Hardening SSH access on Linux servers: Best practices

Hardening SSH Access: Best Practices for Linux Server Security

Securing the Secure Shell (SSH) service is the most critical step in protecting a Linux server from unauthorized access. Since SSH is the primary gateway for remote administration, it is frequently targeted by automated brute-force attacks and credential stuffing bots. Below are the essential configurations to harden your SSH environment.

1. Disable Password Authentication

Passwords are susceptible to dictionary attacks and leaks. Transitioning to public-key authentication is the single most effective way to improve security. By requiring a private key pair, you ensure that even if an attacker discovers your username, they cannot gain access without the physical key file.

# Edit /etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes

2. Disable Root Login

The root user is a universal target. By disabling root login, you force attackers to guess a valid username first, adding a layer of obfuscation. Administrative tasks should be performed using a standard user account with sudo privileges.

# Edit /etc/ssh/sshd_config
PermitRootLogin no

3. Change the Default Port

While security through obscurity is not a replacement for strong authentication, moving SSH from the default port 22 to a custom, non-standard high port significantly reduces the noise from automated botnets scanning for vulnerabilities.

# Edit /etc/ssh/sshd_config
Port 2222

4. Limit User Access

If only specific users require remote access, explicitly define them in the configuration file. This prevents other system service accounts from being used to log in via SSH.

# Edit /etc/ssh/sshd_config
AllowUsers your_username admin_user

5. Implement Fail2Ban

Fail2Ban is a daemon that monitors system logs for repeated failed authentication attempts. When a threshold is met, it automatically updates firewall rules (iptables or nftables) to ban the attacker’s IP address for a specified duration.

# Install Fail2Ban
sudo apt install fail2ban -y
# Configuration snippet for jail.local
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Key Takeaways for System Administrators

• Always test your configuration changes with the sshd -t command before restarting the service to ensure there are no syntax errors.
• Keep your SSH daemon updated to the latest stable version to patch known CVEs.
• Consider using SSH certificates or hardware security keys (like Yubikeys) for multi-factor authentication if you are managing high-security environments.
• Always keep at least one active, authenticated SSH session open while applying changes so you do not lock yourself out of the server.