# Step 4: Securing OpenSSH

⚠️ Before continuing: This will make login via password impossible. If you lose your SSH key, you will lose access to your server and it will require a reinstallation.

The OpenSSH server configuration should be located at `/etc/ssh/sshd_config` but we aren't going to edit this file. We are going to create a new file at `/etc/ssh/sshd_config.d/hardening.conf`. (add video)

```
X11Forwarding no

AllowAgentForwarding no

PermitEmptyPasswords no

MaxAuthTries 3

# NOTE: this will disable password authentication entirely! Setup SSH keys before applying this config!
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no

Protocol 2
```

Now to apply these settings, we need to restart the ssh server with: `sudo systemctl restart sshd`, and voilà!