Hardening SSH
TL;DR
# Before changing anything
# make a backup of your current config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Check your current config
sudo sshd -T
# Edit sshd_config to update configuration
sudo nano /etc/ssh/sshd_config
sshd config changes
Note: every option already exists in the file, but might be commented out. To apply a setting, uncomment the line and change the value.
# Number of seconds allowed for completing authentication before sshd drops the connection
LoginGraceTime 20
# Limit failed authentication attempts to 3 per connection before cutting the connection
MaxAuthTries 3
# Blocks any account that is using an empty/blank password from authenticating
PermitEmptyPasswords no
# If not using the following auth methods, just disable them
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# Features that aren't commonly used
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
# Block root from logging in. Helps against brute force attacks
PermitRootLogin no
# Do not show a pre-login banner file (the SSH protocol version string is still sent to clients)
Banner none
# Explicitly define which users can log in, and block access to anyone else (e.g. any guest users you might have forgotten to disable)
# This needs to be ADDED at the bottom of the file as it doesn't already exist
AllowUsers <the username you use for doing things over ssh>
Test and apply changes
sudo sshd -t
sudo systemctl reload sshd.service
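One way to check the result against the values above, as an added example that is not part of the original page: the script reads `sshd -T` output on stdin and reports each setting that deviates. The function names and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit `sshd -T` output against the
# values above. ChallengeResponseAuthentication is left out because the key name
# `sshd -T` prints for it varies between OpenSSH versions.

audit_sshd() {
  # stdin: effective config as printed by `sshd -T` (lowercase key, then value).
  # stdout: one line per deviation. Exit status: 0 if compliant, 1 otherwise.
  awk '
    BEGIN {
      s = "logingracetime=20 maxauthtries=3 permitemptypasswords=no"
      s = s " kerberosauthentication=no gssapiauthentication=no"
      s = s " allowagentforwarding=no allowtcpforwarding=no"
      s = s " permittunnel=no permitrootlogin=no banner=none"
      n = split(s, pairs, " ")
    }
    { key = tolower($1); $1 = ""; sub(/^ +/, ""); have[key] = $0 }
    END {
      for (i = 1; i <= n; i++) {
        split(pairs[i], kv, "=")
        if (!(kv[1] in have)) { print "MISSING " kv[1]; bad = 1 }
        else if (have[kv[1]] != kv[2]) {
          printf "MISMATCH %s: got %s, want %s\n", kv[1], have[kv[1]], kv[2]
          bad = 1
        }
      }
      # AllowUsers is only printed when set, so its absence means no allow-list.
      if (!("allowusers" in have)) { print "MISSING allowusers"; bad = 1 }
      exit bad + 0
    }'
}

# Constructed sample of `sshd -T` output (not captured from a real host).
sample_sshd_T() {
  cat <<'EOF'
logingracetime 120
maxauthtries 3
permitemptypasswords no
kerberosauthentication no
gssapiauthentication no
allowagentforwarding no
allowtcpforwarding yes
permittunnel no
permitrootlogin without-password
banner none
EOF
}

# Demo on the sample; on a real host run: sudo sshd -T | audit_sshd
sample_sshd_T | audit_sshd || true
```

Running the audit after `sudo systemctl reload sshd.service` confirms what sshd actually loaded rather than what the file appears to say.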