Disclaimer: Your mileage may vary. Rigorous testing (e.g. pen-testing) is recommended to validate that your config behaves according to your use cases, that it is secure, locked down and not exploitable.
The following configs provide a "secure by default" configuration for sshd
and enforces MFA authentication from public ip space.
A screencast walking-through and demonstrating the configuration has been posted on YouTube here: https://youtu.be/m_MCVm79xyY
In theory, the strategy/concept and configuration should work on most distros running sshd
. The screencast was recorded on an instance of Debian 12 aka bookworm. OpenSSH_9.2, OpenSSL 3.0.9.