Introduction
Secure Shell (SSH) is the backbone of Linux server administration.
Because it provides direct remote access, SSH is also a prime attack target for bots, scanners, and brute-force attempts.
In this guide, you'll learn:
- how to secure SSH access using public key authentication
- how to harden the SSH daemon configuration
- how to use Fail2ban to block brute-force attacks
- additional best practices to reduce exposure and risk
1. Use SSH Keys Instead of Passwords
Password authentication is easy to set up, but it is the weakest option: every account is only as strong as its password.
SSH keys are far stronger and are not practically brute-forceable.
Generate a new keypair (on your client)
ssh-keygen -t ed25519 -C "your_email@example.com"
Your keys are stored in:
~/.ssh/id_ed25519 # private key
~/.ssh/id_ed25519.pub # public key
Copy your key to the server
ssh-copy-id user@server
Alternatively:
cat ~/.ssh/id_ed25519.pub | ssh user@server "umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
2. Harden SSHD Configuration
Edit the SSH daemon config:
sudo nano /etc/ssh/sshd_config
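Recommended settings:
# Modern OpenSSH speaks protocol 2 only and treats this option as deprecated
Protocol 2
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
# Deprecated alias of KbdInteractiveAuthentication in OpenSSH 8.7 and later
ChallengeResponseAuthentication no
X11Forwarding no
AllowAgentForwarding no
LoginGraceTime 30
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 2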
Reload SSH (keep your current session open until you have confirmed that a new key-based login works):
sudo systemctl reload sshd
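Editing the file does not guarantee the settings take effect: sshd uses the first value it obtains for each keyword, so an earlier line (for example from an included drop-in file) wins over a later one. The following check is an added example, not part of the original guide; the function name audit_sshd and the sample configuration are constructed for illustration.

```shell
# Added example: audit_sshd reads "keyword value" lines on stdin and reports gaps.
audit_sshd() {
    findings=$(awk '
    BEGIN {
        # Exact values from the recommended settings above.
        want["passwordauthentication"] = "no"
        want["permitrootlogin"] = "no"
        want["pubkeyauthentication"] = "yes"
        want["permitemptypasswords"] = "no"
        want["x11forwarding"] = "no"
        want["allowagentforwarding"] = "no"
        # Upper bounds from the same list (plain numbers, as sshd -T prints them).
        max["logingracetime"] = 30
        max["maxauthtries"] = 3
        max["maxsessions"] = 2
    }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    { key = tolower($1) }                    # keywords are case-insensitive
    key == "match" { exit }                  # Match blocks are conditional: stop here
    !(key in val) { val[key] = tolower($2) } # sshd keeps the first value it reads
    END {
        for (k in want) {
            if (!(k in val)) print "UNSET " k " (sshd default applies)"
            else if (val[k] != want[k]) print "FAIL " k "=" val[k] " want " want[k]
        }
        for (k in max) {
            if (!(k in val)) print "UNSET " k " (sshd default applies)"
            else if (val[k] + 0 > max[k]) print "FAIL " k "=" val[k] " want <=" max[k]
        }
    }' | sort)
    [ -z "$findings" ] && return 0
    printf "%s\n" "$findings"
    return 1
}
# Constructed sample: the first line stands in for a drop-in file read before the rest.
SAMPLE='PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
AllowAgentForwarding no
LoginGraceTime 30
MaxAuthTries 6
MaxSessions 2
Match User backupadmin
    X11Forwarding yes'
printf "%s\n" "$SAMPLE" | audit_sshd || echo "hardening gaps found"
```

On a live host, feed it the effective configuration instead of the sample: sudo sshd -T | audit_sshd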
3. Restrict Access with AllowUsers or AllowGroups
Limit SSH to specific users:
AllowUsers emre backupadmin
Or limit SSH to a group:
AllowGroups sshusers
4. Change SSH Port (Optional)
This does not replace real security, but it removes bot noise.
In /etc/ssh/sshd_config, set:
Port 2222
Then:
sudo systemctl restart sshd
Update the firewall (confirm the new port is reachable before you close your current session):
sudo ufw allow 2222/tcp
5. Enable Fail2ban to Block Brute-force Attacks
Install Fail2ban:
sudo apt install fail2ban -y # Debian/Ubuntu
sudo yum install fail2ban -y # RHEL/Rocky (requires the EPEL repository)
Enable and start:
sudo systemctl enable --now fail2ban
Configure SSH jail
Edit:
sudo nano /etc/fail2ban/jail.local
Add:
[sshd]
enabled = true
# If you moved sshd to another port in step 4, put that port here (e.g. port = 2222)
port = ssh
maxretry = 3
bantime = 1h
findtime = 10m
Restart Fail2ban:
sudo systemctl restart fail2ban
Check status:
sudo fail2ban-client status sshd
6. Additional Best Practices
Use a firewall
Only allow necessary ports:
sudo ufw allow 2222/tcp
sudo ufw enable
Disable SSH entirely if unused
For containers or specialized hosts:
sudo systemctl disable --now sshd
Use 2FA for SSH
Add a second factor with Google Authenticator or Duo.
Monitor login attempts
With system logs (on Debian/Ubuntu the unit is named ssh rather than sshd):
sudo journalctl -u sshd -f
Conclusion
SSH is extremely powerful, and equally dangerous if left unsecured.
By following this guide you significantly reduce your attack surface and protect your Linux infrastructure from automated and targeted attacks.
Need Help Securing Your Servers?
If your business relies on Linux servers, secure SSH access is non-negotiable.
At TechZ (techz.at), we help companies harden their Linux infrastructure, secure remote access, and implement best-practice server configurations.
