If your server is connected to the internet, automated bots are already trying to access it.
One of the easiest ways to improve server security is to stop relying on passwords and switch to SSH keys. Combined with Fail2ban, this can drastically reduce the risk of brute force attacks.
In this guide, we'll secure SSH on Ubuntu 26.04 by:
- Using SSH key authentication
- Disabling root login
- Disabling password authentication
- Installing Fail2ban
Introduction
Password based SSH logins are a common target for automated attacks.
Even strong passwords can eventually become a liability, especially when attackers can attempt thousands of logins from different IP addresses.
SSH keys provide a much stronger authentication method, while Fail2ban automatically blocks repeated login failures.
Step 1: Update the Server
sudo apt update
sudo apt upgrade -y
Step 2: Generate an SSH Key Pair
On your local computer:
ssh-keygen -t ed25519 -C "ubuntu-server"
Accept the default location and optionally set a passphrase.
This creates:
~/.ssh/id_ed25519
~/.ssh/id_ed25519.pub
Step 3: Copy the Public Key to the Server
ssh-copy-id username@server_ip
Example:
ssh-copy-id admin@203.0.113.10
Step 4: Verify Key Authentication
Open a new terminal window and connect:
ssh username@server_ip
If login works without asking for the server password, SSH keys are working correctly.
Keep your existing SSH session open until testing is complete.
Step 5: Create a Custom SSH Security Configuration
Ubuntu 26.04 supports configuration snippets through the sshd_config.d directory.
Create a new file:
sudo nano /etc/ssh/sshd_config.d/99-security.conf
Add:
Port 52525
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Note: We have set PermitRootLogin no be caution with that. You need to have normal user access. We are changing SSH port number, add it in firewall first.
Step 6: Validate the Configuration
Before restarting SSH:
sudo sshd -t
If no output appears, the configuration is valid.
Step 7: Restart SSH
sudo systemctl restart ssh
Verify status:
sudo systemctl status ssh
Test SSH access from another terminal:
ssh username@server_ip
Password authentication should no longer work.
Step 8: Install Fail2ban
Install Fail2ban:
sudo apt install fail2ban -y
Enable and start the service:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Check status:
sudo systemctl status fail2ban
Step 9: Configure Fail2ban
Create a local configuration file:
sudo nano /etc/fail2ban/jail.local
Add:
[sshd]
enabled = true
port = ssh
backend = systemd
maxretry = 5
findtime = 10m
bantime = 1h
Restart Fail2ban:
sudo systemctl restart fail2ban
Step 10: Verify Protection
View active jails:
sudo fail2ban-client status
View SSH jail details:
sudo fail2ban-client status sshd
Monitoring SSH Activity
View SSH logs:
sudo journalctl -u ssh -f
View Fail2ban activity:
sudo journalctl -u fail2ban -f
Final Checklist
Before considering your SSH setup secure, verify:
- SSH keys are working
- Root login is disabled
- Password authentication is disabled
- SSH configuration validates successfully
- Fail2ban is running
- Updates are installed regularly
Conclusion
SSH is one of the most exposed services on a Linux server, making it a frequent target for automated attacks.
By switching to SSH keys, disabling password authentication, and deploying Fail2ban, you add several layers of protection with very little effort.
These changes take only a few minutes to implement but can significantly improve the security of any Ubuntu 26.04 server.
Originally published on HostnExtra.
We regularly publish practical guides on Linux administration, dedicated servers, networking, infrastructure security, and hosting performance.
Read the full version here:
Secure SSH on Ubuntu 26.04 with Key Authentication and Fail2ban - HostnExtra
Learn how to secure SSH on Ubuntu 26.04 using SSH key authentication and Fail2ban. Disable password logins, block brute force attacks, and strengthen your server security.
hostnextra.com
Top comments (0)