Full hardened sshd_config
Everything from this track and Tracks 2–3 combined: a production-shaped /etc/ssh/sshd_config. Most of these directives already default sensibly in OpenSSH 10.x; this list is an explicit hardening pass on top of the defaults. Most servers only need a subset; flag what doesn't fit your setup and skip it.
~18 min · sshd-config, hardening, comprehensive
# Protocol & auth
PermitRootLogin no                 # never direct root
PasswordAuthentication no          # keys only
KbdInteractiveAuthentication no    # no password-style fallback (PAM TOTP prompts use keyboard-interactive; set yes if that is in use)
PubkeyAuthentication yes
MaxAuthTries 3                     # cap attempts per connection
MaxSessions 5                      # cap sessions per connection
LoginGraceTime 30                  # 30s to authenticate

# Restrict who can SSH in (whitelist)
AllowUsers you_username            # add other accounts as needed
# Or by group:
# AllowGroups ssh-users

# Disable unused features
X11Forwarding no                   # X11 = unnecessary attack surface
AllowTcpForwarding yes             # keep — Track 3 LocalForward needs it
GatewayPorts no                    # don't allow remote-bound RemoteForward
PermitEmptyPasswords no            # belt and braces
PermitUserEnvironment no
UsePAM yes                         # leave PAM on (TOTP relies on it)

# Logging
LogLevel VERBOSE                   # detailed auth log

# Client keepalive (server side mirrors ~/.ssh/config)
ClientAliveInterval 300
ClientAliveCountMax 2

# Cipher / KEX restriction (modern only)
# OpenSSH 10.x defaults are already strong; explicit is fine for paranoia
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Trust the CA (if using SSH certificates)
# TrustedUserCAKeys /etc/ssh/ca_key.pub

# CRITICAL — always before restarting sshd
sudo sshd -t

# Restart
sudo systemctl restart sshd
# macOS — toggle Remote Login off/on

# Verify what the running daemon actually parsed
# (sshd -T prints full lowercase directive names, so match on those)
sudo sshd -T | grep -E '(passwordauthentication|permitrootlogin|allowusers|maxauthtries)'

Make a copy of sshd_config, apply the hardened version above, and validate with sudo sshd -t. Keep an existing SSH session open as a lifeline. From a fresh terminal: confirm key login still works, confirm a non-whitelisted user can't SSH in (try a wrong username), and confirm ssh -o PreferredAuthentications=password is refused. Three checks; if all pass, the hardening is real.
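The `sshd -T` step above is the one place you learn what the daemon really parsed, and eyeballing a grep is easy to get wrong. The checker below is an added example, not part of this page or of OpenSSH: it parses `sshd -T` output and reports every directive that deviates from the hardened baseline above, including a missing AllowUsers/AllowGroups whitelist and any algorithm that appears in a list but is not in the baseline. The assumed usage is `sudo sshd -T | python3 check_sshd.py`; the two embedded samples are constructed, not real daemon output.

```python
"""Compare `sshd -T` output against the hardening baseline on this page.
Assumed usage: sudo sshd -T | python3 check_sshd.py   (exit 1 on any drift)
"""
import sys

# Baseline taken from the hardened sshd_config above. Keys are the lowercase
# names `sshd -T` prints; a set value means a comma-separated algorithm list.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "3",
    "maxsessions": "5",
    "logingracetime": "30",
    "x11forwarding": "no",
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permitemptypasswords": "no",
    "permituserenvironment": "no",
    "usepam": "yes",
    "loglevel": "verbose",
    "clientaliveinterval": "300",
    "clientalivecountmax": "2",
    "kexalgorithms": {"sntrup761x25519-sha512@openssh.com",
                      "curve25519-sha256", "curve25519-sha256@libssh.org"},
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
}


def parse_effective(text):
    """Parse `sshd -T` output into {directive: [value, ...]}.
    Repeating directives (allowusers, subsystem, ...) accumulate one entry
    per line; everything else ends up as a single-element list."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def check(conf, baseline=BASELINE):
    """Return a list of human-readable deviations from the baseline."""
    failures = []
    for key, want in baseline.items():
        if key not in conf:
            failures.append(f"{key}: not reported by sshd -T")
            continue
        got = conf[key][-1]
        if isinstance(want, set):
            have = set(got.split(","))
            extra, missing = have - want, want - have
            if extra or missing:
                failures.append(f"{key}: unexpected={sorted(extra)} "
                                f"missing={sorted(missing)}")
        elif got.lower() != want:
            failures.append(f"{key}: got {got!r}, want {want!r}")
    # The whitelist is only printed when set, so absence means no whitelist.
    if "allowusers" not in conf and "allowgroups" not in conf:
        failures.append("allowusers/allowgroups: no login whitelist configured")
    return failures


# Constructed sample of a daemon that drifted from the baseline: password
# auth re-enabled and a CBC cipher added. Not real sshd output.
SAMPLE_DRIFTED = """\
port 22
permitrootlogin no
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
maxauthtries 3
maxsessions 5
logingracetime 30
x11forwarding no
allowtcpforwarding yes
gatewayports no
permitemptypasswords no
permituserenvironment no
usepam yes
loglevel VERBOSE
clientaliveinterval 300
clientalivecountmax 2
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes128-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
allowusers you_username
subsystem sftp /usr/lib/openssh/sftp-server
"""

# Same constructed sample with both drifts corrected; check() returns [].
SAMPLE_HARDENED = SAMPLE_DRIFTED.replace(
    "passwordauthentication yes", "passwordauthentication no").replace(",aes128-cbc", "")


if __name__ == "__main__":
    problems = check(parse_effective(sys.stdin.read()))
    for p in problems:
        print("FAIL", p)
    print("OK: effective config matches baseline" if not problems
          else f"{len(problems)} deviation(s)")
    sys.exit(1 if problems else 0)
```

Algorithm lists are compared as sets so a reordered preference list does not fail, but anything not in the baseline (the sample's aes128-cbc) does; a missing directive is reported rather than silently passed, since `sshd -T` always prints the ones it knows.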