This is a small tutorial for a secure SSH server. Although SSH servers are very secure, the default configuration is not always best practice.
Replace the file /etc/ssh/sshd_config with the content below:
:::ini
# Only protocol version 2; version 1 is obsolete and insecure
Protocol 2
AuthorizedKeysFile .ssh/authorized_keys
# Key-based authentication only: no password logins, no direct root login
PasswordAuthentication no
PermitRootLogin no
# No port forwarding or X11 forwarding unless a Match block allows it
AllowTcpForwarding no
X11Forwarding no
Subsystem sftp /usr/libexec/sftp-server
# Modern key exchange, host key, ciphers and MACs only
KexAlgorithms curve25519-sha256@libssh.org
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Only these accounts may log in; every other account is refused
AllowUsers yourusername anotherusername
This denies almost everything: plaintext password logins are forbidden, and only the listed users may log in. Together with allowing only elliptic-curve key exchange and a small set of modern ciphers, SSH scanners on the internet have a hard time, because most of them only offer old ciphers and MACs and the connection is never even negotiated. The AllowUsers option makes sure you don't grant a system user access by accident. If you want to give a user some more rights, add the options below and adapt them to your own needs. This example allows a user to log in and set up a port forward to the server's local port 80 without getting a shell.
:::ini
# Per-user exceptions: these settings apply only to yourusername
Match User yourusername
    # Allow forwarding, but only to port 80 on the server itself
    AllowTcpForwarding yes
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    AllowAgentForwarding no
    PermitOpen localhost:80
    # Run a command that only waits instead of the user's shell
    ForceCommand read -p "Press enter to exit"
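As an added check (example code, not part of the original tutorial), the POSIX shell script below audits an sshd_config file against the global settings above, reading it the way sshd does: comments are ignored, keywords are case-insensitive, the first occurrence of a keyword wins, and everything after the first `Match` line is conditional. The two sample config files it tests are constructed for the example.

```shell
# Added example: audit an sshd_config against the tutorial's global settings.
# audit_sshd_config returns 0 when everything matches, 1 otherwise.

# Print the global value of a keyword as sshd would read it: skip comments,
# compare keywords case-insensitively, first occurrence wins, stop at "Match".
sshd_opt() {   # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Compare the file against the tutorial's settings and print each deviation.
audit_sshd_config() {   # $1 = config file
    fails=0
    for pair in Protocol=2 PasswordAuthentication=no PermitRootLogin=no \
                AllowTcpForwarding=no X11Forwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_opt "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<unset>}'"
            fails=$((fails + 1))
        fi
    done
    # AllowUsers has no single expected value; it only has to be present.
    if [ -z "$(sshd_opt "$1" AllowUsers)" ]; then
        echo "AllowUsers: not set, any system account may log in"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample 1: the hardened config from the tutorial (abridged).
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Protocol 2
PasswordAuthentication no
PermitRootLogin no
AllowTcpForwarding no
X11Forwarding no
AllowUsers yourusername anotherusername
Match User yourusername
    AllowTcpForwarding yes
EOF
# Constructed sample 2: typical vendor defaults the tutorial warns about.
LAX_CFG=$(mktemp)
printf '#PasswordAuthentication yes\nPermitRootLogin yes\nX11Forwarding yes\n' > "$LAX_CFG"

audit_sshd_config "$HARDENED_CFG" && echo "hardened config: OK"
audit_sshd_config "$LAX_CFG" || echo "lax config: deviations found"
```

On a live system, point `audit_sshd_config` at /etc/ssh/sshd_config, or at the output of `sshd -T` to check the effective values after defaults are applied.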
After changing the configuration, restart your server. Preferably do this from the console, not over an SSH connection. Normally your existing connection stays alive across a restart, but you never know...
:::console
service sshd restart
You can generate a secure SSH key on your client (NOT on the server!!!) with the following command:
:::console
ssh-keygen -t ed25519
Your public key is in ~/.ssh/id_ed25519.pub. Copy its content to the file ~/.ssh/authorized_keys on your server. Now you can make an SSH connection to your secure SSH server.