This is a small tutorial for a hardened SSH server. Although OpenSSH itself is well hardened, its default configuration is not always best practice.
Back up /etc/ssh/sshd_config, then replace it with the content below (adjust the sftp-server path and the user names to your own system):
Protocol 2
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitRootLogin no
AllowTcpForwarding no
X11Forwarding no
Subsystem sftp /usr/libexec/sftp-server
# The algorithm names containing an "@" were mangled in this copy of the page.
# The values given for KexAlgorithms, Ciphers and MACs are the usual OpenSSH
# names and are an assumption; check them against "ssh -Q kex", "ssh -Q cipher"
# and "ssh -Q mac" on your own system before relying on them.
KexAlgorithms curve25519-sha256@libssh.org
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
AllowUsers yourusername anotherusername
This denies almost everything. In particular, password logins are forbidden (keys only), root cannot log in at all, and only the users named in AllowUsers may log in. Restricting the key exchange to Curve25519 and the ciphers and MACs to a short modern list also means that internet SSH scanners built around old algorithm sets cannot even complete the key exchange, let alone try a password. The same restriction can lock out your own older clients, so test from every client you need before you close your console session (ssh -vv shows which algorithms the two sides offer). AllowUsers makes sure a system account, or a user you created for some other purpose, cannot log in by accident. HostKey limits the server to its Ed25519 host key. Protocol 2 is ignored by OpenSSH 7.6 and later, which no longer speak protocol 1, but it does no harm. If you want to give one user more rights, append a Match block like the one below to the end of the file (every directive after a Match line belongs to that block until the next Match line, so Match blocks must come last) and adapt it to your needs. This example lets a user log in and forward a port to the server's local port 80 without getting a shell:
Match User yourusername
    AllowTcpForwarding yes
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    AllowAgentForwarding no
    PermitOpen localhost:80
    ForceCommand read -p "Press enter to exit"

The user then connects with something like ssh -N -L 8080:localhost:80 yourusername@server and reaches the server's port 80 via local port 8080; -N requests no session at all, and PermitOpen rejects forwards to any other destination. Without -N the user gets the ForceCommand instead of a shell: read waits for Enter and the session ends. ForceCommand is executed through the user's login shell, so make sure that shell's read builtin accepts these arguments (bash does).
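To see which directives actually apply to a given user once Match blocks are involved, here is a small evaluator, added as an example and not part of the original tutorial. It applies OpenSSH's precedence rules (in the global section the first value given for a keyword wins; a keyword set in a matching Match block overrides the global value, and among several matching blocks the earliest one that sets it wins) to a constructed copy of the configuration above. Only Match User and Match all criteria are handled, AllowUsers patterns of the form user@host are not, and keywords that accumulate in sshd (AcceptEnv and friends) are treated like any other keyword. On a real host the authoritative answer is sshd -T -C user=yourusername.

```python
"""Evaluate which sshd_config directives apply to a given user.

Added example, not code from the original tutorial. Rules mirrored:
in the global section the first value for a keyword wins; a keyword set
in a matching Match block overrides the global value, and the earliest
matching block takes precedence. Only "Match User ..." and "Match all"
are understood, and the "Keyword=value" spelling is not parsed.
"""
import fnmatch

# Constructed from the tutorial's directives; the second Match block is
# there only to show that a later block cannot override an earlier one.
SAMPLE_CONFIG = """\
Protocol 2
PasswordAuthentication no
PermitRootLogin no
AllowTcpForwarding no
X11Forwarding no
AllowUsers yourusername anotherusername

Match User yourusername
    AllowTcpForwarding yes
    PermitOpen localhost:80
    ForceCommand read -p "Press enter to exit"

Match User yourusername
    AllowTcpForwarding no
"""


def parse(text):
    """Return (global_directives, match_blocks).

    global_directives is a list of (keyword, value) in file order;
    match_blocks is a list of (criteria_tokens, [(keyword, value), ...]).
    Keywords are lower-cased because sshd treats them case-insensitively.
    """
    global_directives, match_blocks = [], []
    current = None  # directive list of the Match block being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = []
            match_blocks.append((value.split(), current))
        elif current is None:
            global_directives.append((keyword, value))
        else:
            current.append((keyword, value))
    return global_directives, match_blocks


def pattern_list_matches(value, pattern_list):
    """sshd-style pattern list: comma separated, '*' and '?' wildcards,
    a leading '!' negates a pattern and a negated match rejects outright."""
    matched = False
    for pattern in pattern_list.split(","):
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(value, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(value, pattern):
            matched = True
    return matched


def block_matches(criteria, user):
    """Evaluate a Match line's criteria (User and all only) for *user*."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    if not criteria or len(criteria) % 2:
        raise ValueError("malformed Match line: " + " ".join(criteria))
    for name, patterns in zip(criteria[::2], criteria[1::2]):
        if name.lower() != "user":
            raise ValueError("unsupported Match criterion: " + name)
        if not pattern_list_matches(user, patterns):
            return False
    return True


def effective_settings(text, user):
    """Return {keyword: value} as sshd would apply it to *user*."""
    global_directives, match_blocks = parse(text)
    effective = {}
    # Matching blocks first, in file order; setdefault keeps the earliest.
    for criteria, directives in match_blocks:
        if block_matches(criteria, user):
            for keyword, value in directives:
                effective.setdefault(keyword, value)
    # Then the global section; it never overrides what a Match block set.
    for keyword, value in global_directives:
        effective.setdefault(keyword, value)
    return effective


def login_allowed(text, user):
    """Apply AllowUsers (space separated patterns) and PermitRootLogin."""
    settings = effective_settings(text, user)
    allow = settings.get("allowusers")
    if allow is not None and not any(
        fnmatch.fnmatchcase(user, pattern) for pattern in allow.split()
    ):
        return False
    if user == "root" and settings.get("permitrootlogin") == "no":
        return False
    return True
```

Running effective_settings(SAMPLE_CONFIG, "yourusername") reports AllowTcpForwarding yes and the PermitOpen and ForceCommand values from the first Match block, while "anotherusername" keeps the global AllowTcpForwarding no; login_allowed rejects root and any account not listed in AllowUsers.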
After changing the configuration, validate it with sshd -t (it prints nothing when the file is valid) and then restart sshd. Do this from the console, not over an SSH connection: existing sessions normally survive a restart, but if the new file has a mistake the daemon will not come back and you lose remote access.
service sshd restart
Generate a key pair on your client (NOT on the server: the private key must never leave the machine you log in from) with the following command, and give it a non-empty passphrase when asked:
ssh-keygen -t ed25519
Your public key is in ~/.ssh/id_ed25519.pub. Append its single line to ~/.ssh/authorized_keys in the target user's home directory on the server (the path AuthorizedKeysFile above points to). Make sure ~/.ssh is mode 700 and authorized_keys mode 600, both owned by that user, otherwise sshd ignores the file under its default StrictModes setting. Do this while you can still log in with a password, that is before the new configuration with PasswordAuthentication no is activated. Now you can make an SSH connection to your hardened SSH server.