SSH is one of the most important services in Linux administration.
It allows administrators to remotely manage servers, deploy applications, troubleshoot systems, and maintain cloud infrastructure.
However, exposing SSH directly to the internet also makes it a common target for:
- brute-force attacks,
- password spraying,
- automated scanners,
- stolen credentials,
- unauthorized access attempts.
A default SSH installation is functional, but it is not always secure.
This guide shows practical steps to harden an OpenSSH server.
1. Update Your Linux Server First
Before changing SSH configuration, make sure your system is updated.
Debian / Ubuntu:
sudo apt update
sudo apt upgrade
Check your OpenSSH version:
ssh -V
Running outdated software increases the risk of known vulnerabilities.
2. Create a Dedicated Administrator Account
Avoid using root directly.
Create a new user:
sudo adduser admin
Add administrator privileges:
sudo usermod -aG sudo admin
Now connect using:
ssh admin@server-ip
and use:
sudo
for administrative tasks.
3. Disable Root Login
Open SSH configuration:
sudo nano /etc/ssh/sshd_config
Find:
PermitRootLogin yes
Change:
PermitRootLogin no
Restart SSH:
sudo systemctl restart ssh
Now attackers cannot attempt direct root authentication.
4. Use SSH Keys Instead of Passwords
Passwords are vulnerable to brute-force attacks.
Generate an SSH key:
ssh-keygen -t ed25519
Copy it to the server:
ssh-copy-id admin@server-ip
Test login:
ssh admin@server-ip
After successful authentication disable passwords:
PasswordAuthentication no
Restart SSH:
sudo systemctl restart ssh
Your server now accepts cryptographic authentication.
5. Change the Default SSH Port
The default SSH port is:
22
Changing it does not replace security controls, but it reduces automated scanning.
Edit:
sudo nano /etc/ssh/sshd_config
Example:
Port 2222
Update firewall:
sudo ufw allow 2222/tcp
Restart:
sudo systemctl restart ssh
6. Configure Firewall Rules
Do not expose unnecessary services.
Example using UFW:
Install:
sudo apt install ufw
Allow SSH:
sudo ufw allow 22/tcp
Enable firewall:
sudo ufw enable
Check:
sudo ufw status
For additional security, allow SSH only from trusted IP addresses:
sudo ufw allow from YOUR_IP to any port 22
7. Install Fail2Ban
Fail2Ban monitors authentication logs and blocks suspicious IP addresses.
Install:
sudo apt install fail2ban
Enable:
sudo systemctl enable fail2ban
Start:
sudo systemctl start fail2ban
Check status:
sudo fail2ban-client status sshd
8. Limit SSH Users
Not every Linux user needs remote access.
Restrict SSH:
AllowUsers admin
or:
AllowGroups sshusers
This reduces the attack surface.
9. Disable Empty Passwords
Never allow passwordless accounts.
In:
/etc/ssh/sshd_config
set:
PermitEmptyPasswords no
10. Improve SSH Cryptography
Modern OpenSSH supports strong encryption algorithms.
Example configuration:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512,hmac-sha2-256
Avoid outdated algorithms whenever possible.
11. Monitor SSH Logs
Security requires visibility.
Check authentication events:
Debian / Ubuntu:
sudo journalctl -u ssh
or:
sudo cat /var/log/auth.log
Look for:
- repeated login failures,
- unknown usernames,
- unusual login times,
- unexpected successful sessions.
12. Add Multi-Factor Authentication
SSH keys are strong, but MFA provides another security layer.
Possible solutions:
- TOTP applications,
- hardware security keys,
- FIDO2 devices.
For critical servers, MFA should be considered mandatory.
SSH Hardening Checklist
Before exposing a Linux server:
✅ Update OpenSSH
✅ Disable root login
✅ Use SSH keys
✅ Disable password authentication
✅ Configure firewall
✅ Install Fail2Ban
✅ Restrict SSH users
✅ Remove weak algorithms
✅ Monitor logs
✅ Enable MFA
Final Thoughts
SSH is not insecure by design.
Most successful attacks happen because of:
- weak passwords,
- poor configuration,
- outdated systems,
- excessive permissions.
A hardened SSH configuration is one of the first steps in building a secure Linux server.
Security is not a single setting. It is a continuous process of improving, monitoring, and reducing risk.
About NetBe
NetBe publishes practical guides about Linux administration, cybersecurity, server hardening, cloud computing, and modern infrastructure.
More technical articles:
Top comments (0)