Introduction
Did you know that 61% of all cyber attacks in 2026 are caused by weak passwords and brute force attacks on servers? By following this tutorial, you will build a secure SSH server that protects your Linux system from such attacks. This matters in 2026 because, with the rise of remote work and cloud computing, the risk of cyber attacks has increased exponentially. To get started, you will need:
- A Linux distribution (such as Ubuntu or Arch Linux)
- A basic understanding of Linux commands and SSH
- A computer or virtual machine with internet access
Table of Contents
- Introduction
- Step 1 — Configure SSH Server
- Step 2 — Set Up Public Key Authentication
- Step 3 — Limit SSH Access
- Step 4 — Install Fail2Ban
- Step 5 — Configure Fail2Ban
- Real-World Usage
- Real-World Application
- Conclusion
- Your Turn
Step 1 — Configure SSH Server
Configuring the SSH server is the first step in securing your Linux system. This step matters because it sets the foundation for all subsequent security measures. To configure the SSH server, run the following command:
sudo nano /etc/ssh/sshd_config
This will open the SSH configuration file in the nano editor. Update the file to include the following lines:
Port 2222
PermitRootLogin no
X11Forwarding no
Save and close the file, then restart the SSH service:
sudo systemctl restart ssh
Expected output:
ssh restart done
Step 2 — Set Up Public Key Authentication
Public key authentication is a secure way to access your SSH server without using passwords. This step matters because it eliminates the risk of brute force attacks on your password. To set up public key authentication, generate a public-private key pair on your local machine using the following command:
ssh-keygen -t rsa -b 4096
This will create a public-private key pair in the ~/.ssh directory. Copy the public key to your SSH server using the following command:
ssh-copy-id -p 2222 user@server-ip
Replace user with your username and server-ip with your server's IP address.
Step 3 — Limit SSH Access
Limiting SSH access is crucial to prevent unauthorized access to your server. This step matters because it reduces the attack surface of your server. To limit SSH access, create a new user group and add your user to it:
sudo groupadd sshusers
sudo usermod -aG sshusers user
Replace user with your username. Then, update the SSH configuration file to only allow access to members of the sshusers group:
sudo nano /etc/ssh/sshd_config
Add the following line to the file:
AllowGroups sshusers
Save and close the file, then restart the SSH service:
sudo systemctl restart ssh
Step 4 — Install Fail2Ban
Fail2Ban is a software that monitors your server's logs for signs of brute force attacks and bans the offending IP addresses. This step matters because it provides an additional layer of security against attacks. To install Fail2Ban, run the following command:
sudo pacman -S fail2ban
On Arch Linux, or
sudo apt-get install fail2ban
on Ubuntu-based systems.
Step 5 — Configure Fail2Ban
Configuring Fail2Ban is essential to ensure it works correctly. This step matters because it sets up the rules for banning IP addresses. To configure Fail2Ban, create a new configuration file:
sudo nano /etc/fail2ban/jail.local
Add the following lines to the file:
[ssh]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Save and close the file, then restart the Fail2Ban service:
sudo systemctl restart fail2ban
Expected output:
fail2ban restart done
Real-World Usage
Now that you have set up a secure SSH server, you can use it to access your server from anywhere. For example, you can use the following command to connect to your server:
ssh -p 2222 user@server-ip
Replace user with your username and server-ip with your server's IP address.
Real-World Application
This secure SSH server setup can be used in various real-world scenarios, such as:
- Hosting a web application on a cloud server, where security is crucial to prevent data breaches. Consider using a VPN service like NordVPN (68% off + 3 months free) to add an extra layer of security.
- Creating a remote development environment, where multiple developers need to access the server securely. You can host your server on a cloud platform like Vultr Cloud (Get $100 free credit to host your apps) and use the secure SSH setup to access it.
Conclusion
In this tutorial, you have built a secure SSH server that protects your Linux system from brute force attacks. The three key takeaways from this tutorial are:
- Configuring the SSH server to use a non-standard port and disabling root login.
- Setting up public key authentication to eliminate the risk of password-based attacks.
- Installing and configuring Fail2Ban to monitor and ban IP addresses that attempt to brute force your server. Next, you can build on this setup by implementing additional security measures, such as two-factor authentication and regular security audits.
💬 Your Turn
Have you automated server security before? What was your approach? Drop it in the comments — I read every one.
💡 Found this helpful?
If this tutorial saved you time or solved a problem, consider:
Every coffee keeps me writing free tutorials like this one!
This article was written with AI assistance and reviewed for technical accuracy.
Part of the **Linux & Security Deep Dives* series — Follow for more free tutorials*
#aBotWroteThis
Top comments (0)