It’s hardening Sunday: I reviewed the configuration files of my main daemons (nginx, openvpn, tinc, sshd) with the help of two resources I want to share.
First, a guide dedicated exclusively to hardening SSH: it covers everything from enforcing public key authentication to selecting the right ciphers. There’s solid theory behind the cipher recommendations; worth reading, not just copying.
Second, a guide for hardening all services, from web servers to VPN concentrators, organized by vendor. Every option is well-documented and discussed in depth, exactly the kind of resource you want before making changes in production.
My advice: set aside two hours, read the theory, then selectively apply the changes that make sense for your setup. Don’t blindly copy defaults. Happy hardening!
Update for macOS users: if you are on macOS, do not use the SSH toolset that ships with the OS: it lags significantly behind upstream. It may lack ssh-copy-id and support for modern key exchange algorithms like ECDSA. Install a current version via Homebrew:
brew install openssh
Then ensure /opt/homebrew/bin (or /usr/local/bin on Intel Macs) comes before /usr/bin in your PATH.