Enhance SSH security on frist boot

What steps can I include in a first boot script to enhance SSH security on my DietPi installation?
I want to make sure my SSH server is as secure as possible from the start, so ex. I don’t need to change port etc. every time

I was wondering if anyone of you had already made that script to hardening settings to SSH in the Automation_Custom_PreScript.sh file?
Please note: I’m using OpenSSH, not Dropbear. :disguised_face:

  1. change SSH port
  2. lock SSH login for user root
  3. use SSH keys instead of password login
1 Like

Thanks for the update, i could see if i use openssh i would need to add this this file right: /etc/ssh/sshd_config.d/dietpi.conf

I guess that is some of the settings you are refereeing too?

Would a script like this work:


Define the settings

PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no
PermitRootLogin no
X11Forwarding no

Append the settings to the dietpi.conf file

echo “$settings” | sudo tee -a /etc/ssh/sshd_config.d/dietpi.conf > /dev/null

edit, I already set the id_ed25519 key(s) with dietpi.txt