SSH Hardening Generator

A simple, open-source, client-side tool to generate a hardened sshd_config for an OpenSSH server. Nothing leaves your browser.

Home | Links | Notes | Toolkit | Contact

Access Port:

Root login:

Allow only these users (space-separated, optional):

Authentication Allow public-key authentication

Allow password authentication (leave off for key-only)

Max auth tries:

Login grace time (seconds):

Session & forwarding Allow X11 forwarding

TCP forwarding:

Idle timeout (ClientAliveInterval seconds, optional):

Cryptography Restrict to modern, strong algorithms (recommended)

FAQs

What is this site?

This site builds a hardened sshd_config for the OpenSSH server based on common best practices, entirely in your browser.

Will this lock me out?

It can if you are not careful. If you disable password authentication, make sure your SSH key works first. Always keep an existing session open and test a new login before closing it, so you can roll back if something is wrong.

What does "modern algorithms only" do?

It restricts key exchange, ciphers, MACs, and host-key algorithms to current strong choices (curve25519, ChaCha20-Poly1305, AES-GCM, Ed25519, and so on), dropping older and weaker options. Very old clients may not connect.

Do you log anything I enter?

No. This site is a static page that runs entirely client-side. Nothing you enter is sent anywhere, so it works offline.

Is this site open source?

Yes! You can find the full source code on GitHub.

Disclaimer: This tool is provided "as is" with no warranties. Review the generated configuration and keep a fallback session open before applying it to a remote server.