The Complete Guide to SSH and Hardening Linux Servers in 2026
SSH is the foundation of server administration, and server hardening is non-negotiable for any production infrastructure. Any SSH port reachable from the internet is probed and brute-forced around the clock by automated tooling, so getting the basics of SSH security right matters more than ever.
Here's the practical guide.
SSH Key Management
# Generate a strong key
ssh-keygen -t ed25519 -C "your_email@example.com"
# Or RSA if needed
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
# Copy to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server
# Or manually. The chmod steps matter: with StrictModes (the default) sshd ignores a ~/.ssh or authorized_keys that is group- or world-writable
cat ~/.ssh/id_ed25519.pub | ssh user@server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
SSH Config for Easy Access
# ~/.ssh/config
Host prod-server
HostName 203.0.113.45
User admin
# Must match the Port set in sshd_config below
Port 2222
IdentityFile ~/.ssh/id_ed25519
AddKeysToAgent yes
# Leave agent forwarding off: anyone with root on the remote host can use your agent while you are connected. Use ProxyJump for multi-hop access instead
ForwardAgent no
Host staging
HostName 203.0.113.78
User ubuntu
IdentityFile ~/.ssh/id_ed25519
# Then just: ssh prod-server
SSH Hardening
# /etc/ssh/sshd_config
# Disable password authentication (use keys only!)
PasswordAuthentication no
PermitRootLogin no
# Only allow specific users
AllowUsers alice bob
# Changing the port is not a security control (a scanner checks all 65535 ports); it only cuts log noise from mass scanners. Open the new port in the firewall before restarting sshd
Port 2222
# Disable empty passwords
PermitEmptyPasswords no
# Disable unused authentication methods
# ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication in OpenSSH 8.7; set both on a mixed fleet. Leave keyboard-interactive enabled if you rely on PAM-based MFA
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
# Drop dead connections: after 300 s without data the server probes the client and disconnects after 2 unanswered probes (a responsive idle client is not logged out)
ClientAliveInterval 300
ClientAliveCountMax 2
# Abort logins that have not authenticated within 60 s
LoginGraceTime 60
# Logging
LogLevel VERBOSE
# Validate the config, then restart. Keep your current session open and test a fresh login before closing it
sudo sshd -t && sudo systemctl restart sshd
# Ubuntu 24.04 socket-activates sshd; after changing Port also run:
# sudo systemctl daemon-reload && sudo systemctl restart ssh.socket
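The reliable way to confirm these settings took effect is to ask sshd what it will actually enforce rather than grepping the file: `sshd -T` prints the effective configuration after Include files and defaults are resolved, with keys lowercased (so the old ChallengeResponseAuthentication shows up as kbdinteractiveauthentication). The script below is an added example written for this article, not part of the original; it reads `sshd -T` output from stdin and compares it with a baseline that mirrors the settings above plus two extras (pubkeyauthentication, maxauthtries) chosen here as an assumption.

```shell
#!/usr/bin/env bash
# audit_sshd.sh: check the *effective* sshd configuration against a baseline.
# Feed it `sshd -T` output, not /etc/ssh/sshd_config, so Include'd files,
# Match blocks and compiled-in defaults are all accounted for.
# Baseline values below are this example's own policy (an assumption).

# Read `sshd -T` text on stdin, print one line per baseline key, and return the
# number of keys that are missing or differ from the baseline (0 = compliant).
audit_sshd_config() {
  local config failures key want got
  config=$(cat)
  failures=0
  while IFS='=' read -r key want; do
    # First line whose key matches; drop the key, keep the (possibly multi-word) value.
    got=$(printf '%s\n' "$config" | awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
    if [ -z "$got" ]; then
      printf 'MISSING  %-30s want %s\n' "$key" "$want"
      failures=$((failures + 1))
    elif [ "$got" != "$want" ]; then
      printf 'FAIL     %-30s is %s, want %s\n' "$key" "$got" "$want"
      failures=$((failures + 1))
    else
      printf 'ok       %-30s %s\n' "$key" "$got"
    fi
  done <<'EOF'
passwordauthentication=no
permitrootlogin=no
permitemptypasswords=no
pubkeyauthentication=yes
kbdinteractiveauthentication=no
loglevel=VERBOSE
maxauthtries=3
EOF
  return "$failures"
}

# Usage on a host (root is needed because sshd -T loads the host keys):
#   sudo sshd -T | audit_sshd_config
# To see what one particular client would get once Match blocks apply:
#   sudo sshd -T -C user=alice,host=web1,addr=203.0.113.9 | audit_sshd_config
```

Run it from a deploy pipeline or a cron job and alert on a non-zero exit; the `-C` form is the one that catches a permissive `Match Address` block that a plain read of the file would miss.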
Fail2ban (Brute Force Protection)
sudo apt install fail2ban
# /etc/fail2ban/jail.local
[DEFAULT]
# 3 failures within 10 minutes (findtime) from one IP earn a 1 hour ban
bantime = 3600
findtime = 600
maxretry = 3
[sshd]
enabled = true
port = 2222
filter = sshd
# On systemd-only hosts without rsyslog there is no /var/log/auth.log; read the journal instead:
# backend = systemd
logpath = /var/log/auth.log
# Enable and start, then verify the jail is running and the filter matches your log format
sudo systemctl enable --now fail2ban
sudo fail2ban-client status sshd
sudo fail2ban-regex /var/log/auth.log sshd
UFW Firewall
# Basic firewall setup
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit 2222/tcp # SSH (custom port); 'limit' also drops an IP that opens 6+ connections in 30 s
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
sudo ufw status
Automated Security Updates
# Install unattended-upgrades
sudo apt install unattended-upgrades
# Configure (writes /etc/apt/apt.conf.d/20auto-upgrades, which turns on the daily run)
sudo dpkg-reconfigure -plow unattended-upgrades
# Or manually edit
# /etc/apt/apt.conf.d/50unattended-upgrades
# Automatic-Reboot restarts the host unattended when a kernel or libc update needs it; on production either accept that at the set time or leave it false and reboot in a maintenance window
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
# Dry run to see what would be installed without changing anything
sudo unattended-upgrade --dry-run --debug
SSH Certificates (For Large Fleets)
# On the CA machine (keep it offline), create separate CA keys for hosts and for users
ssh-keygen -t ed25519 -C host-ca@company.com -f host_ca
ssh-keygen -t ed25519 -C user-ca@company.com -f user_ca
# Sign a host key (-h). Principals (-n) are the names clients connect to; always set a validity (-V)
ssh-keygen -s host_ca -I host@server -h -n server.example.com -V +52w /etc/ssh/ssh_host_ed25519_key.pub
# Sign a user key. Principals are the login names the cert may use; keep user certs short-lived
ssh-keygen -s user_ca -I alice -n alice -V +8h ~/.ssh/id_ed25519.pub
# Distribute only the CA *public* keys. A server presents its host cert and trusts user certs from user_ca (copy user_ca.pub to the path below):
# /etc/ssh/sshd_config
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys
# Clients trust host certs from host_ca, in ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts (paste the contents of host_ca.pub after the host pattern):
# @cert-authority *.example.com <contents of host_ca.pub>
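Before a user certificate is handed out it is worth checking what it actually grants and who signed it, since a cert with the wrong principals or a CA mix-up is a silent authorization bug. The script below is an added example for this article, not code from the original post; it issues a short-lived user certificate from a throwaway CA and then verifies its principals and signing CA offline by parsing `ssh-keygen -L`. The names (user_ca, alice, admin) are this example's own choices.

```shell
#!/usr/bin/env bash
# ssh_cert_check.sh: issue a user certificate and verify, offline, what it grants.

# Issue a user certificate. $1 CA private key, $2 user public key, $3 key ID
# (sshd logs it on login), $4 comma-separated principals (login names the cert
# may use), $5 validity such as +8h. Prints the path of the certificate that
# ssh-keygen writes next to the public key (<name>-cert.pub).
issue_user_cert() {
  ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "$5" "$2" || return 1
  printf '%s\n' "${2%.pub}-cert.pub"
}

# Print the principals embedded in a certificate, comma-separated. `ssh-keygen -L`
# lists them one per indented line between "Principals:" and "Critical Options:".
cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    /^ *Principals:/       { p = 1; next }
    /^ *Critical Options:/ { p = 0 }
    p { gsub(/^ +/, ""); out = out (out ? "," : "") $0 }
    END { print out }'
}

# Succeed only if the certificate was signed by the CA whose public key is $2:
# compare the "Signing CA" SHA256 fingerprint in the cert with the key's own.
cert_signed_by() {
  local cert_fp ca_fp
  cert_fp=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ { print $4 }')
  ca_fp=$(ssh-keygen -lf "$2" | awk '{ print $2 }')
  [ -n "$cert_fp" ] && [ "$cert_fp" = "$ca_fp" ]
}

# End-to-end demo: throwaway CA and user key in a temp dir, issue an 8 hour cert
# for principals alice and admin, dump it for the operator, print its path.
demo_issue_and_verify() {
  local dir cert
  dir=$(mktemp -d) || return 1
  ssh-keygen -q -t ed25519 -N '' -C user-ca@company.com -f "$dir/user_ca"
  ssh-keygen -q -t ed25519 -N '' -C alice@laptop -f "$dir/id_ed25519"
  cert=$(issue_user_cert "$dir/user_ca" "$dir/id_ed25519.pub" alice alice,admin +8h) || return 1
  ssh-keygen -L -f "$cert" >&2   # human-readable dump: key ID, principals, validity, signing CA
  printf '%s\n' "$cert"
}

# Usage: source this file, then
#   cert=$(demo_issue_and_verify); cert_principals "$cert"; cert_signed_by "$cert" "$(dirname "$cert")/user_ca.pub"
```

The same two checks apply to certificates produced by a real signing service: principals should be exactly the accounts the requester is entitled to, and the signing fingerprint should be the user CA's, never the host CA's or a developer's key.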