DEV Community

AJAYA SHRESTHA
Hardening SSH on Ubuntu: Custom Admin User and Locking Down Access

When you first launch an Ubuntu server, cloud providers often give you a default Ubuntu user with SSH open on port 22. It’s convenient, but also predictable, and predictable accounts are prime targets for automated attacks.

In this post, we'll:

  1. Create a new admin user.
  2. Switch SSH to a non-default port.
  3. Enforce key-based login only.
  4. Restrict access to specific users.
  5. Delete the default user.

1. Create a New Admin User

We’ll replace the generic ubuntu account with our own, here called app.

# Create the user
sudo adduser app

# Add to the sudo (admin) group
sudo usermod -aG sudo app

Copy your SSH public key into this account so you can log in without a password:

sudo mkdir -p /home/app/.ssh
sudo cp /home/ubuntu/.ssh/authorized_keys /home/app/.ssh/
sudo chown -R app:app /home/app/.ssh
sudo chmod 700 /home/app/.ssh
sudo chmod 600 /home/app/.ssh/authorized_keys

2. Change the SSH Port

Most brute-force bots scan port 22. Moving SSH to a higher port won’t stop determined attackers, but it will reduce random noise in your logs.
Edit the SSH config:

sudo nano /etc/ssh/sshd_config

# Find the Port line and set it to:
Port 2222

3. Harden SSH Settings

While still editing /etc/ssh/sshd_config, add or modify these lines:

PermitRootLogin no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
PasswordAuthentication no
ClientAliveInterval 3000
ClientAliveCountMax 0
AllowUsers app

What these do:

  • PermitRootLogin no - root login is forbidden.
  • MaxAuthTries 3 - after 3 failed attempts, the connection drops.
  • MaxSessions 2 - limits simultaneous open SSH sessions per connection.
  • TCPKeepAlive no - avoids lingering TCP connections.
  • PasswordAuthentication no - passwords disabled; only SSH keys work.
  • ClientAliveInterval / ClientAliveCountMax - idle sessions get disconnected after ~50 minutes.
  • AllowUsers app - only the app account can log in.
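One thing that trips people up on Ubuntu: the stock sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd uses the first value it reads for each keyword, so a drop-in file (for example one written by cloud-init) can silently override lines you edit further down in the main file. The following is an added example, not code from the post, that resolves settings the way sshd does and audits them against the values above; the sample files it builds (a drop-in that turns passwords back on, and a main file edited as in the post) are constructed for the demonstration.

```shell
# Resolve sshd settings the way sshd itself does: keywords are
# case-insensitive, "#" starts a comment, and for each keyword the FIRST
# value read wins. Ubuntu's stock sshd_config begins with an Include of
# /etc/ssh/sshd_config.d/*.conf, so drop-ins are read before the main file.
# Pass files in sshd's read order. Match blocks are not modelled.

# effective_value KEY FILE... -> the first value sshd would use for KEY
effective_value() {
    k=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    awk -v key="$k" '
        { sub(/#.*/, "") }                               # drop comments
        NF >= 2 && tolower($1) == key { print $2; exit } # first match wins
    ' "$@"
}

# audit_sshd FILE... -> one line per setting from the post; returns
# non-zero if any effective value differs from the expected one
audit_sshd() {
    rc=0
    for pair in Port=2222 PermitRootLogin=no PasswordAuthentication=no \
                MaxAuthTries=3 AllowUsers=app; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$key" "$@")
        if [ "$got" = "$want" ]; then
            printf 'OK   %-22s %s\n' "$key" "$got"
        else
            printf 'FAIL %-22s want=%s got=%s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# make_samples DIR -> constructed sample: a cloud-init style drop-in that
# re-enables passwords, plus a main file edited exactly as in the post
make_samples() {
    mkdir -p "$1/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
    cat > "$1/sshd_config" <<EOF
Include $1/sshd_config.d/*.conf
#Port 22
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
AllowUsers app
EOF
}
```

Run it as `d=$(mktemp -d); make_samples "$d"; audit_sshd "$d"/sshd_config.d/*.conf "$d/sshd_config"` and PasswordAuthentication reports FAIL because the drop-in wins. On a real server the authoritative check is `sudo sshd -T`, which prints the effective values after all Includes are applied.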

4. Install and Configure the Firewall

First, install UFW if it’s not already present:

sudo apt update
sudo apt install -y ufw

# Set a default-deny policy and allow outgoing connections:
sudo ufw default deny incoming
sudo ufw default allow outgoing

Update Firewall Rules

# Allow the new SSH port and remove the old one
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp

# Allow HTTP and HTTPS traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Enable the firewall:

sudo ufw enable
sudo ufw status verbose

Restart and Test

sudo sshd -t && sudo systemctl restart ssh

# From another terminal:
ssh -p 2222 app@your-server-ip

5. Retire the Default ubuntu User

Once the new account is confirmed working:

sudo deluser --remove-home ubuntu

(Alternatively, lock the account instead of deleting it: sudo usermod --lock ubuntu)

Your server now:

  • Runs SSH on port 2222 with key-only login.
  • Only accepts logins from app.
  • Blocks root login.
  • Limits brute-force attempts.
  • Has a firewall allowing only SSH (2222), HTTP (80), and HTTPS (443).
