João Pedro

Basic Server Hardening for Ubuntu/Debian: SSH Access and Firewall

Contrary to what many tutorials suggest, simply changing the SSH port or installing Fail2Ban is not enough. This documentation shows the exact steps to harden the security of an Ubuntu/Debian server by configuring key-based authentication, disabling insecure defaults, and reducing the attack surface.

Author: joaoprd | joaopedrord2001@gmail.com

Create a Secure Administrator User

Create a user with sudo privileges:

adduser whiterose
usermod -aG sudo whiterose

The user whiterose will be the only one authorized to connect via SSH after hardening.

Generate Public Key and Manually Configure SSH Login

Public key authentication avoids the use of passwords and is essential for a secure server. This step will be done manually, without using ssh-copy-id.

On the Client

Generate the RSA key pair (if it doesn’t already exist):

ssh-keygen -t rsa -b 4096 -C "whiterose@server"

Press Enter to accept the default path (~/.ssh/id_rsa) and, if desired, set a passphrase for the private key.

The generated keys:

Private: ~/.ssh/id_rsa → must never leave the client
Public: ~/.ssh/id_rsa.pub → will be copied to the server

Display the contents of the public key:

cat ~/.ssh/id_rsa.pub

Copy the displayed content (starts with ssh-rsa).

On the Server

Create the .ssh directory for the user whiterose (if it doesn’t exist):

sudo mkdir -p /home/whiterose/.ssh
sudo chown whiterose:whiterose /home/whiterose/.ssh
sudo chmod 700 /home/whiterose/.ssh

Create (or edit) the authorized_keys file:

sudo vim /home/whiterose/.ssh/authorized_keys

Paste the public key copied from the client.

Set the correct permissions:

sudo chown whiterose:whiterose /home/whiterose/.ssh/authorized_keys
sudo chmod 600 /home/whiterose/.ssh/authorized_keys

From now on, the user whiterose will be able to connect via SSH using the private key corresponding to the uploaded public key.

Disable root login and password authentication in SSH

On the Ubuntu/Debian server, edit the SSH configuration file:

sudo vim /etc/ssh/sshd_config

Modify or add the following lines:

PermitRootLogin no
PasswordAuthentication no

Restart the SSH service:

sudo systemctl restart ssh

!!! Only do this after confirming that public key access is working for the user whiterose !!!
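
The two directives above only take effect if no earlier line sets the same keyword: sshd uses the first value it reads, and on recent Ubuntu/Debian releases the stock sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top. The following check is an added example, not part of the original post; the function names, file names and sample contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: which value does sshd actually use for a keyword?
# sshd keeps the FIRST value it reads, so files included earlier win.

# effective_value KEYWORD FILE...
# Print the first global value of KEYWORD across FILEs, read in the given order.
# Simplification: everything after a Match line in a file is conditional, so skip it.
effective_value() {
    local keyword=$1; shift
    awk -v kw="$keyword" '
        BEGIN                  { kw = tolower(kw) }
        FNR == 1               { cond = 0 }          # new file: global scope again
        /^[ \t]*(#|$)/         { next }              # comments and blank lines
        tolower($1) == "match" { cond = 1 }
        cond                   { next }
        tolower($1) == kw      { print tolower($2); exit }
    ' "$@"
}

# audit_sshd FILE...
# Succeed only if both settings from the article are the effective ones.
audit_sshd() {
    local rc=0 kw val
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(effective_value "$kw" "$@")
        if [ "$val" = "no" ]; then
            echo "ok:   $kw no"
        else
            echo "FAIL: $kw is effectively '${val:-unset, sshd default applies}'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a drop-in that is read before the lines added to sshd_config.
demo() {
    local d rc=0
    d=$(mktemp -d)
    printf 'PasswordAuthentication yes\n' > "$d/50-dropin.conf"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$d/sshd_config"
    audit_sshd "$d/50-dropin.conf" "$d/sshd_config" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true   # reports FAIL for PasswordAuthentication: the drop-in wins
```

On a live server, sudo sshd -T prints the effective configuration that sshd itself resolves, and sudo sshd -t validates the files before you restart the service.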

Enable Firewall (UFW)

Install and activate UFW:

sudo apt update && sudo apt install -y ufw
sudo ufw allow OpenSSH
sudo ufw --force enable

With UFW's default policy, all other incoming connections will be blocked. Only SSH (port 22) will be accessible.

Fix Permissions of Sensitive Files

Adjust permissions of the /etc/shadow file:

sudo chmod 640 /etc/shadow

This ensures that only root and the shadow group have read access to the password hashes.

Install and Configure Fail2Ban (Protection Against Brute Force Attacks)

Fail2Ban monitors authentication logs and automatically blocks IPs that attempt malicious access to the server. Even with key-based authentication, it is important to protect the server against scanners and brute force attempts.

Installation

sudo apt update && sudo apt install -y fail2ban

Basic Configuration

Fail2Ban comes with default settings, but it’s recommended to create a local configuration file for customization (to avoid conflicts during updates):

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vim /etc/fail2ban/jail.local

Recommended Adjustments (in jail.local)

In the [DEFAULT] section, modify existing fields or add the following:

[DEFAULT]
# ignoreip: space-separated IPs/networks that will never be banned.
# Loopback is shown as an example value; add your own trusted addresses.
ignoreip = 127.0.0.1/8 ::1
bantime = 1h
maxretry = 3
findtime = 10m

Restart Fail2Ban

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban

Check the logs

sudo tail -f /var/log/fail2ban.log

Conclusion

By following these steps, you ensure basic, effective protection for your Ubuntu/Debian server. Using SSH keys, disabling root login, enabling the firewall, and configuring Fail2Ban help prevent common attacks and make your system more secure.
