Single Node

sshd_config Single Node

sshd_config_single_node v1.21 is a hardened OpenSSH configuration optimized for standalone servers.
It prioritizes strong cryptography, disables risky features like root login, agent forwarding, and password auth, and is tuned for performance and clarity.
Ideal for setups requiring strict SSH policies without centralized authentication tools.


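#########################################################
# https://hiddenssh.com                                 #
#                                                       #
# sshd_config_single_node                               #
# Version 1.21                                          #
#########################################################
# Hardened sshd_config for a standalone host: public-key login only, no root,
# no forwarding, a single modern host key and cipher suite.
# Validate before (re)loading:  sshd -t -f /path/to/this/file
# sshd keeps the FIRST value it reads for a keyword; a directive repeated
# further down (or set in an earlier Include) is silently ignored.
#
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change (replace #PORTNUMBER with the new port):
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
# OpenSSH 7.4 and later speak protocol 2 only and treat this keyword as
# deprecated (a warning is logged, the line is otherwise ignored).
Protocol 2
# Moving off port 22 hides nothing from a port scan; keep 22 and rate-limit
# failed logins with fail2ban (or equivalent) instead.
Port 22
# Use inet for IPv4, inet6 for IPv6, or any for all.
AddressFamily inet
# PLACEHOLDERS: replace the trailing "x" with this host's real addresses.
# "10.0.0.x" is not a valid address and sshd will refuse to start until these
# two lines are edited. Without any ListenAddress sshd binds every address of
# the selected AddressFamily.
ListenAddress 10.0.0.x
ListenAddress 192.168.0.x
PermitTTY yes

# Encryption
# ----------
# "sshd -T | grep -iE 'ciphers|macs|kexalgorithms'" shows what sshd will
# actually offer with this configuration.
# aes256-cbc uses AES in cipher-block chaining (CBC) mode, which can be vulnerable to certain attacks if not used correctly.
# aes256-gcm@openssh.com uses AES in Galois/Counter Mode (GCM), which provides both encryption and authentication,
# making it resistant to certain types of attacks. However, it may not be as widely supported as other ciphers.
# twofish256-ctr is NOT an OpenSSH cipher at all (sshd rejects it in Ciphers); it
# exists only in some third-party SSH implementations.
# The main advantage of chacha20-poly1305@openssh.com is its performance.
# The ChaCha20 stream cipher is generally faster than AES, especially on systems without hardware support for AES-NI instructions.
# Check for hardware AES support with:  grep -m1 -E 'flags|Features' /proc/cpuinfo
# and look for "aes": x86 CPUs expose it as AES-NI, ARMv8 and later as the
# Cryptography Extensions. Without it, chacha20-poly1305@openssh.com is usually the
# faster choice and is a sound addition to the list below.
Ciphers aes256-ctr,aes256-gcm@openssh.com
# Encrypt-then-MAC (-etm) variants authenticate the ciphertext; hmac-sha2-512-etm@openssh.com
# is the strongest single choice. Connections that negotiate aes256-gcm@openssh.com
# do not use a separate MAC at all (the AEAD cipher carries its own authentication).
MACs hmac-sha2-512-etm@openssh.com
# NIST P-curves are possibly backdoored by the U.S. National Security Agency.
# ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521 are therefore left out.
# curve25519-sha256 (OpenSSH 7.4+) is the standardised name of exactly the same
# exchange as curve25519-sha256@libssh.org; listing both lets clients that only
# know one spelling connect.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
# RSA host key: only needed for very old clients. The weak part is the ssh-rsa
# (SHA-1) signature scheme, not RSA itself; modern OpenSSH signs RSA host keys
# with rsa-sha2-512 and disables ssh-rsa by default (8.8+). Kept off here so the
# server presents a single, modern key.
#HostKey /etc/ssh/ssh_host_rsa_key
# ECDSA uses the NIST curves excluded from KexAlgorithms above.
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Ed25519: the only host key this server presents. Clients that have only the old
# RSA/ECDSA key in known_hosts will be prompted to accept the new key (or refuse,
# with StrictHostKeyChecking yes).
HostKey /etc/ssh/ssh_host_ed25519_key
# Renamed HostbasedAcceptedAlgorithms in OpenSSH 8.5; the old spelling is still
# accepted. Only relevant if HostbasedAuthentication is turned on below.
HostbasedAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
# Renegotiate session keys after 4 GB of data or 1 hour, whichever comes first.
RekeyLimit 4G 1h

# Logging
# -------
# Exactly one SyslogFacility: sshd keeps the first value it reads, so a second
# line would be ignored. AUTH is used here; AUTHPRIV is the alternative, which on
# many Linux syslog setups is routed to a restricted log file. Whichever you
# choose, point fail2ban at the matching log.
SyslogFacility AUTH
# INFO records accepted and failed logins. VERBOSE adds more detail per login;
# DEBUG levels expose user privacy and are not recommended in production.
LogLevel INFO

# Hardening login
# ---------------
# How long an unauthenticated connection may stay open before sshd drops it.
LoginGraceTime 5m
# Refuse to use ~/.ssh files (or a home directory) writable by group or others.
StrictModes yes
# MaxAuthTries limits the number of authentication attempts that can be made for a single connection.
# By setting a low value for MaxAuthTries, you can discourage attackers from attempting to brute force passwords.
# Note that every public key the client offers and the server rejects also counts
# as an attempt, so users with many keys in their agent can hit this limit; they
# should use IdentitiesOnly on the client side.
# When the maximum number of authentication attempts specified in MaxAuthTries is reached, the SSH server will disconnect the client.
# This means that the session will be terminated, but the IP address is not automatically banned (use fail2ban for that).
MaxAuthTries 5
# Maximum multiplexed sessions per network connection.
MaxSessions 5
# start:rate:full — refuse a random 30% of NEW unauthenticated connections once
# 10 are pending, rising linearly to 100% at 100 pending connections.
MaxStartups 10:30:100
# NEVER use root for login, or empty passwords
PermitRootLogin no
# DenyUsers/DenyGroups are evaluated before any credential is checked; keep the
# lists in step with the local accounts on this host.
DenyUsers root guest
DenyGroups root
PermitEmptyPasswords no
# Deprecated alias of KbdInteractiveAuthentication (OpenSSH 8.7+), still accepted.
# If you are using public key authentication and have PasswordAuthentication set to "no",
# then enabling ChallengeResponseAuthentication may not provide any significant security benefits.
ChallengeResponseAuthentication no
# UseDNS does NOT protect against IP spoofing. It makes sshd reverse-resolve the
# client address and check the forward mapping, which is only needed for hostname
# patterns in AllowUsers/Match/from= and for host-based authentication. It adds a
# DNS round-trip (and, with slow DNS, a noticeable delay) to every connection;
# with none of those features in use, "no" is the pragmatic choice.
UseDNS yes

# Print Information
# -----------------
PrintMotd yes
# Shown BEFORE authentication, to everyone who connects: keep it free of
# version, hostname or contact details that help an attacker profile the host.
Banner /etc/ssh/login.txt
PrintLastLog yes

# Global settings
# ---------------
TCPKeepAlive yes
# With this option set to "yes", users can set arbitrary environment variables that can potentially override system settings
# and be used to launch malicious programs or perform unauthorized actions.
# This can be especially dangerous if the user connecting via SSH has administrative privileges on the system.
PermitUserEnvironment no
# "delayed" is an alias for "yes" since OpenSSH 7.4: compression is only ever
# enabled after authentication now.
Compression delayed
# 0 disables server-side keepalive probes, so ClientAliveCountMax below has no
# effect and dead connections linger until TCP gives up. Set an interval (e.g. 300)
# to have sshd drop clients that miss 5 consecutive probes.
ClientAliveInterval 0
ClientAliveCountMax 5
PidFile /var/run/sshd.pid
# ChrootDirectory applies to EVERY session type after authentication — shell, exec,
# scp and sftp alike — not just SFTP. A chroot used for shells or scp must contain
# the binaries and libraries the session needs; only "ForceCommand internal-sftp"
# works inside an empty chroot. The directory and all its parents must be owned by
# root and not writable by group or others. "none" (the default) disables it.
ChrootDirectory none
# Appended to the version string sent to every client before authentication, e.g.
# SSH-2.0-OpenSSH_7.9p1 HiddenSSH-single-node. Every scanner sees this value, so
# do not put anything sensitive in it.
VersionAddendum HiddenSSH-single-node
AllowAgentForwarding no
AllowTcpForwarding no
# Tunnels
# The GatewayPorts option controls whether remote hosts are allowed to connect to ports forwarded
# by clients. With "no" (the default) only the local machine can connect to a forwarded port;
# with "yes" remote hosts may connect as well. Leaving it at "no" helps prevent unauthorized
# access to local network services through the tunnel (moot while AllowTcpForwarding is "no").
PermitTunnel no
GatewayPorts no
# X11
# X11Forwarding no makes X11UseLocalhost irrelevant today; it is kept at the
# secure default ("yes") so that enabling forwarding later does not expose the
# X11 proxy display on all interfaces.
X11Forwarding no
X11UseLocalhost yes

# Public Keyfile settings
# -----------------------
PubkeyAuthentication yes
# Paths are relative to the user's home directory. Several files can be listed on
# one line, e.g.  AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys_backup
# To add a backup key correctly see, https://hiddenssh.com/#backup-keys
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
# Defaults, shown for completeness.
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# WARNING !!
# PAM handles more than passwords. With UsePAM no, sshd skips the PAM account and
# session stacks entirely, so anything enforced through PAM on this host —
# pam_access, pam_faillock, pam_limits, login-session registration, PAM-based
# second factors — is bypassed for key logins. Some distributions (the Red Hat
# family, for example) ship sshd_config stating that UsePAM no is unsupported.
# Keep "no" only if nothing on this host relies on PAM; otherwise UsePAM yes
# together with PasswordAuthentication no is the safer combination.
# Using public/private keys is a much more secure way of accessing your system than relying on passwords.
UsePAM no

# Host based authentication
# -------------------------
# Host-based authentication trusts the CLIENT MACHINE, not the user: the client
# host signs the request with its host key, which sshd verifies against
# /etc/ssh/ssh_known_hosts (and ~/.ssh/known_hosts, unless IgnoreUserKnownHosts is
# yes), then /etc/hosts.equiv, /etc/shosts.equiv and — unless IgnoreRhosts — the
# user's ~/.rhosts and ~/.shosts decide which remote users may log in. No user
# credential is involved, so it is only as strong as the least secure trusted host.
# Leave it off unless every trusted host is protected at least as well as this one.
HostbasedAuthentication no
# yes: ~/.ssh/known_hosts is not trusted for HostbasedAuthentication, so users cannot
# vouch for client hosts by editing their own known_hosts file; only the
# administrator-controlled /etc/ssh/ssh_known_hosts counts. This is a server-side
# setting and has nothing to do with how the client verifies this server.
IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files: they are user-controlled
# trust lists for host-based authentication.
IgnoreRhosts yes

# Large Scale Infrastructure
# --------------------------
# Kerberos / GSSAPI when managing multiple OpenSSH boxes at the same time.
# All commented out. GSSAPIKeyExchange, GSSAPIEnablek5users and KerberosUseKuserok
# exist only in distribution-patched builds; stock OpenSSH rejects unknown keywords
# and will not start, so uncomment them only on a build that documents them.
#KerberosAuthentication no
#KerberosOrLocalPasswd no
#KerberosTicketCleanup no
#KerberosUseKuserok no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck no
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Accept locale-related environment variables
# -------------------------------------------
# Multiple AcceptEnv lines accumulate. Keep this list to locale variables:
# every accepted variable is client-controlled input to the login process.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# File transfer
# -------------
# No sftp subsystem is configured, so sftp fails — and so does plain scp from
# OpenSSH 9.0+ clients, which use the SFTP protocol for scp by default. The
# legacy scp protocol (scp -O) is the outdated one, not sftp. To allow file
# transfers, uncomment the line below; the binary path varies by distribution
# (/usr/libexec/openssh on the Red Hat family, /usr/lib/openssh on the Debian
# family), or use "Subsystem sftp internal-sftp", which works on any build.
#Subsystem sftp  /usr/libexec/openssh/sftp-server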

sshd_backup

Hardened SSHD backup config for single-node use. Enables debug logging, public key auth, strict access limits, and secure defaults throughout.


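#########################################################
# https://hiddenssh.com                                 #
#                                                       #
# sshd_backup                                           #
# version 1.0                                           #
#########################################################
# Recovery/debug configuration: password login is allowed and logging runs at
# DEBUG3. Run it only for the duration of a troubleshooting session, then
# return to the hardened primary configuration.
# Check it first: sudo /usr/sbin/sshd -t -f /etc/ssh/sshd_config.backup
# Load file with sudo /usr/sbin/sshd -f /etc/ssh/sshd_config.backup

# Include additional configuration files if present (OpenSSH 8.2+).
# sshd keeps the FIRST value it reads for each keyword, so any setting in a
# drop-in file overrides the same keyword below. If this file is meant to be a
# self-contained fallback, comment the Include out.
Include /etc/ssh/sshd_config.d/*.conf

# Daemon
PidFile /var/run/sshd.pid

# Networking/Listen
# Listens on every address bound to this host, IPv4 and IPv6.
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Host keys
# All three key types are offered so that any client can connect during
# recovery, unlike the primary config, which presents only Ed25519.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
# Built-in rekey thresholds: cipher-dependent data limit, no time limit.
RekeyLimit default none

# Logging
SyslogFacility AUTH
# DEBUG, DEBUG1 (same as DEBUG), DEBUG2 and DEBUG3 increase verbosity in that order.
# The sshd_config manual warns that DEBUG levels violate users' privacy and are
# not recommended for normal use; DEBUG3 also writes a large amount of data per
# connection. Drop back to INFO or VERBOSE as soon as the problem is understood.
LogLevel DEBUG3

# Authentication
# Password login is ON here (recovery mode), so brute-force exposure is real:
# keep this daemon running only as long as needed, ideally with a firewall rule
# restricting source addresses. With UsePAM yes, PAM's password, account and
# session stacks all apply.
PasswordAuthentication yes
UsePAM yes
# Deprecated alias of KbdInteractiveAuthentication (OpenSSH 8.7+), still accepted.
ChallengeResponseAuthentication no
# Never put this to yes! Not even in debug mode.
PermitEmptyPasswords no

# Login Hardening
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
# 20 is generous because every public key a client offers counts as an attempt,
# which helps when debugging key problems — but it also gives password guesses
# 20 tries per connection. Lower it (the OpenSSH default is 6) once key
# authentication works again.
MaxAuthTries 20
MaxSessions 10
# MaxStartups start:rate:full (random early drop of unauthenticated connections)
# start: number of pending unauthenticated connections at which sshd begins to
#        refuse NEW connection attempts.
# rate:  percentage of new attempts refused once "start" is reached; the
#        probability rises linearly from rate% at "start" to 100% at "full".
# full:  pending unauthenticated connections at which every new attempt is refused.
# Here: refuse 10% of new attempts at 5 pending connections, refuse all at 30.
MaxStartups 5:10:30

# Connection Hardening
PermitTTY yes
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
TCPKeepAlive yes
PermitUserEnvironment no
# "delayed" is an alias for "yes" since OpenSSH 7.4 (compression only after authentication).
Compression delayed

# Version Info
VersionAddendum HiddenSSH-single-node-backup
PrintMotd yes
PrintLastLog yes

# Public Keys
PubkeyAuthentication yes
# Paths are relative to the user's home; at least one of the listed files must
# exist in $HOME/.ssh/ and the files are consulted in the order given.
# StrictModes (above) refuses a key file, ~/.ssh or the home directory if it is
# writable by group or others. 644 works; 600 is the usual, stricter choice:
#   chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 .ssh/authorized_backup .ssh/authorized_backups
# Host-based authentication would additionally need the client host keys in
# /etc/ssh/ssh_known_hosts; it is left off.
HostbasedAuthentication no
# Explicit defaults.
AuthorizedPrincipalsFile none
AuthorizedKeysCommand none
AuthorizedKeysCommandUser nobody
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication (has no effect while that is "no").
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Infrastructure Settings (Optional)
# Kerberos options
# GSSAPI options
# X11Forwarding no
# ClientAliveInterval 0 (the default) disables server-side keepalive probes, so
# ClientAliveCountMax has no effect; set an interval to reap dead sessions.
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no

# Subsystem configuration
# Debian-family path; Red Hat-family builds install /usr/libexec/openssh/sftp-server
# (as the primary config assumes). "internal-sftp" works on any build.
# OpenSSH 9.0+ clients also use this subsystem for scp.
Subsystem sftp /usr/lib/openssh/sftp-server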