- [ ] Secure the server according to: Use strong ciphers and algorithms. Although recent versions of OpenSSH support strong algorithms, ensure that CHACHA20 and curve25519 are preferred to ensure the safest cryptographic operation. [https://goteleport.com/blog/security-hardening-ssh-bastion-best-practices/](https://goteleport.com/blog/security-hardening-ssh-bastion-best-practices/)
  - See: [encryption - How to disable weak ciphers in SSH? - Unix & Linux Stack Exchange](https://unix.stackexchange.com/questions/333728/how-to-disable-weak-ciphers-in-ssh)
- [ ] two factor - Probably the simplest yet most effective control is to implement a second factor authentication in your SSH server. Google's Google Authenticator PAM module is the popular choice. But it only supports TOTP-based authentication. For more robust authentication, opt for solutions that enable authentication based on [U2F](https://www.yubico.com/authentication-standards/fido-u2f/) or [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) for SSH.

## Fail2ban

https://github.com/fail2ban/fail2ban/issues/3567#issuecomment-2625933592

I applied your workaround to my `jail.local` the first time and here is what I got:

```
While reading from '/etc/fail2ban/jail.local' [line 272]: option 'backend' in section 'sshd' already exists
```

So I had to investigate further and _tried_ to understand what happened, trying not to break my current configuration (`backend = %(sshd_backend)s`). And as I am conservative and tried to keep the "Debian" configuration, the workaround I found was the one mentioned. And I _tried_ to share this, not to be awarded in any positive or negative manner, but _trying_ to help. So in one word: the workaround you gave did not sound so good to me, and the fact that fail2ban has to be tweaked before it can start at once on Debian did not help me to be confident in your solution. And the way you answer people did not help either.
---

I applied your workaround to my `jail.local` the first time and it did not work at once. So I had to investigate further and _tried_ to understand what happened, trying not to break my current configuration (`backend = %(sshd_backend)s`). And as I am conservative and tried to keep the "Debian" configuration, the workaround I found was the one mentioned. And I _tried_ to share this, not to be awarded in any positive or negative manner, but _trying_ to help. So in one word: the workaround you gave did not sound so good to me, and the fact that fail2ban has to be tweaked before it can start at once on Debian did not help me to be confident in your solution. The way you answered people did not help either. It is always important to understand that people are not machines which just behave like computers. And why
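Added example for the first checklist item (strong ciphers, CHACHA20 and curve25519 preferred): a small checker, written here and not taken from the page, the Teleport post, the Stack Exchange thread or OpenSSH. It parses the algorithm directives of sshd_config text and reports when the preferred algorithms are not listed first or when a weak one is still enabled. The `WEAK` sets are a constructed, partial list; the two sample configs are constructed too. Run it over the output of `sshd -T` rather than the raw file, since `Include` files and `Match` blocks are not modelled.

```python
"""Check that an sshd configuration prefers ChaCha20-Poly1305 and curve25519.

Added example, not from the page, Teleport or OpenSSH. It parses the
comma-separated algorithm directives of sshd_config text and reports what
the checklist item would flag. Feed it the effective configuration
(`sshd -T`) rather than the raw file where possible, since Include files
and Match blocks are not modelled here.
"""
from __future__ import annotations

# OpenSSH identifiers the checklist asks to put first.
PREFERRED = {
    "ciphers": ["chacha20-poly1305@openssh.com"],
    "kexalgorithms": ["curve25519-sha256", "curve25519-sha256@libssh.org"],
}
# Constructed, partial list of algorithms commonly treated as weak
# (CBC modes, RC4, SHA-1 key exchange, MD5 / truncated MACs).
WEAK = {
    "ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"},
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96",
             "hmac-md5-etm@openssh.com", "hmac-sha1-96-etm@openssh.com"},
}
ALGORITHM_DIRECTIVES = ("ciphers", "kexalgorithms", "macs", "hostkeyalgorithms")


def parse_sshd_config(text: str) -> dict[str, list[str]]:
    """Return {directive: [algorithms in listed order]} for the algorithm directives.

    Only the first occurrence of a keyword counts, which is how sshd itself
    treats repeated keywords. A "^" prefix (prepend to the default) keeps its
    ordering meaning; "+" / "-" (append to / remove from the default) cannot be
    resolved from the file alone and are skipped, so they show up as "not set".
    """
    result: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key not in ALGORITHM_DIRECTIVES or key in result or not value:
            continue
        if value[0] in "+-":
            continue
        result[key] = [a.strip() for a in value.lstrip("^").split(",") if a.strip()]
    return result


def check_preferences(config: dict[str, list[str]]) -> list[str]:
    """Return findings in plain text; an empty list means nothing to fix."""
    findings: list[str] = []
    for key, wanted in PREFERRED.items():
        listed = config.get(key)
        if listed is None:
            findings.append(f"{key}: not set explicitly here; check the effective list with `sshd -T`")
        elif listed[0] not in wanted:
            findings.append(f"{key}: {wanted[0]} is not first (first is {listed[0]})")
    for key, weak in WEAK.items():
        for alg in config.get(key, []):
            if alg in weak:
                findings.append(f"{key}: weak algorithm {alg} is enabled")
    return findings


# Constructed sample: a CBC cipher listed first and a SHA-1 group exchange enabled.
SAMPLE_WEAK = """\
Port 22
Ciphers aes256-cbc,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms diffie-hellman-group-exchange-sha1,curve25519-sha256
MACs hmac-sha2-256-etm@openssh.com
"""
# Constructed sample matching the checklist item.
SAMPLE_HARDENED = """\
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        for finding in check_preferences(parse_sshd_config(text)) or ["OK"]:
            print(f"{name}: {finding}")
```

The "not set" finding is deliberate: an absent directive means the OpenSSH default order applies, and a `+`/`-` directive means the file alone does not tell you the order, so in both cases the effective list from `sshd -T` is what to review.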
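Added example for the Fail2ban error quoted above, written here and not taken from the page or the fail2ban project. fail2ban reads `jail.conf`/`jail.local` with Python's `configparser`, whose strict mode rejects a key that appears twice in one section with exactly the "option 'backend' in section 'sshd' already exists" wording. The block reproduces that message on a constructed `jail.local` fragment and adds a line scanner that lists every duplicate with its line number, which is what you want before touching a working `backend = %(sshd_backend)s` setting. Both fragments are constructed; the file name is a placeholder.

```python
"""Reproduce and locate fail2ban's duplicate-option error.

Added example, not from the page or the fail2ban project. fail2ban parses
its jail files with configparser; a key repeated inside one section makes
the strict parser raise DuplicateOptionError, which is the message quoted
in the issue comment above.
"""
from __future__ import annotations

import configparser
import io
import re

# Constructed jail.local fragment: [sshd] sets backend twice, once keeping
# Debian's %(sshd_backend)s reference and once with a literal value.
JAIL_LOCAL_DUPLICATE = """\
[DEFAULT]
bantime = 1h

[sshd]
enabled = true
backend = %(sshd_backend)s
port = ssh
backend = systemd
"""

# Constructed fixed version: backend set exactly once in the section.
JAIL_LOCAL_FIXED = """\
[DEFAULT]
bantime = 1h

[sshd]
enabled = true
backend = %(sshd_backend)s
port = ssh
"""


def find_duplicate_options(text: str) -> list[tuple[str, str, int]]:
    """Return (section, option, line_number) for every repeated key.

    A plain line scanner rather than configparser, so it reports all
    duplicates instead of stopping at the first, and the line numbers can be
    compared with the "[line N]" in fail2ban's message.
    """
    seen: dict[tuple[str | None, str], int] = {}
    dups: list[tuple[str, str, int]] = []
    section: str | None = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if raw[0].isspace():
            continue  # indented line: continuation of the previous value
        # configparser accepts "=" or ":" and lower-cases option names
        key = re.split(r"[=:]", line, maxsplit=1)[0].strip().lower()
        marker = (section, key)
        if marker in seen:
            dups.append((section or "", key, lineno))
        else:
            seen[marker] = lineno
    return dups


def parse_like_fail2ban(text: str, name: str = "/path/to/jail.local") -> str | None:
    """Parse with strict configparser; return the error message, or None if clean."""
    # interpolation is off so %(sshd_backend)s is not expanded while parsing
    parser = configparser.ConfigParser(interpolation=None)  # strict=True by default
    try:
        parser.read_file(io.StringIO(text), source=name)
    except configparser.DuplicateOptionError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(parse_like_fail2ban(JAIL_LOCAL_DUPLICATE))
    print(find_duplicate_options(JAIL_LOCAL_DUPLICATE))
    print(parse_like_fail2ban(JAIL_LOCAL_FIXED), find_duplicate_options(JAIL_LOCAL_FIXED))
```

A useful habit after editing any file under `/etc/fail2ban`: run `fail2ban-client -t` (the built-in configuration test) before restarting the service, so a parse error like this one is caught without leaving the jails stopped.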