# SSH Security Configuration – Key Variables

This document provides a **concise explanation** of the main SSH security variables used during the initial hardening of an Ubuntu Server.

The goal is **not to teach SSH**, but to document:
- What each variable does
- Where it is defined
- What action is required (uncomment / modify)

---

## Configuration File Location

All the variables below are defined in the SSH daemon configuration file:

```text
/etc/ssh/sshd_config
```

To edit it:

```bash
sudo nano /etc/ssh/sshd_config
```


⚠️ Important:
Variables starting with `#` are commented out and not active.
They must be uncommented (remove the `#`) to take effect.


### SSH Variables Overview
#### LoginGraceTime

```bash
#LoginGraceTime 2m
```
Purpose:
Defines how long a client has to authenticate before the connection is closed.

Recommended value:
```bash
LoginGraceTime 30s
```
---
#### PermitRootLogin

```bash
#PermitRootLogin prohibit-password
```
Purpose:
Controls whether the root user can log in via SSH.

Values:

+ yes → Allows root login (not recommended)

+ prohibit-password → Root allowed only with SSH keys

+ no → Root login completely disabled

Recommended value:

```bash
PermitRootLogin no
```
---
#### StrictModes

```bash
#StrictModes yes
```
Purpose:
Makes sshd check the ownership and permissions of the user's SSH-related files (e.g. `.ssh/`) before accepting a login.

Recommended value:
```bash
StrictModes yes
```
---

#### MaxAuthTries

```bash
#MaxAuthTries 6
```
Purpose:
Limits the number of authentication attempts per connection.

Recommended value:
```bash
MaxAuthTries 3
```
---

#### MaxSessions

```bash
#MaxSessions 10
```
Purpose:
Defines the maximum number of simultaneous SSH sessions per connection.

Recommended value:
```bash
MaxSessions 3
```

### Applying Changes

After modifying the configuration:

Validate syntax:

```bash
sudo sshd -t
```
Restart SSH:
```bash
sudo systemctl restart ssh
```

⚠️ Always keep an active SSH session open while testing changes.
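
An added example, not part of the original document: a small shell audit that compares the five directives above with the recommended values, treating commented lines as inactive and using the first active value, as sshd does. It assumes only the given file is read (Include drop-ins are not followed); the function names and the sample file are constructed for illustration.

```shell
# Added example: audit an sshd_config-style file against this page's values.
# Assumption: only the given file is read; Include drop-ins are not followed.

# Print the active global value of keyword $2 in file $1, or "unset".
active_value() {
  awk -v want="$2" '
    NF == 0 || $1 ~ /^#/    { next }   # blank or commented: not active
    tolower($1) == "match"  { exit }   # later lines apply only conditionally
    tolower($1) == tolower(want) { print $2; found = 1; exit }  # first value wins
    END { if (!found) print "unset" }
  ' "$1"
}

# Report each directive; exit status is the number of mismatches.
audit_sshd_config() (
  failures=0
  while read -r key want; do
    got=$(active_value "$1" "$key" | tr '[:upper:]' '[:lower:]')
    if [ "$got" = "$want" ]; then
      printf 'OK    %-16s %s\n' "$key" "$got"
    else
      printf 'FAIL  %-16s %s (recommended: %s)\n' "$key" "$got" "$want"
      failures=$((failures + 1))
    fi
  done <<'EOF'
LoginGraceTime 30s
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 3
EOF
  exit "$failures"
)

# Constructed sample input, not a real server's configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#LoginGraceTime 2m
LoginGraceTime 30s
#PermitRootLogin prohibit-password
StrictModes yes
maxauthtries 3
MaxAuthTries 6
MaxSessions 10
Match User deploy
    PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "$? directive(s) differ from the recommended values"
```

On a live server, `sudo sshd -T` prints the values the daemon actually resolves, including any pulled in through `Include`, and is the authoritative check.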

### Notes

+ These settings do not expose the server to the internet

+ They only affect SSH behavior

+ Access is still controlled by firewall and network topology

+ Root access remains available locally and via sudo