While the SSH daemon is pretty secure by default, I usually use a custom setup. In this article you will find the most important options.
Configuration options to secure the SSH daemon
The SSH daemon configuration is stored in /etc/ssh/sshd_config. To secure SSH even more, use the following options:
Protocol 2
This restricts the daemon to the more secure SSH2 protocol version.
AllowUsers user001 user002
Only the listed user accounts are allowed to log in via SSH.
Ciphers blowfish-cbc,aes256-cbc,aes256-ctr
SSH supports many cryptographic ciphers but I prefer to use only the most secure ones.
PasswordAuthentication no
Do not allow regular password-based authentication; use asymmetric challenge-response (public key) authentication instead.
PermitRootLogin no
Never allow root to log in to your machines directly!
AllowTcpForwarding no
X11Forwarding no
Disable TCP port and X11 forwarding on machines that do not need them.
StrictModes yes
Use strict mode so that the SSH daemon checks the file permissions and ownership of important configuration files.
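To check an existing sshd_config against the options listed above, the following added example (not part of the original article) parses the file text the way sshd reads it: keywords are case-insensitive, the first value for a repeated keyword wins, and anything after a Match line is conditional. The function names, the finding messages and the sample input are assumptions made for this example.

```python
# Added example: audit sshd_config text against the options listed above.
EXPECTED = {"protocol": "2", "passwordauthentication": "no",
            "permitrootlogin": "no", "allowtcpforwarding": "no",
            "x11forwarding": "no", "strictmodes": "yes"}
REQUIRED = ("allowusers", "ciphers")  # site-specific: only presence is checked

def parse(text):
    """Return (global settings, keywords in Match blocks); first value wins."""
    settings, in_match, match_keywords = {}, False, set()
    for raw in text.splitlines():
        keyword, value = (raw.split(None, 1) + ["", ""])[:2]
        if not keyword or keyword.startswith("#"):
            continue
        keyword = keyword.lower()
        if keyword == "match":
            in_match = True  # everything below is conditional
        elif in_match:
            match_keywords.add(keyword)
        else:
            settings.setdefault(keyword, value.strip())
    return settings, match_keywords

def audit(text):
    """Return sorted findings; an empty list means no deviation was found."""
    settings, match_keywords = parse(text)
    findings = []
    for keyword, want in EXPECTED.items():
        got = settings.get(keyword)
        if got is None:
            findings.append(f"{keyword}: not set, built-in default applies")
        elif got != want:
            findings.append(f"{keyword}: is '{got}', expected '{want}'")
        if keyword in match_keywords:
            findings.append(f"{keyword}: also set in a Match block, review it")
    findings += [f"{k}: not set" for k in REQUIRED if k not in settings]
    return sorted(findings)

# Constructed sample input, not taken from a real host.
SAMPLE = """Protocol 2
AllowUsers user001 user002
passwordauthentication no
PasswordAuthentication yes
PermitRootLogin yes
StrictModes yes
Match User user002
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

In the sample, the second PasswordAuthentication line is ignored because the first value wins, while the AllowTcpForwarding line inside the Match block is reported for review because it applies only to the matched user.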