Mastering SSH Security: A Practical Guide to Hardening Your Linux Server
Secure Shell (SSH) is the backbone of remote Linux administration. It’s the primary gateway for managing servers, deploying applications, and performing critical maintenance. However, a default SSH configuration can leave your server vulnerable to unauthorized access and brute-force attacks. Hardening your SSH setup is not just a best practice—it’s an essential layer of security.
This guide provides actionable steps to lock down your SSH service, transforming it from a potential liability into a secure fortress.
1. Disable Direct Root Login
Allowing direct login for the root user is one of the most significant security risks. The root username is a universal target for attackers. If they can guess your root password, they gain complete control of your system.
The best practice is to log in as a standard user and then elevate your privileges using sudo when necessary. This creates an audit trail and adds an extra layer of protection.
To disable root login, edit the main SSH configuration file:
sudo nano /etc/ssh/sshd_config
Find the line PermitRootLogin and change its value to no:
PermitRootLogin no
This is a non-negotiable first step for any production server.
2. Use SSH Key Authentication
Passwords can be cracked, phished, or accidentally exposed. SSH keys, on the other hand, use public-key cryptography to provide a much more secure method of authentication. A private key stays securely on your local machine, while the corresponding public key is placed on the server. The server uses the public key to verify a signature generated by your private key, granting access without ever transmitting a secret over the network.
SSH key authentication is the gold standard for secure remote access. Once you have configured SSH keys for all necessary users, you can and should disable password authentication entirely.
In your sshd_config file, set the following:
PasswordAuthentication no
This change completely removes password-based login attempts as a possible attack vector.
3. Change the Default SSH Port
By default, SSH listens on port 22. Every automated scanner and malicious bot on the internet is programmed to hammer this port with login attempts. While changing the port is not a foolproof security measure on its own—a determined attacker can scan all ports—it effectively hides your server from low-effort, automated attacks.
This simple change can dramatically reduce the noise in your security logs. Choose a non-standard port number (e.g., above 1024, like 2222 or 49188).
To change the port, modify the Port directive in sshd_config:
Port 2222
Crucially, remember to update your firewall rules to allow traffic on the new port before you restart the SSH service, or you will lock yourself out.
4. Implement a Firewall
A properly configured firewall is a fundamental security requirement. It acts as a gatekeeper, ensuring that only traffic to specifically allowed ports can reach your server. For Linux, UFW (Uncomplicated Firewall) is a user-friendly tool for managing firewall rules.
First, allow traffic on your new custom SSH port:
sudo ufw allow 2222/tcp
Then, enable the firewall:
sudo ufw enable
Always configure a firewall to restrict access to only the services that need to be publicly available. Deny all other incoming traffic by default.
5. Limit User Access with AllowUsers
Not every user account on your server needs SSH access. The principle of least privilege dictates that you should only grant access to those who absolutely require it. You can explicitly define which users are permitted to log in via SSH.
Add an AllowUsers line to your sshd_config file, followed by a space-separated list of usernames:
AllowUsers userone usertwo
This ensures that only userone and usertwo can attempt an SSH login, blocking all other system and user accounts.
6. Mitigate Brute-Force Attacks with Fail2Ban
Even with strong security measures, your server may still be targeted by brute-force attacks. Fail2Ban is an invaluable tool that monitors log files for malicious activity, such as repeated failed login attempts. When it detects a suspicious pattern from a specific IP address, it automatically updates your firewall rules to block that IP for a configured period.
Installing and configuring Fail2Ban is a proactive way to automatically block malicious IP addresses before they can cause harm. It’s a simple, effective defense against automated password-guessing attacks.
7. Configure an Idle Timeout
An open SSH session on an unattended computer is a security risk. If the machine is compromised, the attacker gains immediate access to your server. You can configure SSH to automatically disconnect idle sessions after a specific period.
Set the following values in your sshd_config file:
ClientAliveInterval 300
ClientAliveCountMax 2
This configuration will check for client activity every 300 seconds (5 minutes). If the client is unresponsive after two checks (a total of 10 minutes), the server will automatically terminate the inactive session.
Finalizing Your Changes
After making any modifications to /etc/ssh/sshd_config, you must save the file and restart the SSH service for the changes to take effect.
On systems using systemd (most modern Linux distributions):
sudo systemctl restart sshd
Important Tip: Before logging out, always test your new configuration by opening a new terminal window and attempting to log in. This ensures you haven’t accidentally locked yourself out of your own server.
By implementing these essential hardening techniques, you significantly enhance the security of your Linux server, protecting your data and resources from the most common threats.
Source: https://www.tecmint.com/ssh-security-linux-tips/
