Prompt #200

SSH Hardening with Match Groups
DevOps · ollama/qwen2.5-coder:7b
5/5
Variables
server, role
Tags
ssh,security,linux,hardening,sysadmin
Source
https://www.ssh.com/academy/ssh/sshd_config
Use count
0
Created
2026-05-01T18:34:49.745451+00:00
Updated
2026-05-01T18:34:49.745451+00:00

Content

You are a Linux security engineer. Harden SSH for: {{server}} ({{role}})

Write a complete /etc/ssh/sshd_config with:
- Protocol 2 only (the Protocol directive is deprecated and ignored on OpenSSH 7.6 and later, which removed protocol 1 entirely; include it only if the target runs an older release)
- PermitRootLogin no
- PasswordAuthentication no (keys only; also set KbdInteractiveAuthentication no so PAM cannot reintroduce password prompts)
- PubkeyAuthentication yes
- AllowGroups ssh-users admin-users sftp-only (list every group that a Match Group block targets: users outside AllowGroups are denied before any Match block applies)
- Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com (no CBC modes, no arcfour; use the full @openssh.com names, otherwise sshd rejects the config)
- MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com (encrypt-then-MAC variants only)
- KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521 (the @libssh.org name is the same exchange as advertised by older clients)
- MaxAuthTries 3, LoginGraceTime 30
- ClientAliveInterval 300, ClientAliveCountMax 2

Match block examples (Match blocks run to the next Match line or end of file, so keep all global directives above the first one):
- Match Group admin-users: AllowTcpForwarding yes, X11Forwarding yes (set both to no globally so only this group gets them)
- Match Group sftp-only: ForceCommand internal-sftp, ChrootDirectory /data/sftp (the chroot must be owned by root and not group- or world-writable, or sshd refuses the login; give users a writable subdirectory inside it)
- Match Address 192.168.0.0/16: relax what is allowed for legacy internal clients, but note that Ciphers, MACs and KexAlgorithms are negotiated before authentication and are not permitted inside a Match block (sshd rejects the config). Per-address relaxation is limited to directives such as PubkeyAcceptedAlgorithms or AuthenticationMethods; a weaker cipher for legacy clients has to go in the global list or on a separate sshd instance on another port.

Also: a fail2ban [sshd] jail for brute-force protection (backend = systemd on hosts that log to the journal rather than /var/log/auth.log, and a maxretry that matches MaxAuthTries) + an audit trail of interactive sessions with pam_tty_audit in /etc/pam.d/sshd (do not enable password logging in it).
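The two mistakes that most often survive a review of a config like the one this prompt asks for are a Match Group whose group is missing from AllowGroups (its members are denied before the block is ever reached) and crypto directives placed inside a Match block (sshd refuses to start). The following linter, an added example that is not part of the prompt, of ssh.com's page, or of OpenSSH, parses a constructed sshd_config in the shape the prompt describes and flags both, alongside the baseline settings. The set of directives rejected inside Match and the baseline values are taken from sshd_config(5) and the prompt; the sample config text is constructed here. It does not replace `sshd -t` / `sshd -T -C user=...,addr=...` on the real host, which also validates what a text check cannot (chroot ownership, unknown keywords).

```python
"""Lint an sshd_config for the hardening baseline and Match-block pitfalls.

Added example, not code from the prompt page or from OpenSSH.
"""
import re
from typing import Dict, List, Tuple

# Directives sshd does not accept inside a Match block: they are negotiated
# or bound before authentication, so they can only be global (sshd_config(5)).
NOT_IN_MATCH = {"ciphers", "macs", "kexalgorithms", "hostkey", "port", "listenaddress"}

# Global baseline the prompt asks for, keyed by lower-cased directive name.
BASELINE = {
    "permitrootlogin": "no", "passwordauthentication": "no",
    "pubkeyauthentication": "yes", "maxauthtries": "3", "logingracetime": "30",
    "clientaliveinterval": "300", "clientalivecountmax": "2",
}

Block = Tuple[str, Dict[str, str]]  # (Match criteria, or "" for global; directives)


def parse(text: str) -> List[Block]:
    """Split a config into the global block followed by one block per Match line."""
    blocks: List[Block] = [("", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            blocks.append((value, {}))            # everything until the next Match
        else:
            blocks[-1][1][key] = value
    return blocks


def lint(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings: List[str] = []
    blocks = parse(text)
    glob = blocks[0][1]
    for key, want in BASELINE.items():
        if glob.get(key, "").lower() != want:
            findings.append(f"global {key} should be {want}, got {glob.get(key, '<unset>')}")
    for algo in glob.get("ciphers", "").split(","):
        if "cbc" in algo or "arcfour" in algo:
            findings.append(f"weak cipher {algo}")
    for mac in glob.get("macs", "").split(","):
        if mac and not mac.endswith("-etm@openssh.com"):
            findings.append(f"non-ETM MAC {mac}")
    # AllowGroups is matched before any Match block; wildcards are ignored here.
    allowed = set(glob.get("allowgroups", "").split())
    for criteria, directives in blocks[1:]:
        bad = sorted(set(directives) & NOT_IN_MATCH)
        if bad:
            findings.append(f"Match {criteria}: {', '.join(bad)} not permitted inside Match")
        words = criteria.split()
        for i, word in enumerate(words[:-1]):
            if word.lower() == "group":
                for group in words[i + 1].split(","):
                    if allowed and group not in allowed:
                        findings.append(f"Match Group {group}: not in AllowGroups, "
                                        "members are denied before this block applies")
    return findings


# Constructed sample: the prompt's baseline plus three Match blocks, two of
# which carry the mistakes described above on purpose.
DRAFT_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups ssh-users admin-users
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp521
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
AllowTcpForwarding no

Match Group admin-users
    AllowTcpForwarding yes
    X11Forwarding yes

Match Group sftp-only
    ForceCommand internal-sftp
    ChrootDirectory /data/sftp

Match Address 192.168.0.0/16
    Ciphers aes256-gcm@openssh.com,aes128-cbc
"""

# Fixes: add sftp-only to AllowGroups and drop the Match Address block, since a
# legacy cipher can only be allowed globally (or on a separate sshd instance).
HARDENED_CONFIG = (DRAFT_CONFIG.split("Match Address")[0]
                   .replace("AllowGroups ssh-users admin-users",
                            "AllowGroups ssh-users admin-users sftp-only"))

if __name__ == "__main__":
    for name, cfg in (("draft", DRAFT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {lint(cfg) or 'clean'}")
```

Running it reports two findings for the draft (sftp-only missing from AllowGroups, Ciphers inside Match Address) and none for the hardened variant. The parser keeps the first-Match-wins semantics only loosely: sshd applies every Match block whose criteria hold, in order, and honours only the first setting of each directive, so a full emulation is what `sshd -T -C` is for.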