When you first launch an Ubuntu server, cloud providers often give you a default Ubuntu user with SSH open on port 22. It’s convenient, but also predictable, and predictable accounts are prime targets for automated attacks.
In this blog, we'll:
- Create a new admin user.
- Switch SSH to a non-default port.
- Enforce key-based login only.
- Restrict access to specific users.
- Delete the default user.
1. Create a New Admin User
We’ll replace the generic ubuntu account with our own, here called app.
```bash
# Create the user
sudo adduser app
# Add to the sudo (admin) group
sudo usermod -aG sudo app
```
Copy your SSH public key into this account so you can log in without a password:
```bash
sudo mkdir -p /home/app/.ssh
sudo cp /home/ubuntu/.ssh/authorized_keys /home/app/.ssh/
sudo chown -R app:app /home/app/.ssh
sudo chmod 700 /home/app/.ssh
sudo chmod 600 /home/app/.ssh/authorized_keys
```
2. Change the SSH Port
Most brute-force bots scan port 22. Moving SSH to a higher port won’t stop determined attackers, but it will reduce random noise in your logs.
Edit the SSH config:
```bash
sudo nano /etc/ssh/sshd_config
```
Find the Port line and set it:
```
Port 2222
```
3. Harden SSH Settings
While still editing /etc/ssh/sshd_config, add or modify these lines:
```
PermitRootLogin no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
PasswordAuthentication no
ClientAliveInterval 3000
ClientAliveCountMax 0
AllowUsers app
```
What these do:
- PermitRootLogin no - root login is forbidden.
- MaxAuthTries 3 - after 3 failed attempts, the connection drops.
- MaxSessions 2 - limits simultaneous open SSH sessions per connection.
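- TCPKeepAlive no - disables TCP-level keepalive probes; sshd then relies on the encrypted ClientAlive checks to detect dead connections.
- PasswordAuthentication no - passwords disabled; only SSH keys work.
- ClientAliveInterval / ClientAliveCountMax - intended to disconnect idle sessions after ~50 minutes (3000 seconds). On OpenSSH 8.2 and later, a ClientAliveCountMax of 0 disables this termination instead, so confirm the behaviour on your release.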
- AllowUsers app - only the app account can log in.
4. Install and Update the Firewall
First, install UFW if it’s not already present:
```bash
sudo apt update
sudo apt install -y ufw
# Set a default-deny policy and allow outgoing connections:
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
Update Firewall Rules
```bash
# Allow the new SSH port and remove the old one
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
# Allow HTTP and HTTPS traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```
Enable the firewall:
```bash
sudo ufw enable
sudo ufw status verbose
```
Restart and Test
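```bash
# Validate the config syntax, then restart SSH
sudo sshd -t && sudo systemctl restart ssh
# From another terminal (keep your current session open until this login works):
ssh -p 2222 app@your-server-ip
```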
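
Before retiring the default user, it helps to confirm that the effective SSH configuration matches what was edited above. The script below is an added example, not part of the original post: it checks `sshd -T`-style output against this post's values, and the function name `audit_sshd` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit `sshd -T` output
# against the values this post sets. On a server: sudo sshd -T | audit_sshd

audit_sshd() {
    awk '
    BEGIN {
        # Expected effective settings, taken from the post.
        want["port"] = "2222"
        want["permitrootlogin"] = "no"
        want["passwordauthentication"] = "no"
        want["maxauthtries"] = "3"
        want["maxsessions"] = "2"
        want["allowusers"] = "app"
    }
    {
        # sshd -T prints one lowercase "keyword value" pair per line.
        key = tolower($1)
        val = $0
        sub(/^[^ \t]+[ \t]+/, "", val)
    }
    (key in want) {
        # Any extra value (a second port, another allowed user) also fails.
        seen[key] = 1
        if (val != want[key]) {
            printf "FAIL %s is \"%s\", expected \"%s\"\n", key, val, want[key]
            bad++
        }
    }
    key == "clientalivecountmax" && val == "0" {
        print "WARN clientalivecountmax 0: OpenSSH 8.2+ never drops unresponsive clients"
    }
    END {
        for (k in want) if (!(k in seen)) { printf "FAIL %s not set\n", k; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample of `sshd -T` output so the example runs offline.
SAMPLE_SSHD_T='port 2222
permitrootlogin no
passwordauthentication no
maxauthtries 3
maxsessions 2
clientaliveinterval 3000
clientalivecountmax 0
allowusers app'

printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd || echo "audit found problems"
```

A non-zero exit status means at least one setting differs from the post's values or is missing, so the default account should stay in place until the audit passes.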
5. Retire the Default ubuntu User
Once the new account is confirmed working:
```bash
sudo deluser --remove-home ubuntu
```
(Alternatively, just lock it: sudo usermod --lock ubuntu)
Now Your Server:
- Runs SSH on port 2222 with key-only login.
- Only accepts logins from app.
- Blocks root login.
- Limits brute-force attempts.
- Has a firewall allowing only SSH (2222), HTTP (80), and HTTPS (443).