Introduction to SSH Hardening
I’ve seen many Linux systems compromised due to weak SSH security, so I want to share my approach to hardening SSH access. As of 2026, SSH remains a vital tool for system administration, development, and self-hosting, but its widespread use also makes it a common target for brute-force attacks and unauthorized access attempts. To mitigate these risks, I recommend using Fail2Ban and Public Key Authentication to secure SSH on Debian-based systems.
Understanding Fail2Ban
Fail2Ban is a powerful tool that scans log files for IP addresses that show signs of malicious activity, such as multiple failed login attempts, and temporarily or permanently bans them. This prevents brute-force attacks and significantly reduces the risk of unauthorized access. Don’t bother with manual log monitoring - Fail2Ban makes it easy to automate this process. To install Fail2Ban on a Debian-based system, use the following command:
sudo apt update && sudo apt install fail2ban
After installation, configure Fail2Ban by editing the /etc/fail2ban/jail.local file. This file allows you to customize settings such as the ban duration, the number of failed attempts required to trigger a ban, and the IP addresses to ignore. I usually start with the default settings and adjust them as needed.
Configuring Fail2Ban for SSH
To configure Fail2Ban specifically for SSH, you’ll need to create or edit the SSH-related settings in the /etc/fail2ban/jail.local file. Here’s an example configuration:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
This configuration enables Fail2Ban for SSH, sets the port to the default SSH port, specifies the filter to use, and defines the log path and the maximum number of retries allowed before triggering a ban. The real trick is finding the right balance between security and usability - you don’t want to lock out legitimate users.
Public Key Authentication
Public Key Authentication is a secure method of authenticating SSH connections using a pair of cryptographic keys: a private key and a public key. The private key is kept secret on the client side, while the public key is shared with the server. When a client attempts to connect, the server checks the client’s public key against its own copy. If they match, access is granted. In practice, this method is much more secure than password authentication.
To set up Public Key Authentication on a Debian-based system, first generate a key pair on the client machine using the following command:
ssh-keygen -t ed25519
This command generates a 256-bit ED25519 key pair, which is considered secure as of 2026. You can also use RSA keys, but ED25519 is generally preferred due to its better performance and security. After generating the key pair, copy the public key to the server using the ssh-copy-id command:
ssh-copy-id user@server
Replace user with your username on the server and server with the server’s hostname or IP address.
Disabling Password Authentication
To further harden SSH access, consider disabling password authentication altogether. This forces all users to authenticate using Public Key Authentication, significantly reducing the risk of brute-force attacks. This is where people usually get burned - leaving password authentication enabled can lead to serious security issues.
To disable password authentication, edit the /etc/ssh/sshd_config file and set the PasswordAuthentication option to no:
PasswordAuthentication no
After making this change, restart the SSH service to apply the new configuration:
sudo systemctl restart ssh
Troubleshooting and Monitoring
Regularly monitoring your system’s logs and Fail2Ban activity is crucial for maintaining security. You can check the Fail2Ban logs using the following command:
sudo journalctl -u fail2ban
This command displays the Fail2Ban service logs, showing you which IP addresses have been banned and why. For more detailed information on SSH security and best practices, visit the Debian documentation or the OpenSSH project page.
Additional Security Considerations
While Fail2Ban and Public Key Authentication significantly improve SSH security, it’s essential to maintain good system hygiene. Regularly update your system and packages, use a firewall to restrict incoming connections, and limit user privileges to minimize potential damage in case of a security breach. Don’t forget to keep your system up to date - security patches are essential for preventing exploits.