1 PermitRootLogin shall be disabled (aka 'no') or at least reasonably restricted
2 ('without-password', 'forced-commands-only').
5 ChrootDirectory jails the user into a separate environment
7 ForceCommand might help (especially with internal-sftp) to further limit possibilities of
8 a remote use. rssh might be used as a shell to achieve similar behaviour.
11 # We recommend to use a high and non-standard port for SSH. Test it against nmap defaults that it does not get detected