SSHD Important Parameters

SSH is an essential UNIX service for logging in securely. Besides logins, it is widely used for remote command execution, so it is vital in the automation world. We will examine some important parameters of sshd_config.

1- MAXSTARTUPS

Ansible, for example, uses SSH in the background, and many simultaneous Ansible jobs can run over SSH. You may start seeing the error below more and more often in your scripts:

    ssh_exchange_identification: Connection closed by remote host

If you know there is no reason for the connection to be closed by a firewall drop or an sshd configuration drop, it can be the result of the sshd daemon's startup limit: MaxStartups caps how many connections may sit in the unauthenticated state at once, and beyond that cap sshd drops new connections, which the client sees as the error above. We experienced this problem and the solution was increasing the MaxStartups parameter, so I think it is an important parameter to examine. The first line below is the default; the second is what we changed it to.

    [root@server1 ~]# grep MaxStartup /etc/ssh/sshd_config
    #MaxStartups 10:30:100
    MaxStartups 20:10:200
    [root@server1 ~]#

2- BANNER

It may seem silly, but sometimes removing the SSH banner makes vendor-supplied scripts that were not working start finishing successfully. We experienced this issue with SAS installations and Oracle BDA installations many times. If someone writes an Expect script, the banner changes what is EXPECTED, so the output also differs and the script may not work. So you may temporarily disable the banner when some scripts do not work.

3- BRUTE FORCE PREVENTION

Disable logging in with passwords and use keys, certificates, etc. This way you make a big improvement in preventing dictionary brute-force attacks. Also use secure Ciphers, MACs and KexAlgorithms. MaxAuthTries may also be a good option.

    PermitRootLogin without-password
    KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-md5,hmac-md5-96,hmac-sha1-96
    HostbasedAcceptedKeyTypes ssh-dss,ssh-rsa
    HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
    MaxAuthTries 2

Note that several entries in these lists (diffie-hellman-group1-sha1, hmac-md5, hmac-md5-96, hmac-sha1-96, hmac-ripemd160 and ssh-dss) are legacy algorithms that current OpenSSH releases no longer enable by default, and "without-password" is the old spelling of "prohibit-password". Check what your build supports with "ssh -Q kex", "ssh -Q mac" and "ssh -Q key" before pinning an explicit list, so that you do not re-enable something the defaults already removed.

4- DISABLE REVERSE PORT FORWARDING

SSH can be used to bypass corporate firewalls with its reverse port forwarding feature, which is also called the "Poor Man's VPN". You can find detailed information about it on the internet. Disabling it is important. To disable it, the two parameters below (AllowTcpForwarding and GatewayPorts) must always be set to no. AllowTcpForwarding no disables both local and remote forwarding; GatewayPorts no keeps any remote-forwarded port bound to the loopback address only. As sshd_config(5) points out, this only helps if users are also denied shell access, since a user who can run commands can always install their own forwarder.

    AllowTcpForwarding no
    GatewayPorts no

5- DISABLE DNS FOR FASTER LOGINS

For security reasons, sshd also checks the reverse DNS record of the incoming IP address. You can disable this with "UseDNS no", which speeds up login time.

    UseDNS no

6- DISABLE LOGINS FOR SERVICE USERS

Service users may be members of a group called "nologin". You can prevent them from logging in over SSH with the DenyGroups keyword.

    DenyGroups nologin

7- KEEPALIVE FOR SSH

The configuration below may help prevent firewalls from dropping idle sessions immediately. With these settings sshd sends an alive message every 600 seconds (10 minutes) when it has received nothing from the client, and terminates the session only after 3 consecutive messages go unanswered. So we can be sure idle sessions will not be dropped for 30 minutes. Dropping idle sessions is an important security feature, but it must not happen so suddenly, because the session may still be needed.

    TCPKeepAlive yes
    ClientAliveInterval 600
    ClientAliveCountMax 3
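As an added example (not code from the original post), here is a small Python checker that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive) and reports which of the settings discussed above deviate from the post's recommendations; it also models the MaxStartups start:rate:full ramp described in sshd_config(5), so you can see at what load the "Connection closed by remote host" errors from section 1 start appearing. The config text, the WANTED table and the function names are constructed for this example.

```python
import re

# Constructed sample sshd_config for the demo (not a real host's file).
SAMPLE_CONFIG = """\
#MaxStartups 10:30:100
MaxStartups 20:10:200
AllowTcpForwarding yes
GatewayPorts no
UseDNS yes
"""

# Settings the post recommends; sshd keywords are case-insensitive, so keys are lowercased.
WANTED = {"passwordauthentication": "no", "allowtcpforwarding": "no", "gatewayports": "no", "usedns": "no"}

def parse_sshd_config(text):
    """Lowercased keyword -> value, as sshd reads it: first occurrence wins, '=' or
    blanks separate keyword and value, and parsing stops at a Match block."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = re.sub(r"\s*=\s*|\s+", " ", line, count=1).partition(" ")
        if key.lower() == "match":  # everything after Match is conditional
            break
        opts.setdefault(key.lower(), val.strip())
    return opts

def audit(text):
    """(keyword, found, wanted) for each recommended setting not in place;
    a keyword absent from the file is reported as '<default>'."""
    opts = parse_sshd_config(text)
    return [(k, opts.get(k, "<default>"), v) for k, v in WANTED.items()
            if opts.get(k, "<default>").lower() != v]

def drop_probability(unauth, spec):
    """Percent chance sshd refuses a new connection with `unauth` connections still
    unauthenticated, for MaxStartups 'start:rate:full': rate% at start, rising
    linearly to 100% at full (sshd_config(5)); a bare number is a hard cap."""
    parts = [int(p) for p in spec.split(":")]
    start, rate, full = parts if len(parts) == 3 else (parts[0], 100, parts[0])
    if unauth < start:
        return 0
    if unauth >= full or rate == 100:
        return 100
    return rate + (100 - rate) * (unauth - start) // (full - start)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print([drop_probability(n, "20:10:200") for n in (19, 20, 110, 200)])
```

With the post's value of 20:10:200, the first refusals begin at 20 pending handshakes and every new connection is refused at 200; with the default 10:30:100 the ramp starts at 10 and ends at 100.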