The latest articles on DEV Community by Soumitra Roy (@sou). https://dev.to/sou https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3956538%2F0c828128-5bac-4e77-a114-66d69597ee71.png https://dev.to/sou en Soumitra Roy Thu, 28 May 2026 14:23:15 +0000 https://dev.to/sou/ssh-hardening-on-linux-what-most-tutorials-skip-3585 https://dev.to/sou/ssh-hardening-on-linux-what-most-tutorials-skip-3585 <p>Most tutorials on SSH hardening stop at changing the default port and blocking root access. Sure, that helps, but it barely scratches the surface. Attackers usually look for the less obvious misconfigurations to gain entry.<br> This isn't a beginner checklist. It assumes you already know your way around sshd_config, so let's skip the basics and look at what actually stops an attack.<br> Disable Password Authentication Entirely<br> Leaving password authentication enabled alongside SSH keys leaves the door open for credential stuffing. Once an attacker finds a valid username, they will brute-force it. Force public key authentication only.<br> PasswordAuthentication no<br> AuthenticationMethods publickey<br> Restrict Cryptographic Algorithms<br> Out of the box, SSH on many Linux distributions will happily negotiate weak, outdated algorithms. You need to explicitly define what is acceptable.<br> KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512<br> Ciphers <a href="mailto:chacha20-poly1305@openssh.com">chacha20-poly1305@openssh.com</a>,<a href="mailto:aes256-gcm@openssh.com">aes256-gcm@openssh.com</a><br> MACs <a href="mailto:hmac-sha2-512-etm@openssh.com">hmac-sha2-512-etm@openssh.com</a><br> Always run ssh -Q kex to verify what your current version supports before you edit.<br> Drop Idle Connections<br> An open but inactive session is an open door for anyone walking by. To drop dead or unresponsive connections, set a strict timeout rule in your sshd_config:<br> ClientAliveInterval 300<br> ClientAliveCountMax 2<br> This cuts unresponsive connections after 10 minutes. However, to drop a true idle session (when a user simply walks away from their keyboard), you need to enforce a shell timeout. Add this to your shell profile (e.g., /etc/profile or .bashrc):<br> TMOUT=600<br> readonly TMOUT<br> export TMOUT<br> Simple fix. Almost nobody does it.<br> Tighten Who Can Even Connect<br> System-level user management won't cut it. Use the native allowlist capabilities of sshd. While AllowUsers supports CIDR notation directly (AllowUsers <a href="mailto:deploy@192.168.1.0">deploy@192.168.1.0</a>/24), a Match block is often cleaner for complex rules:<br> Match Address 192.168.1.0/24<br> AllowUsers deploy<br> IP wildcards like AllowUsers <a href="mailto:deploy@192.168.1">deploy@192.168.1</a>.* work too. Same logic applies to AllowGroups.<br> Turn Off Unnecessary Forwarding<br> TCP and Agent forwarding are enabled by default. Turn them off. Leaving Agent forwarding running on a shared host is a massive risk — any remote process with root privileges can hijack your local SSH agent.<br> AllowAgentForwarding no<br> AllowTcpForwarding no<br> X11Forwarding no<br> Test Before You Reload<br> Never restart sshd blindly after making changes. Always validate the syntax first using root privileges:<br> sudo sshd -t<br> Keep your current SSH window open and start a new connection to test. Once you are sure the new configuration works, use reload instead of restart:<br> sudo systemctl reload sshd<br> Locking yourself out of your own remote box because of a typo is a headache you only want to experience once.</p> security linux devops tutorial