Harden SSH on OpenBSD 7.5

Step 1 – Back up the default config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Step 2 – Key settings in /etc/ssh/sshd_config

# Change default port (optional; cuts scanner noise in the logs, it is not an
# authentication control). If /etc/pf.conf is not the default "pass" policy,
# allow the new port before restarting sshd.
Port 2222

# Disable root login (log in as a normal user and use doas)
PermitRootLogin no

# Allow key-based auth only. KbdInteractiveAuthentication is the current
# keyword; ChallengeResponseAuthentication is still accepted as an alias.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes

# Only allow specific users
AllowUsers deploy alice

# "Protocol 2" is no longer needed: SSH-1 was removed in OpenSSH 7.4 and
# sshd only logs that the keyword is deprecated.

# Drop unresponsive clients after 10 min (2 unanswered probes, 300 s apart).
# Do not use ClientAliveCountMax 0: since OpenSSH 8.2 that disables the check
# entirely. This detects dead connections; a client that is connected but
# idle at a shell still answers the probes and is not logged out.
ClientAliveInterval 300
ClientAliveCountMax 2

# Disable X11 forwarding if not needed
X11Forwarding no

# Disable empty passwords
PermitEmptyPasswords no

# Use modern ciphers/MACs (AEAD ciphers, encrypt-then-MAC, no CBC or SHA-1).
# OpenBSD 7.5 ships OpenSSH 9.7, whose default KEX list already starts with
# the post-quantum hybrid sntrup761x25519; keep it when pinning a list.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org

# Log level (VERBOSE records the fingerprint of the key used for each login)
LogLevel VERBOSE

# Limit login grace period
LoginGraceTime 30

# Max auth attempts per connection, max sessions per connection
MaxAuthTries 3
MaxSessions 5

Step 3 – Test and restart

sshd -t checks the file for syntax errors; rcctl restart sshd restarts only the listener, so sessions already open survive. Keep your current session open and confirm a fresh login works before closing it. If PasswordAuthentication no is in the file, the key from Step 4 must already be in ~/.ssh/authorized_keys on the server, or the new login will be refused.

sshd -t && rcctl restart sshd

sshd -T (as root) prints the effective configuration after parsing, which is the quickest way to confirm the settings actually took.

Step 4 – Set up key-based authentication

On your local machine, while password authentication on the server still works (replace server with your host's name or address; ssh-copy-id is a contributed script and is not in the OpenBSD base system, so on hosts without it append the .pub file to ~/.ssh/authorized_keys on the server by hand):

ssh-keygen -t ed25519 -C "user@hostname"
ssh-copy-id -p 2222 deploy@server

Then confirm the key is what gets you in, for example with ssh -p 2222 -o PasswordAuthentication=no deploy@server, before switching PasswordAuthentication off and restarting sshd.

Step 5 – Fail2Ban (brute-force protection)

See Install Fail2Ban on OpenBSD 7.5.
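OpenBSD also has a native answer to the same problem, given here as an added example that is not from the original page or the Fail2Ban article: a pf overload table that blocks sources opening too many connections to the SSH port. It assumes the port 2222 chosen in Step 2 and the default pf.conf "pass" policy; the table name ssh_bruteforce is arbitrary.

```conf
# /etc/pf.conf fragment. A source that opens more than 5 new TCP connections
# to port 2222 within 60 s is added to <ssh_bruteforce>; "flush global" also
# tears down that source's existing states. The block rule must come before
# the pass rule and use "quick" so a listed source never matches the pass.
table <ssh_bruteforce> persist
block in quick on egress from <ssh_bruteforce>
pass in on egress proto tcp to port 2222 \
    keep state (max-src-conn-rate 5/60, overload <ssh_bruteforce> flush global)
```

Check the syntax with pfctl -nf /etc/pf.conf, load with pfctl -f /etc/pf.conf, and inspect the table with pfctl -t ssh_bruteforce -T show; entries stay until removed, so a cron job running pfctl -t ssh_bruteforce -T expire 86400 keeps the table from growing forever. Two caveats: pf counts connections, not failed logins, so a legitimate burst (parallel scp jobs, a deploy tool) from one address can trip it unless a pass quick rule for your admin networks comes first; and combined with MaxAuthTries 3 from Step 2 the rule bounds a single source to roughly 15 password guesses per minute before it is cut off, which is the point.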