DEV Community

Marek „Netbe” Lampart
Marek „Netbe” Lampart

Posted on

Hardening SSH Server on Linux: A Practical Security Guide

SSH is one of the most important services in Linux administration.

It allows administrators to remotely manage servers, deploy applications, troubleshoot systems, and maintain cloud infrastructure.

However, exposing SSH directly to the internet also makes it a common target for:

  • brute-force attacks,
  • password spraying,
  • automated scanners,
  • stolen credentials,
  • unauthorized access attempts.

A default SSH installation is functional, but it is not always secure.

This guide shows practical steps to harden an OpenSSH server.


1. Update Your Linux Server First

Before changing SSH configuration, make sure your system is updated.

Debian / Ubuntu:

sudo apt update
sudo apt upgrade
Enter fullscreen mode Exit fullscreen mode

Check your OpenSSH version:

ssh -V
Enter fullscreen mode Exit fullscreen mode

Running outdated software increases the risk of known vulnerabilities.


2. Create a Dedicated Administrator Account

Avoid using root directly.

Create a new user:

sudo adduser admin
Enter fullscreen mode Exit fullscreen mode

Add administrator privileges:

sudo usermod -aG sudo admin
Enter fullscreen mode Exit fullscreen mode

Now connect using:

ssh admin@server-ip
Enter fullscreen mode Exit fullscreen mode

and use:

sudo
Enter fullscreen mode Exit fullscreen mode

for administrative tasks.


3. Disable Root Login

Open SSH configuration:

sudo nano /etc/ssh/sshd_config
Enter fullscreen mode Exit fullscreen mode

Find:

PermitRootLogin yes
Enter fullscreen mode Exit fullscreen mode

Change:

PermitRootLogin no
Enter fullscreen mode Exit fullscreen mode

Restart SSH:

sudo systemctl restart ssh
Enter fullscreen mode Exit fullscreen mode

Now attackers cannot attempt direct root authentication.


4. Use SSH Keys Instead of Passwords

Passwords are vulnerable to brute-force attacks.

Generate an SSH key:

ssh-keygen -t ed25519
Enter fullscreen mode Exit fullscreen mode

Copy it to the server:

ssh-copy-id admin@server-ip
Enter fullscreen mode Exit fullscreen mode

Test login:

ssh admin@server-ip
Enter fullscreen mode Exit fullscreen mode

After successful authentication disable passwords:

PasswordAuthentication no
Enter fullscreen mode Exit fullscreen mode

Restart SSH:

sudo systemctl restart ssh
Enter fullscreen mode Exit fullscreen mode

Your server now accepts cryptographic authentication.


5. Change the Default SSH Port

The default SSH port is:

22
Enter fullscreen mode Exit fullscreen mode

Changing it does not replace security controls, but it reduces automated scanning.

Edit:

sudo nano /etc/ssh/sshd_config
Enter fullscreen mode Exit fullscreen mode

Example:

Port 2222
Enter fullscreen mode Exit fullscreen mode

Update firewall:

sudo ufw allow 2222/tcp
Enter fullscreen mode Exit fullscreen mode

Restart:

sudo systemctl restart ssh
Enter fullscreen mode Exit fullscreen mode

6. Configure Firewall Rules

Do not expose unnecessary services.

Example using UFW:

Install:

sudo apt install ufw
Enter fullscreen mode Exit fullscreen mode

Allow SSH:

sudo ufw allow 22/tcp
Enter fullscreen mode Exit fullscreen mode

Enable firewall:

sudo ufw enable
Enter fullscreen mode Exit fullscreen mode

Check:

sudo ufw status
Enter fullscreen mode Exit fullscreen mode

For additional security, allow SSH only from trusted IP addresses:

sudo ufw allow from YOUR_IP to any port 22
Enter fullscreen mode Exit fullscreen mode

7. Install Fail2Ban

Fail2Ban monitors authentication logs and blocks suspicious IP addresses.

Install:

sudo apt install fail2ban
Enter fullscreen mode Exit fullscreen mode

Enable:

sudo systemctl enable fail2ban
Enter fullscreen mode Exit fullscreen mode

Start:

sudo systemctl start fail2ban
Enter fullscreen mode Exit fullscreen mode

Check status:

sudo fail2ban-client status sshd
Enter fullscreen mode Exit fullscreen mode

8. Limit SSH Users

Not every Linux user needs remote access.

Restrict SSH:

AllowUsers admin
Enter fullscreen mode Exit fullscreen mode

or:

AllowGroups sshusers
Enter fullscreen mode Exit fullscreen mode

This reduces the attack surface.


9. Disable Empty Passwords

Never allow passwordless accounts.

In:

/etc/ssh/sshd_config
Enter fullscreen mode Exit fullscreen mode

set:

PermitEmptyPasswords no
Enter fullscreen mode Exit fullscreen mode

10. Improve SSH Cryptography

Modern OpenSSH supports strong encryption algorithms.

Example configuration:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com

MACs hmac-sha2-512,hmac-sha2-256
Enter fullscreen mode Exit fullscreen mode

Avoid outdated algorithms whenever possible.


11. Monitor SSH Logs

Security requires visibility.

Check authentication events:

Debian / Ubuntu:

sudo journalctl -u ssh
Enter fullscreen mode Exit fullscreen mode

or:

sudo cat /var/log/auth.log
Enter fullscreen mode Exit fullscreen mode

Look for:

  • repeated login failures,
  • unknown usernames,
  • unusual login times,
  • unexpected successful sessions.

12. Add Multi-Factor Authentication

SSH keys are strong, but MFA provides another security layer.

Possible solutions:

  • TOTP applications,
  • hardware security keys,
  • FIDO2 devices.

For critical servers, MFA should be considered mandatory.


SSH Hardening Checklist

Before exposing a Linux server:

✅ Update OpenSSH
✅ Disable root login
✅ Use SSH keys
✅ Disable password authentication
✅ Configure firewall
✅ Install Fail2Ban
✅ Restrict SSH users
✅ Remove weak algorithms
✅ Monitor logs
✅ Enable MFA


Final Thoughts

SSH is not insecure by design.

Most successful attacks happen because of:

  • weak passwords,
  • poor configuration,
  • outdated systems,
  • excessive permissions.

A hardened SSH configuration is one of the first steps in building a secure Linux server.

Security is not a single setting. It is a continuous process of improving, monitoring, and reducing risk.


About NetBe

NetBe publishes practical guides about Linux administration, cybersecurity, server hardening, cloud computing, and modern infrastructure.

More technical articles:

https://netbe.pl

Top comments (0)