Most tutorials on SSH hardening stop at changing the default port and blocking root access. Sure, that helps, but it barely scratches the surface. Attackers usually look for the less obvious misconfigurations to gain entry.
This isn't a beginner checklist. It assumes you already know your way around sshd_config, so let's skip the basics and look at what actually stops an attack.
Disable Password Authentication Entirely
Leaving password authentication enabled alongside SSH keys leaves the door open for credential stuffing. Once an attacker finds a valid username, they will brute-force it. Force public key authentication only.
PasswordAuthentication no
AuthenticationMethods publickey
Restrict Cryptographic Algorithms
Out of the box, SSH on many Linux distributions will happily negotiate weak, outdated algorithms. You need to explicitly define what is acceptable.
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
Always run ssh -Q kex (and likewise ssh -Q cipher and ssh -Q mac) to verify what your OpenSSH build supports before you edit; an algorithm name sshd does not recognise is a configuration error that will keep it from starting.
Drop Idle Connections
An open but inactive session is an open door for anyone walking by. To drop dead or unresponsive connections, set a strict timeout rule in your sshd_config:
ClientAliveInterval 300
ClientAliveCountMax 2
This drops an unresponsive connection after 10 minutes (two missed keepalives 300 seconds apart). However, to drop a truly idle session (a user who simply walks away from their keyboard), you need to enforce a shell timeout. Add this to your shell profile (e.g., /etc/profile or .bashrc):
TMOUT=600
readonly TMOUT
export TMOUT
Simple fix. Almost nobody does it.
Tighten Who Can Even Connect
Restricting accounts at the OS level alone won't cut it. Use the native allowlist capabilities of sshd. While AllowUsers supports CIDR notation directly (AllowUsers deploy@192.168.1.0/24), a Match block is often cleaner for complex rules:
Match Address 192.168.1.0/24
AllowUsers deploy
IP wildcards like AllowUsers deploy@192.168.1.* work too, and the same logic applies to AllowGroups. Keep in mind that a Match block only governs connections that match it: the rule above restricts logins from 192.168.1.0/24 to deploy, but connections from other addresses still fall through to the global AllowUsers, so set one there as well or everyone else remains allowed.
Turn Off Unnecessary Forwarding
TCP and agent forwarding are enabled by default. Turn them off. Leaving agent forwarding on when you connect to a shared host is a massive risk: anyone with root on that host can reach your forwarded agent socket and authenticate as you to other systems.
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Test Before You Reload
Never restart sshd blindly after making changes. Always validate the syntax first using root privileges:
sudo sshd -t
Keep your current SSH window open and start a new connection to test. Once you are sure the new configuration works, use reload instead of restart (on Debian-based systems the unit is named ssh rather than sshd):
sudo systemctl reload sshd
Locking yourself out of your own remote box because of a typo is a headache you only want to experience once.
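To confirm a host actually ended up with all of the settings above, here is an added audit script (not part of the original post) that compares the effective configuration printed by sshd -T against the recommended values; the sshd -T output embedded in it is a constructed sample from a hypothetical unhardened host.

```shell
#!/bin/sh
# Added example, not from the original post: audit the effective sshd settings
# (as printed by `sudo sshd -T`) against the values recommended above.
# Constructed sample of `sshd -T` output from a hypothetical, not-yet-hardened host.
SAMPLE_SSHD_T='passwordauthentication yes
authenticationmethods any
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
ciphers chacha20-poly1305@openssh.com,aes128-ctr
macs hmac-sha1,hmac-sha2-512-etm@openssh.com
clientaliveinterval 0
clientalivecountmax 3
allowagentforwarding yes
allowtcpforwarding yes
x11forwarding no'
# get_opt CONFIG KEY: print the effective value of KEY (sshd -T lowercases keys).
get_opt() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'; }
# check_exact CONFIG KEY WANT: succeed only if the effective value equals WANT.
check_exact() { [ "$(get_opt "$1" "$2")" = "$3" ]; }
# check_allowlist CONFIG KEY ALLOWED: succeed only if every algorithm sshd would
# negotiate for KEY is in ALLOWED. A missing key fails: sshd is then on its defaults.
check_allowlist() {
    v=$(get_opt "$1" "$2")
    [ -n "$v" ] || return 1
    for alg in $(printf '%s' "$v" | tr ',' ' '); do
        case ",$3," in *",$alg,"*) ;; *) return 1 ;; esac
    done
}
# expect CHECKER CONFIG KEY WANT: run one check, print the result, count deviations.
expect() {
    "$1" "$2" "$3" "$4" && { echo "ok   $3"; return; }
    echo "FAIL $3 (effective: '$(get_opt "$2" "$3")', want: $4)"
    fails=$((fails + 1))
}
# audit CONFIG: one line per setting; returns the number of deviations (0 = hardened).
audit() {
    fails=0
    expect check_exact     "$1" passwordauthentication no
    expect check_exact     "$1" authenticationmethods  publickey
    expect check_allowlist "$1" kexalgorithms curve25519-sha256,diffie-hellman-group16-sha512
    expect check_allowlist "$1" ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
    expect check_allowlist "$1" macs hmac-sha2-512-etm@openssh.com
    expect check_exact     "$1" clientaliveinterval 300
    expect check_exact     "$1" clientalivecountmax 2
    expect check_exact     "$1" allowagentforwarding no
    expect check_exact     "$1" allowtcpforwarding no
    expect check_exact     "$1" x11forwarding no
    return $fails
}
n=0; audit "$SAMPLE_SSHD_T" || n=$?; echo "$n deviation(s) from the recommended settings"
```

On a real host, run audit "$(sudo sshd -T)"; the exit status is the number of deviations, so it drops straight into a CI or configuration-management check.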