The Ultimate Guide to SSH Hardening: Secure Your Remote Access

🔒 SSH (Secure Shell) is the backbone of remote server administration, but its default configuration is often insecure. Without proper hardening, your server could be vulnerable to brute-force attacks, unauthorized access, and exploits.

In this guide, I’ll walk you through professional-grade SSH security practices, explaining each step in detail to ensure your remote access remains both secure and functional.

🔧 Step 1: Installation & Basic Configuration

Why Start Here?

Before tweaking security settings, ensure OpenSSH is installed and running. Some Linux distributions don’t include the SSH server by default.

1. Check if SSH is Installed

ssh -V  # Shows OpenSSH version

✅ Expected Output:

OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022

If not installed, proceed to installation.

2. Install OpenSSH Server

# Debian/Ubuntu
sudo apt update && sudo apt install openssh-server -y

# RHEL/CentOS
sudo dnf install openssh-server -y

✅ What This Does:

Installs the OpenSSH server package.
Enables SSH access on port 22 (default).

3. Verify SSH Service Status

sudo systemctl status ssh  # Ubuntu
sudo systemctl status sshd # RHEL/CentOS

✅ Expected Output:

Active: active (running) means SSH is working.
If not running, start it with:

sudo systemctl start sshd && sudo systemctl enable sshd

🔐 Step 2: Hardening SSH Configuration (`sshd_config`)

Why Harden `sshd_config`?

The default SSH configuration allows password logins, root access, and weak encryption, making it an easy target for attackers.

1. Backup the Original Config (Safety First!)

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

✅ Why?

If something breaks, you can restore the original config.

2. Edit `/etc/ssh/sshd_config`

sudo nano /etc/ssh/sshd_config

Apply these critical security settings:

Setting	Value	Why?
`Port 2222`	Change from `22`	Avoids automated bots scanning port 22
`PermitRootLogin no`	Disable root login	Prevents attackers from targeting root
`PasswordAuthentication no`	Disable password login	Forces key-based auth (more secure)
`PubkeyAuthentication yes`	Enable SSH keys	Allows only authorized users
`X11Forwarding no`	Disable GUI forwarding	Reduces attack surface
`MaxAuthTries 3`	Limit login attempts	Stops brute-force attacks
`AllowUsers your_username`	Restrict access	Only allows specified users

3. Restart SSH to Apply Changes

sudo systemctl restart sshd

✅ Verify the new port is active:

ss -tulnp | grep sshd

Expected output:

tcp   LISTEN 0 128  0.0.0.0:2222  0.0.0.0:*  users:(("sshd",pid=1234,fd=3))

🔑 Step 3: Key-Based Authentication (More Secure Than Passwords)

Why Use SSH Keys?

Passwords can be cracked with brute-force attacks.
SSH keys use cryptographic authentication, making unauthorized access nearly impossible.

1. Generate SSH Keys (On Your Local Machine)

ssh-keygen -t ed25519 -a 100 -f ~/.ssh/server_access -C "your_email@example.com"

✅ Explanation:

-t ed25519: Uses modern, secure encryption.
-a 100: Adds 100 rounds of key derivation (extra security).
-f ~/.ssh/server_access: Saves the key in a custom file.

2. Copy Public Key to Server

ssh-copy-id -i ~/.ssh/server_access.pub -p 2222 user@server_ip

✅ Alternative (Manual Method):

cat ~/.ssh/server_access.pub | ssh -p 2222 user@server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

3. Test Key-Based Login

ssh -i ~/.ssh/server_access -p 2222 user@server_ip

✅ Expected Result:

If configured correctly, you’ll log in without a password.

🛡️ Step 4: Firewall Rules (Restrict SSH Access)

Why Use a Firewall?

Blocks unauthorized IPs.
Limits brute-force attacks.

UFW (Ubuntu/Debian)

sudo ufw allow 2222/tcp comment 'SSH access'
sudo ufw limit 2222/tcp  # Rate-limiting (blocks repeated attempts)
sudo ufw enable

Firewalld (RHEL/CentOS)

sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

✅ Verify Firewall Rules:

sudo ufw status  # Ubuntu
sudo firewall-cmd --list-ports  # RHEL/CentOS

🚨 Advanced Security: Fail2Ban & 2FA

1. Fail2Ban (Automatically Blocks Attackers)

sudo apt install fail2ban  # Ubuntu
sudo dnf install fail2ban  # RHEL

Configuration (/etc/fail2ban/jail.local):

[sshd]
enabled = true
port = 2222
maxretry = 3  # Blocks after 3 failed attempts
bantime = 1h  # Bans for 1 hour

2. Two-Factor Authentication (2FA) for SSH

sudo apt install libpam-google-authenticator
google-authenticator  # Follow setup instructions

Edit /etc/ssh/sshd_config:

AuthenticationMethods publickey,keyboard-interactive

✅ Now, logging in requires:

SSH Key
Google Authenticator Code

🔍 Monitoring & Maintenance

1. Check Failed Login Attempts

sudo grep "Failed password" /var/log/auth.log  # Ubuntu
sudo grep "Failed password" /var/log/secure   # RHEL

2. Test SSH Config Before Applying

sudo sshd -t  # Checks for syntax errors

✅ Best Practice:

Regularly update OpenSSH (sudo apt upgrade openssh-server).
Review logs for suspicious activity.

✅ Final Security Checklist

[ ] Changed default SSH port
[ ] Disabled root login
[ ] Disabled password authentication
[ ] Enabled SSH key-based auth
[ ] Configured firewall rules
[ ] Set up Fail2Ban
[ ] Restricted user access
[ ] Enabled session timeouts
[ ] Tested backup access method
[ ] Documented all changes

🚀 Conclusion

By following these steps, you’ve dramatically improved SSH security by:

✔ Eliminating password-based attacks

✔ Blocking brute-force attempts

✔ Restricting unauthorized access

Want even more security? Consider:

Port knocking (hidden SSH port)
VPN-based SSH access (extra layer)
Automated log monitoring (SIEM tools)

🔗 Further Reading:

🚨 Stay secure, and happy administering! 🚀

Khuram Murad @khurammurad