sshd config which passes A+ validation https://www.ssh-audit.com
/etc/ssh/sshd_config
#Port 22
#ListenAddress 0.0.0.0
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 2m
StrictModes yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AllowAgentForwarding no
AllowTcpForwarding no
AllowStreamLocalForwarding no
DisableForwarding yes
GatewayPorts no
PermitTunnel no
PrintMotd no
UsePAM no
ChallengeResponseAuthentication no
MaxAuthTries 3
PermitEmptyPasswords no
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-ed25519
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
ClientAliveCountMax 2
ClientAliveInterval 300
#Compression no
IgnoreRhosts yes
MaxSessions 2
Protocol 2
Subsystem sftp internal-sftp
TCPKeepAlive no
UseDNS no
my git repo with cfg