identity of the client host, not just the user.
# The server verifies that the connecting client machine has a trusted SSH host key
# and that the user/host combination is permitted by host-based trust rules.
# This uses host trust files such as /etc/ssh/ssh_known_hosts and host access
# files such as /etc/hosts.equiv, /etc/shosts.equiv, ~/.rhosts, or ~/.shosts,
# depending on configuration.
# Usually keep this disabled unless you specifically manage trusted host-based
# login in a controlled environment.
HostbasedAuthentication no
# IgnoreUserKnownHosts is a server-side setting for host-based authentication:
# with "yes", sshd ignores each user's ~/.ssh/known_hosts and trusts only the
# system-wide /etc/ssh/ssh_known_hosts when verifying a client host's key,
# so individual users cannot add trusted hosts on their own.
IgnoreUserKnownHosts yes
# Host-based authentication via these files can be insecure,
# as they provide no strong authentication.
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Environment variables
# --------------------- 
# https://hiddenssh.com/sshd-env
# echo $hiddenssh
# env
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AcceptEnv hiddenssh oraclesecretkey oracleauthtoken cloudflaretoken openaikey
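Two pitfalls in a file like this one are easy to miss by eye: sshd keeps only the first value it reads for a keyword (a second SyslogFacility line is silently ignored), and every directive after a Match line belongs to that block until the next Match, where only a subset of keywords is accepted (a stray "Match all" before global options like PidFile makes sshd -t reject the file). The following linter, an added example that is not part of the hiddenssh.com configuration, implements both checks plus a short list of directives this profile wants set to "no". MATCH_ALLOWED is the subset of Match-able keywords relevant to this file, not the full list from sshd_config(5), and the SAMPLE text is constructed.

```python
"""Lint an sshd_config text for the pitfalls shown in this file.

Added example (not part of the hiddenssh.com configuration). The three checks
follow sshd_config(5) semantics:
  * outside Match blocks, sshd uses the FIRST value read for a keyword, so a
    repeated keyword (two SyslogFacility lines) is silently ignored;
  * every directive after a "Match" line belongs to that block until the next
    Match, and only a subset of keywords is accepted there (sshd -t rejects
    the file otherwise);
  * a few directives are only safe as "no" in this profile (constructed list).
"""
import re
from typing import Dict, List, Optional, Tuple

# Keywords sshd_config(5) accepts inside Match blocks; the subset relevant to
# this file rather than the full list. PermitUserEnvironment, PidFile,
# SyslogFacility and VersionAddendum are deliberately absent: they are global only.
MATCH_ALLOWED = {
    "acceptenv", "allowagentforwarding", "allowtcpforwarding", "allowusers",
    "authorizedkeyscommand", "authorizedkeyscommanduser", "authorizedkeysfile",
    "authorizedprincipalsfile", "banner", "chrootdirectory", "clientalivecountmax",
    "clientaliveinterval", "denygroups", "denyusers", "forcecommand",
    "gatewayports", "gssapiauthentication", "hostbasedauthentication",
    "ignorerhosts", "kerberosauthentication", "loglevel", "maxauthtries",
    "maxsessions", "passwordauthentication", "permitemptypasswords",
    "permitrootlogin", "permittty", "permittunnel", "pubkeyauthentication",
    "rekeylimit", "trustedusercakeys", "x11forwarding", "x11uselocalhost",
}

# Directives this hardened profile wants set to "no"; anything else is reported.
MUST_BE_NO = {
    "permitrootlogin", "passwordauthentication", "permitemptypasswords",
    "permituserenvironment", "allowagentforwarding", "allowtcpforwarding",
    "permittunnel", "gatewayports", "x11forwarding",
}

# Constructed sample reproducing the shape of the config on this page.
SAMPLE = """\
# constructed sample, not a real host's config
Port 22
PermitRootLogin no
SyslogFacility AUTH
SyslogFacility AUTHPRIV
PermitUserEnvironment no
     Match user user1,user2
Match all
    PermitUserEnvironment no
PasswordAuthentication no
PidFile /var/run/sshd.pid
"""


def lint_sshd_config(text: str) -> List[str]:
    """Return human-readable findings for one sshd_config text (empty = clean)."""
    findings: List[str] = []
    first_seen: Dict[str, int] = {}             # global keyword -> line of effective value
    match: Optional[Tuple[int, str]] = None     # (line, criteria) of the open Match block
    directives_in_match = 0

    def close_match() -> None:
        if match is not None and directives_in_match == 0:
            findings.append(f"line {match[0]}: 'Match {match[1]}' block has no directives")

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            close_match()
            match, directives_in_match = (lineno, value), 0
            continue
        if match is not None:
            directives_in_match += 1
            if key not in MATCH_ALLOWED:
                findings.append(f"line {lineno}: '{parts[0]}' is not allowed inside "
                                f"'Match {match[1]}' (sshd -t rejects the file)")
        elif key in first_seen:
            findings.append(f"line {lineno}: repeated '{parts[0]}' is ignored; sshd keeps the "
                            f"first value from line {first_seen[key]}")
        else:
            first_seen[key] = lineno
        if key in MUST_BE_NO and value.lower() != "no":
            findings.append(f"line {lineno}: '{parts[0]} {value}' weakens the hardened profile")
    close_match()
    return findings


if __name__ == "__main__":
    for finding in lint_sshd_config(SAMPLE):
        print(finding)
```

Run it over a candidate file with `lint_sshd_config(open("/etc/ssh/sshd_config").read())` before `sshd -t`; the linter only explains what sshd would reject or ignore, it does not replace the daemon's own syntax check.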
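The "Hardening login" section points out that MaxAuthTries drops a connection after too many failures but never bans the address, and the AllowUsers/DenyUsers lists reject names before authentication even starts. Both leave a trail in the auth log that is worth watching. The script below, an added example and not part of the hiddenssh.com configuration, groups sshd messages by source address and reports sources that tripped MaxAuthTries or piled up rejections. Every log line is constructed (203.0.113.0/24 is TEST-NET-3; the fingerprint is a placeholder); the message shapes are the ones sshd writes at LogLevel INFO.

```python
"""Triage sshd log lines for brute-force and policy-denied logins.

Added example (not part of the hiddenssh.com configuration). MaxAuthTries makes
sshd drop a connection after too many failures but never blocks the address,
so the tell-tale is repetition in the auth log: this script groups sshd
messages by source address and reports sources that exceed a threshold or
tripped MaxAuthTries. All log lines below are constructed (203.0.113.0/24 is
TEST-NET-3); the message formats are the ones sshd writes at LogLevel INFO.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

SAMPLE_LOG = """\
Mar  3 09:12:01 node1 sshd[2101]: Invalid user admin from 203.0.113.5 port 51210
Mar  3 09:12:01 node1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51210 ssh2
Mar  3 09:12:03 node1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51210 ssh2
Mar  3 09:12:05 node1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51210 ssh2
Mar  3 09:12:07 node1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51210 ssh2
Mar  3 09:12:09 node1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51210 ssh2
Mar  3 09:12:09 node1 sshd[2101]: Disconnecting invalid user admin 203.0.113.5 port 51210: Too many authentication failures [preauth]
Mar  3 09:12:15 node1 sshd[2107]: User root from 203.0.113.5 not allowed because listed in DenyUsers
Mar  3 09:13:40 node1 sshd[2130]: Failed publickey for user1 from 192.168.0.10 port 40022 ssh2: ED25519 SHA256:constructed-fingerprint
Mar  3 09:13:41 node1 sshd[2130]: Accepted publickey for user1 from 192.168.0.10 port 40022 ssh2: ED25519 SHA256:constructed-fingerprint
Mar  3 09:14:02 node1 sshd[2142]: User user3 from 10.0.0.99 not allowed because not listed in AllowUsers
"""

# One pattern per sshd message type; each captures the user and the source address.
FAILED = re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID = re.compile(r"Invalid user (\S+) from (\S+) port \d+")
TOO_MANY = re.compile(r"Disconnecting (?:invalid user |authenticating user )?(\S+) (\S+) port \d+: "
                      r"Too many authentication failures")
DENIED = re.compile(r"User (\S+) from (\S+) not allowed because ")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")


@dataclass
class SourceStats:
    failures: int = 0           # "Failed <method> for ..." lines
    maxauth_trips: int = 0      # MaxAuthTries disconnects
    policy_denials: int = 0     # AllowUsers/DenyUsers/DenyGroups rejections
    accepted: int = 0
    usernames: Set[str] = field(default_factory=set)
    invalid_users: Set[str] = field(default_factory=set)  # names that do not exist locally


def analyze(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Group sshd messages by source address."""
    stats: Dict[str, SourceStats] = {}
    for line in lines:
        if "sshd[" not in line:
            continue
        for pattern, counter in ((FAILED, "failures"), (TOO_MANY, "maxauth_trips"),
                                 (DENIED, "policy_denials"), (ACCEPTED, "accepted"),
                                 (INVALID, None)):
            m = pattern.search(line)
            if not m:
                continue
            user, addr = m.group(1), m.group(2)
            s = stats.setdefault(addr, SourceStats())
            s.usernames.add(user)
            if counter is None:
                s.invalid_users.add(user)
            else:
                setattr(s, counter, getattr(s, counter) + 1)
            break   # one message matches exactly one pattern
    return stats


def suspicious(stats: Dict[str, SourceStats], threshold: int = 5) -> List[str]:
    """Sources that tripped MaxAuthTries or accumulated >= threshold rejections."""
    flagged = []
    for addr, s in stats.items():
        rejections = s.failures + len(s.invalid_users) + s.policy_denials
        if s.maxauth_trips or rejections >= threshold:
            flagged.append(addr)
    return sorted(flagged)


if __name__ == "__main__":
    stats = analyze(SAMPLE_LOG.splitlines())
    for addr in suspicious(stats):
        s = stats[addr]
        print(f"{addr}: {s.failures} failures, {s.policy_denials} policy denials, "
              f"{s.maxauth_trips} MaxAuthTries trips, users={sorted(s.usernames)}")
```

With this profile (keys only, UsePAM no) a scanner mostly produces "Invalid user" and "not allowed because" lines rather than password failures, which is why the score counts invalid names and policy denials alongside "Failed" lines; the rsync/journalctl source and the threshold are the site-specific parts.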