Fortify Your SSH: Lock Out Root, Shift Ports, Key In Security.
#cloudwhistler#devops#cloudcomputing#linux
Olatunde salami

Olatunde salami @salamilinux

About: Cloud Engineer | DevOps| Linux | Automation

Location:
Ibadan Nigeria
Joined:
Apr 7, 2025

Fortify Your SSH: Lock Out Root, Shift Ports, Key In Security.

Publish Date: May 15
7 0

Table Of Content

Introduction

Yesterday, I talked about how Linux is secure by design but only if you take action. Today, I’m locking down one of the most important services on any Linux system:

SSH Your remote door into the system.

If SSH is exposed and misconfigured, it becomes a high-value target for brute-force attacks and exploits. So let’s secure it step-by-step.

Why SSH Needs Protection

By default, SSH can:

  • Allow root login
  • Use password authentication
  • Run on the default port (22)

This is convenient, but it also makes your system predictable and vulnerable.

1. Disable Root Login

Why?

Allowing root to log in remotely is risky if someone cracks the password, they get full control instantly.

How:

  1. Open the SSH config file: 
sudo nano /etc/ssh/sshd_config
Enter fullscreen mode Exit fullscreen mode
  1. Find or add this line: 
PermitRootLogin no
Enter fullscreen mode Exit fullscreen mode
  1. Save and restart SSH: 
   sudo systemctl restart ssh
Enter fullscreen mode Exit fullscreen mode

Now, root cannot log in via SSH.

2. Change the Default SSH Port

Why?
Bots scan port 22 constantly. Moving SSH to a non-standard port reduces noise and avoids low effort attacks.

How:

  1. Edit the SSH config again: 
sudo nano /etc/ssh/sshd_config
Enter fullscreen mode Exit fullscreen mode
  1. Change the port: 
   Port 2222
Enter fullscreen mode Exit fullscreen mode

(Pick any unused port between 1024 and 65535)

  1. Allow the new port in the firewall: 
   sudo ufw allow 2222/tcp
Enter fullscreen mode Exit fullscreen mode
  1. Restart SSH: 
   sudo systemctl restart ssh
Enter fullscreen mode Exit fullscreen mode

✅ You’ll now connect like this:

ssh -p 2222 user@your-server
Enter fullscreen mode Exit fullscreen mode

3. Set Up Key-Based Authentication

Why?
SSH keys are far more secure than passwords and resistant to brute-force attacks.

🧩 Step-by-Step:

** On Your Local Machine (Client):**

  1. Generate a key pair: 
   ssh-keygen -t rsa -b 4096
Enter fullscreen mode Exit fullscreen mode
  1. Copy the public key to the server: 
   ssh-copy-id user@your-server -p 2222
Enter fullscreen mode Exit fullscreen mode

This adds your public key to the server’s ~/.ssh/authorized_keys file.

On Your Server:

  1. Edit the SSH config again: 
   sudo nano /etc/ssh/sshd_config
Enter fullscreen mode Exit fullscreen mode
  1. Ensure these settings are enabled: 
   PubkeyAuthentication yes
   PasswordAuthentication no
Enter fullscreen mode Exit fullscreen mode
  1. Restart SSH: 
   sudo systemctl restart ssh
Enter fullscreen mode Exit fullscreen mode

✅ Now, only systems with your private key can log in.

Bonus: Test Before Locking Yourself Out

Always open a second terminal and test your changes before closing your current SSH session. That way, if anything breaks, you're still connected and can fix it.

Summary What I Learned Today

  • Remote root login is dangerous, I disabled it.
  • Port 22 is predictable, I moved SSH to a safer port.
  • Passwords can be brute forced, I switched to SSH keys.
  • I always test SSH changes before restarting or disconnecting.

Result: My Linux SSH access is now much harder to exploit.

I would love to hear your thoughts, experiences, or tips about Linux!
Feel free to share in the comments and join the conversation.
Connect with me on LinkedIn !

#30DaysLinuxChallenge #CloudWhistler #RedHat #Cloudsecurity #DevOps #Linux #OpenSource #CloudComputing #RedHatEnterpriseLinux #SystemLogs #EnterpriseIT #Observability #Logging #SysAdmin #Automation #CloudEngineer #TechForBusiness #ITSupport #SRE #CloudOps

Comments 0 total

    Add comment