gustopn/gusto_dotfiles

gusto_dotfiles

My user's dotfiles, plus some other useful server config files.

sshd_config(.local)

Do not forget to set the permissions of sshd_config.local to read-write for root only once it is installed (with the mode below, group 0 can still read the file; nobody else has access).

chown 0:0 /etc/ssh/sshd_config*
chmod 0640 /etc/ssh/sshd_config*

  • Our custom sshd configuration does not bind to IPv6 addresses.
    For jails this cuts off SSH reachability completely, but not for the host computer.
    To protect the host computer you need to block the SSH port on the switch and/or filter it with a stateful firewall.

  • To then reach the computer remotely over SSH you need to set up a VPN.

  • But remember that a VPN can fail too, so it is good to make it redundant
    (OpenVPN + gif tunnel to a different secured system).

  • Even Microsoft (Azure) now does NOT recommend having the SSH port on the Internet.

We use the raya group (you may name it whatever you want) to allow users to log in.
Remember that on host systems you need at least 2 users in that group.
It is best to add one user to the recovery group who does NOT use a shell from ports.
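
The rules above (ownership and mode of the config, no IPv6 bind, a login group with at least two members) can be checked with a small script. This is an added example, not part of the repository: the function names are made up, and because the README does not show how the config avoids IPv6, the check assumes either `AddressFamily inet` or IPv4-only `ListenAddress` lines.

```shell
#!/bin/sh
# Added example (not from the repository): checks for the README's rules.
# Every path is an argument, so the checks also run on copies of the files.

# 0 if file $1 has mode 0640 and owner $2 (uid:gid, default 0:0 as chown'ed).
check_perms() {
    got=$(stat -c '%a %u:%g' "$1" 2>/dev/null || stat -f '%Lp %u:%g' "$1")
    [ "$got" = "640 ${2:-0:0}" ]
}

# 0 if config $1 cannot bind IPv6: either "AddressFamily inet" is set, or
# there are ListenAddress lines and all of them are IPv4 literals. With
# neither, sshd listens on every address family, so that case fails.
check_no_ipv6() {
    awk 'tolower($1) == "addressfamily" && af == "" { af = tolower($2) }
         tolower($1) == "listenaddress" {
             n++; if ($2 !~ /^[0-9.]+(:[0-9]+)?$/) bad++ }
         END { exit !(af == "inet" || (n > 0 && bad == 0)) }' "$1"
}

# 0 if AllowGroups in config $1 names group $2 and group file $3 lists at
# least two members for it (users who only have it as primary group are
# not listed in that file and are not counted).
check_login_group() {
    awk -v g="$2" 'tolower($1) == "allowgroups" {
             for (i = 2; i <= NF; i++) if ($i == g) ok = 1 }
         END { exit !ok }' "$1" || return 1
    members=$(awk -F: -v g="$2" '$1 == g { print $4 }' "$3")
    [ "$(printf '%s' "$members" | tr ',' '\n' | grep -c .)" -ge 2 ]
}

# Usage: sh audit.sh CONFIG GROUP GROUPFILE, for example
#   sh audit.sh /etc/ssh/sshd_config.local raya /etc/group
audit() {
    rc=0
    check_perms "$1"       || { echo "FAIL mode/owner: $1"; rc=1; }
    check_no_ipv6 "$1"     || { echo "FAIL IPv6 bind possible: $1"; rc=1; }
    check_login_group "$@" || { echo "FAIL AllowGroups or members: $2"; rc=1; }
    return $rc
}
if [ $# -eq 3 ]; then audit "$@"; fi
```

The file checks only read the text of the config; Match blocks and AllowGroups patterns are not interpreted.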