Hardening SSH on Ubuntu: Custom Admin User and Locking Down Access

When you first launch an Ubuntu server, cloud providers often give you a default Ubuntu user with SSH open on port 22. It’s convenient, but also predictable, and predictable accounts are prime targets for automated attacks.

In this Blog, we'll explore:

1. Create a new admin user.
2. Switch SSH to a non-default port.
3. Enforce key-based login only.
4. Restrict access to specific users.
5. Delete default user

1. Create a New Admin User

We’ll replace the generic ubuntu account with our own, here called app.

# Create the user
sudo adduser app

# Add to the sudo (admin) group
sudo usermod -aG sudo app

Copy your SSH public key into this account so you can log in without a password:

sudo mkdir -p /home/app/.ssh
sudo cp /home/ubuntu/.ssh/authorized_keys /home/app/.ssh/
sudo chown -R app:app /home/app/.ssh
sudo chmod 700 /home/app/.ssh
sudo chmod 600 /home/app/.ssh/authorized_keys

2. Change the SSH Port

Most brute-force bots scan port 22. Moving SSH to a higher port won’t stop determined attackers, but it will reduce random noise in your logs.
Edit the SSH config:

sudo nano /etc/ssh/sshd_config

# find port and set
Port 2222

3. Harden SSH Settings

While still editing /etc/ssh/sshd_config, add or modify these lines:

PermitRootLogin no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
PasswordAuthentication no
ClientAliveInterval 3000
ClientAliveCountMax 0
AllowUsers app

What these do:

• PermitRootLogin no - root login is forbidden.
• MaxAuthTries 3 - after 3 failed attempts, the connection drops.
• MaxSessions 2 - limits simultaneous open SSH sessions per connection.
• TCPKeepAlive no - avoids lingering TCP connections.
• PasswordAuthentication no - passwords disabled; only SSH keys work.
• ClientAliveInterval / ClientAliveCountMax - idle sessions get disconnected after ~50 minutes.
• AllowUsers app - only the app account can log in.

4. Install and Update the Firewall

First, install UFW if it’s not already present:

sudo apt update
sudo apt install -y ufw

# Set a default-deny policy and allow outgoing connections:
sudo ufw default deny incoming
sudo ufw default allow outgoing

Update Firewall Rules

# Allow new ssh port & remove old
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp

# Allow HTTP and HTTPS traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Enable the firewall:

sudo ufw enable
sudo ufw status verbose

Restart and Test

sudo sshd -t && sudo systemctl restart ssh

# From another terminal:
ssh -p 2222 app@your-server-ip

5. Retire the Default ubuntu User

Once the new account is confirmed working:

sudo deluser --remove-home ubuntu

(Alternatively, just lock it: sudo usermod --lock ubuntu)

Now Your Server:

• Runs SSH on port 2222 with key-only login.
• Only accepts logins from app.
• Blocks root login.
• Limits brute-force attempts.
• Has a firewall allowing only SSH (2222), HTTP (80), and HTTPS (443).