Introduction to SSH Hardening
Securing your SSH server is one of the most critical tasks as a Linux administrator. I’ve seen this go wrong when systems are left vulnerable to unauthorized access. The recent high-profile vulnerabilities discovered in popular SSH implementations in 2025 serve as a reminder to keep your SSH server up to date and configured securely. In this article, we’ll discuss practical steps to harden your SSH server without making it overly restrictive.
Understanding SSH Configuration
The SSH configuration file is typically located at /etc/ssh/sshd_config. This file contains various options that control the behavior of the SSH server. To edit this file, you can use your preferred text editor, such as nano or vim. For example:
sudo nano /etc/ssh/sshd_config
Don’t bother with making changes without backing up the original configuration file first - it’s essential to have a fallback in case something goes wrong.
Disabling Root Login
One of the simplest and most effective ways to harden your SSH server is to disable root login. This can be done by setting the PermitRootLogin option to no in the sshd_config file. For example:
PermitRootLogin no
This will prevent attackers from attempting to brute-force the root password. In practice, this is a crucial step in preventing unauthorized access to your system.
Changing the Default Port
Changing the default SSH port from 22 to a non-standard port can help reduce the number of automated attacks on your server. However, this should not be relied upon as the sole means of security. To change the default port, add the following line to the sshd_config file:
Port 2222
Then, restart the SSH service to apply the changes:
sudo systemctl restart sshd
Note that you will need to update your SSH client configuration to connect to the new port. This is where people usually get burned - forgetting to update the client configuration can leave you locked out of your server.
Enabling Key-Based Authentication
Key-based authentication is a more secure alternative to password-based authentication. To enable key-based authentication, generate a pair of SSH keys on your client machine using the following command:
ssh-keygen -t ed25519
Then, copy the public key to your server using the following command:
ssh-copy-id -p 2222 user@server
Replace user and server with your actual username and server IP address. The real trick is to use a secure key type like Ed25519, which provides better security than older key types.
Limiting User Access
To further restrict access to your server, you can limit the users who are allowed to log in via SSH. This can be done by setting the AllowUsers option in the sshd_config file. For example:
AllowUsers user1 user2
This will only allow the users user1 and user2 to log in via SSH. I usually start with a restrictive approach and add users as needed, rather than allowing all users to log in by default.
Monitoring SSH Activity
To detect and respond to potential security threats, it’s essential to monitor SSH activity on your server. You can use tools like sshguard or fail2ban to monitor SSH logs and block suspicious IP addresses. For more information on fail2ban, visit the official GitHub repository.
Keeping Your Server Up to Date
Finally, it’s crucial to keep your server and SSH implementation up to date with the latest security patches. You can use your distribution’s package manager to update your system. For example, on Debian-based systems, you can use the following command:
sudo apt update && sudo apt full-upgrade
On Red Hat-based systems, you can use the following command:
sudo dnf update
For more information on securing your Linux system, visit the official Debian documentation.