To secure an SSH server, implement strong authentication, limit access, change default settings, configure firewall rules, and keep the system updated. First, enable SSH key pairs with passphrases and disable password authentication entirely after uploading public keys to authorized_keys. Second, restrict root login by setting PermitRootLogin no and allow only specific users or groups using AllowUsers or AllowGroups. Third, change the default SSH port from 22 to a custom port like 2222 in sshd_config and adjust firewall rules accordingly. Fourth, use a firewall such as UFW to allow SSH connections only from trusted IPs and apply rate-limiting with tools like fail2ban to block repeated login attempts. Lastly, regularly update the OS and SSH packages via sudo apt update && sudo apt upgrade and enable automatic updates to protect against known vulnerabilities.
Securing an SSH server is essential for protecting your system from unauthorized access. While SSH itself is a secure protocol, misconfigurations or weak practices can expose your server to attacks. Here are some practical steps you can take to harden your SSH setup.
Use Strong Authentication Methods
One of the first things you should do is move away from weak password-based authentication.
-
Enable SSH key pairs – Passwords can be guessed or brute-forced. Using public/private key pairs adds a much higher level of security.
- Generate a strong key pair using
ssh-keygen - Set a passphrase for the private key
- Upload the public key to the server's
~/.ssh/authorized_keysfile
- Generate a strong key pair using
-
Disable password login entirely
In your SSH config (/etc/ssh/sshd_config), set:PasswordAuthentication no
Make sure you’ve added your public key before disabling passwords — otherwise, you might lock yourself out.
Limit User Access and Login Options
SSH access should only be granted to those who need it.
Restrict root login
The root account has full control, so allowing direct login via SSH is risky. Instead, disable it:PermitRootLogin no
Allow only specific users
Use theAllowUsersdirective insshd_configto limit SSH access to known accounts:AllowUsers user1 user2
Use groups to manage access
You can also allow logins by group:AllowGroups sshusers
This makes managing permissions easier when multiple people need access.
Change the Default SSH Port
Running SSH on port 22 is standard — which means it’s also the first target for attackers. Changing the port won’t stop determined hackers, but it will reduce noise from automated scans.
In sshd_config, change:
Port 2222
Then make sure your firewall allows traffic on that port. This small tweak can significantly cut down on botnet login attempts.
Set Up Firewall Rules and Rate Limiting
Even with good SSH settings, your server can still be exposed to repeated login attempts.
Use a firewall (like UFW or iptables)
Only allow SSH connections from trusted IP ranges if possible:ufw allow from 192.168.1.0/24 to any port 2222
Rate-limit connection attempts
Tools likefail2banmonitor logs and block IPs after repeated failed login attempts. It’s easy to install and configure, and it helps protect against brute-force attacks.
A simple fail2ban rule can block suspicious activity for a few minutes — often enough to deter most scripts.
Keep Your System and SSH Updated
Outdated software is one of the easiest ways for attackers to gain access.
Regularly update your OS and SSH packages:
sudo apt update && sudo apt upgrade
Subscribe to security mailing lists or use tools like
unattended-upgradesto apply critical patches automatically.
Older versions of OpenSSH have had serious vulnerabilities — staying updated ensures you’re protected.
That’s basically it. These steps aren't overly complicated, but they go a long way toward securing your SSH server. Some are small tweaks, like changing the port, while others, like using keys and limiting access, are foundational. A little effort upfront can prevent a lot of trouble later.
The above is the detailed content of What are some best practices for securing an SSH server?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to create a new, empty file from the command line?
Jun 14, 2025 am 12:18 AM
There are three ways to create empty files in the command line: First, the simplest and safest use of the touch command, which is suitable for debugging scripts or placeholder files; Second, it is quickly created through > redirection but will clear existing content, which is suitable for initializing log files; Third, use echo"> file name to create a file with an empty string, or use echo-n""> file name to avoid line breaks. These three methods have their own applicable scenarios, and choosing the right method can help you complete the task more efficiently.
5 Best Open Source Mathematical Equation Editors for Linux
Jun 18, 2025 am 09:28 AM
Are you looking for good software to write mathematical equations? If so, this article provides the top 5 equation editors that you can easily install on your favorite Linux distribution.In addition to being compatible with different types of mathema
SCP Linux Command – Securely Transfer Files in Linux
Jun 20, 2025 am 09:16 AM
Linux administrators should be familiar with the command-line environment. Since GUI (Graphical User Interface) mode in Linux servers is not commonly installed.SSH may be the most popular protocol to enable Linux administrators to manage the servers
How to Install Eclipse IDE in Debian, Ubuntu, and Linux Mint
Jun 14, 2025 am 10:40 AM
Eclipse is a free integrated development environment (IDE) that programmers around the world use to write software, primarily in Java, but also in other major programming languages using Eclipse plugins.The latest release of Eclipse IDE 2023?06 does
24 Hilarious Linux Commands That Will Make You Laugh
Jun 14, 2025 am 10:13 AM
Linux has a rich collection of commands, and while many of them are powerful and useful for various tasks, there are also some funny and whimsical commands that you can try out for amusement. 1. sl Command (Steam Locomotive) You might be aware of the
Install LXC (Linux Containers) in RHEL, Rocky & AlmaLinux
Jul 05, 2025 am 09:25 AM
LXD is described as the next-generation container and virtual machine manager that offers an immersive for Linux systems running inside containers or as virtual machines. It provides images for an inordinate number of Linux distributions with support
What is a PPA and how do I add one to Ubuntu?
Jun 18, 2025 am 12:21 AM
PPA is an important tool for Ubuntu users to expand their software sources. 1. When searching for PPA, you should visit Launchpad.net, confirm the official PPA in the project official website or document, and read the description and user comments to ensure its security and maintenance status; 2. Add PPA to use the terminal command sudoadd-apt-repositoryppa:/, and then run sudoaptupdate to update the package list; 3. Manage PPAs to view the added list through the grep command, use the --remove parameter to remove or manually delete the .list file to avoid problems caused by incompatibility or stopping updates; 4. Use PPA to weigh the necessity and prioritize the situations that the official does not provide or require a new version of the software.
Gogo - Create Shortcuts to Directory Paths in Linux
Jun 19, 2025 am 10:41 AM
Gogo is a remarkable tool to bookmark directories inside your Linux shell. It helps you create shortcuts for long and complex paths in Linux. This way, you no longer need to type or memorize lengthy paths on Linux.For example, if there's a directory
