Port 22777 ListenAddress 0.0.0.0 #ListenAddress :: # only listen to IPv4 AddressFamily inet # only listen to IPv6 #AddressFamily inet6 AllowAgentForwarding no # prevent TCP ports from being forwarded over SSH tunnels # **please be aware that disabling TCP forwarding does not prevent port forwarding** # any user with an interactive login shell can spin up his/her own instance of sshd AllowTcpForwarding no # prevent StreamLocal (Unix-domain socket) forwarding AllowStreamLocalForwarding no # disables all forwarding features # overrides all other forwarding switches DisableForwarding yes # disallow remote hosts from connecting to forwarded ports # i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0 GatewayPorts no # prevent tun device forwarding PermitTunnel no # suppress MOTD PrintMotd no # disable X11 forwarding since it is not necessary X11Forwarding no ########## Authentication ########## # permit only the specified users to login #AllowUsers k4yt3x # permit only users within the specified groups to login #AllowGroups k4yt3x # uncomment the following options to permit only pubkey authentication # be aware that this will disable password authentication # - AuthenticationMethods: permitted authentication methods # - PasswordAuthentication: set to no to disable password authentication # - UsePAM: set to no to disable all PAM authentication, also disables PasswordAuthentication when set to no #AuthenticationMethods publickey PasswordAuthentication yes #UsePAM no # PAM authentication enabled to make password authentication available # remove this if password authentication is not needed UsePAM yes ChallengeResponseAuthentication no MaxAuthTries 351 PermitEmptyPasswords no PermitRootLogin yes PubkeyAuthentication yes ## # explicitly define cryptography algorithms to avoid the use of weak algorithms Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519 MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com ### short moduli should be deactivated before enabling the use of diffie-hellman-group-exchange-sha256 ### see this link for more details: https://github.com/k4yt3x/sshd_config#deactivating-short-diffie-hellman-moduli ## #KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 ########## Connection Preferences ########## # number of client alive messages sent without client responding ClientAliveCountMax 2 # send a keepalive message to the client when the session has been idle for 300 seconds # this prevents/detects connection timeouts ClientAliveInterval 300 # compression before encryption might cause security issues Compression no # prevent SSH trust relationships from allowing lateral movements IgnoreRhosts yes # log verbosely for addtional information #LogLevel VERBOSE # allow a maximum of two multiplexed sessions over a single TCP connection MaxSessions 4 # enforce SSH server to only use SSH protocol version 2 # SSHv1 contains security issues and should be avoided at all costs # SSHv1 is disabled by default after OpenSSH 7.0, but this option is # specified anyways to ensure this configuration file's compatibility # with older versions of OpenSSH server Protocol 2 ## Subsystem sftp /usr/lib/openssh/sftp-server ## Subsystem sftp /usr/libexec/openssh/sftp-server Subsystem sftp internal-sftp TCPKeepAlive yes UseDNS no