Why SSH Security Is Non-Negotiable
SSH (Secure Shell) is the primary way administrators access Linux servers remotely. It's also one of the most targeted attack vectors on the internet. Automated bots continuously scan the internet for open port 22 and attempt credential-based attacks within minutes of a new server going live. Hardening SSH isn't optional — it's one of the first things you should do on any new server.
1. Disable Root Login
The root account has unlimited privileges and exists on every Linux system, making it an obvious target. Disabling direct root SSH login forces attackers to know both a valid username and crack the password.
In /etc/ssh/sshd_config:
PermitRootLogin noAlways ensure you have a sudo-capable user account before applying this change.
2. Use SSH Key Authentication — And Disable Passwords
SSH keys use asymmetric cryptography, making them vastly more secure than passwords. A 4096-bit RSA key or an Ed25519 key is effectively brute-force-proof with current computing.
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickeyAfter disabling password auth, test key login in a separate session before closing your existing connection.
3. Change the Default Port
Changing SSH from the default port 22 won't stop a determined attacker, but it eliminates the bulk of automated scanning noise, which significantly cleans up your logs and reduces exposure.
Port 2222Remember to update your firewall rules and inform your team before making this change.
4. Use a Modern Key Algorithm
When generating SSH keys, prefer Ed25519 over older RSA or DSA algorithms. Ed25519 keys are shorter, faster, and considered cryptographically stronger.
ssh-keygen -t ed25519 -C "your-email@example.com"If you must use RSA for compatibility reasons, use at least 4096 bits.
5. Restrict Login to Specific Users
Use the AllowUsers directive to create an explicit whitelist of accounts permitted to log in via SSH:
AllowUsers deployer adminYou can also use AllowGroups sshusers for more flexible group-based management.
6. Set an Idle Timeout
Unattended SSH sessions are a security risk. Configure automatic disconnection for idle connections:
ClientAliveInterval 300
ClientAliveCountMax 2This disconnects a session after approximately 10 minutes of inactivity (300 seconds × 2 checks).
7. Enable and Configure Fail2Ban
Fail2Ban reads SSH logs and automatically bans IPs after repeated failed login attempts. Install and configure it to protect against brute-force attacks:
sudo apt install fail2ban
# In /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = 2222
maxretry = 5
bantime = 36008. Restrict SSH Access by IP at the Firewall Level
If your administrative IPs are predictable (a home IP, a VPN range, an office subnet), the most effective control is only allowing SSH connections from those IPs at the firewall:
sudo ufw allow from 203.0.113.0/24 to any port 2222This means that even if every other protection fails, an attacker from an unknown IP can't reach the SSH port at all.
Apply Changes and Verify
After editing sshd_config, always validate the syntax before reloading:
sudo sshd -t # test configuration
sudo systemctl reload sshdKeep your current session open and test the new configuration in a second terminal window to avoid locking yourself out.
Summary
SSH hardening is a layered defense. No single measure is perfect, but combining key-only auth, a non-default port, firewall IP restrictions, and active intrusion prevention creates an extremely robust barrier against unauthorized access.