feat: Add backup and security hardening

scripts/security-setup/sshd_config.hardened

@@ -0,0 +1,72 @@
+# Hardened SSH configuration for Gentoo workstation
+# Place in /etc/ssh/sshd_config.d/hardening.conf (or merge into main config)
+
+# Network
+Port 22
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+
+# Protocol
+Protocol 2
+
+# Host keys (prefer modern algorithms)
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# Ciphers and keying
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+
+# Logging
+SyslogFacility AUTH
+LogLevel VERBOSE
+
+# Authentication
+LoginGraceTime 30
+PermitRootLogin no
+StrictModes yes
+MaxAuthTries 3
+MaxSessions 5
+
+# Public key authentication
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+
+# Password authentication (disable for key-only)
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+# Challenge-response authentication
+KbdInteractiveAuthentication no
+ChallengeResponseAuthentication no
+
+# PAM
+UsePAM yes
+
+# Disable insecure features
+PermitUserEnvironment no
+HostbasedAuthentication no
+IgnoreRhosts yes
+X11Forwarding no
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+Compression no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# Subsystems
+Subsystem sftp /usr/lib64/misc/sftp-server
+
+# Connection settings
+ClientAliveInterval 300
+ClientAliveCountMax 2
+
+# Allow only specific users (uncomment and customize)
+# AllowUsers alexander
+
+# Deny specific users
+# DenyUsers root nobody