How to secure SSH server

Disable root login

1. Create new user useradd -m username.
2. Set password passwd username.
3. Optional: Add user to sudoers usermod -aG sudo username.
4. Edit /etc/ssh/ssh_config or /etc/ssh/sshd_config and add:

# Authentication:
PermitRootLogin no
AllowUsers username

Might need to look for other config files being included that might override this setting (grep -r "PermitRootLogin" /etc/ssh/).

Harden SSH

1. Disable empty password:

PermitEmptyPasswords no

1. Limit the number of authentication tries per connection:

MaxAuthTries 3

1. Changed to ssh version 2:

Include /etc/ssh/sshd_config.d/*.conf
Protocol 2

Disable plain text authentication

1. Connecting with SSH key:

UsePAM no
PasswordAuthentication no

ssh-keygen 

Restart SSH service

1. Restart ssh service sudo systemctl restart ssh or sudo systemctl restart sshd.

Prevent brute force attacks

1. Install fail2ban or sshguard to ban IPs that fail to authenticate after a certain number of attempts.

References

• 13 Ways to secure SSH server
• How To Set up SSH Keys on a Linux / Unix System
• sshd_config
• ssh_config
• ssh-keygen
• useradd
• passwd
• usermod
• fail2ban
• sshguard