SSH Security
This guide shows how to harden SSH on a Linux server.
Apply the changes step by step and do not close your current SSH session until you verify the new configuration.
Before you start
Section titled “Before you start”Make sure you have:
- access to the server as
rootor through a user withsudo; OpenSSHin use;- a way to restore access from the provider console if you lock yourself out.
If the server uses ssh.socket instead of the regular ssh.service, disable socket mode first:
sudo systemctl stop ssh.socketsudo systemctl disable ssh.socket
sudo systemctl enable sshsudo systemctl restart sshYou can check the current mode with:
sudo systemctl status sshStep 1. Restrict SSH access
Section titled “Step 1. Restrict SSH access”The main settings are stored in /etc/ssh/sshd_config.
Disable root login
Section titled “Disable root login”First create a separate administrative user:
useradd -m -U -s /bin/bash -G sudo holupasswd holuThen disable root login:
PermitRootLogin noLimit idle time
Section titled “Limit idle time”To disconnect an SSH session after inactivity, add:
ClientAliveInterval 300ClientAliveCountMax 1Allow only specific users
Section titled “Allow only specific users”If only certain accounts should be allowed to connect, list them explicitly:
AllowUsers holu holu2Change the default port
Section titled “Change the default port”Change the port from 22 to any other port you want to use for SSH:
Port SELECTED_PORTIf you change the port, remember to update your firewall rules.
Disable unused features
Section titled “Disable unused features”Disable features that are not needed for regular SSH access:
AllowTcpForwarding noX11Forwarding noAllowAgentForwarding noAuthorizedKeysFile .ssh/authorized_keysStep 2. Limit login failures
Section titled “Step 2. Limit login failures”To reduce brute-force risk, limit the number of login attempts:
MaxAuthTries 2Step 3. Enable key-based login
Section titled “Step 3. Enable key-based login”Make sure public-key authentication is enabled:
PubkeyAuthentication yesCreate a key on the client
Section titled “Create a key on the client”On the client machine, generate a key:
ssh-keygen -t rsa -b 4096Add the public key to the server
Section titled “Add the public key to the server”On a Linux client, copy the key with:
ssh-copy-id -i ~/.ssh/id_rsa.pub -p SELECTED_PORT holu@your_hostOn Windows, you can manually add the public key contents to:
/home/holu/.ssh/authorized_keysTest the key-based connection:
ssh -i ~/.ssh/id_rsa -p SELECTED_PORT holu@your_hostStep 4. Enable two-factor authentication
Section titled “Step 4. Enable two-factor authentication”If you want an additional layer of protection, use Google Authenticator or Aegis.
Install the package
Section titled “Install the package”On Ubuntu / Debian:
apt install libpam-google-authenticatorOn CentOS / RedHat:
yum install epel-releaseyum install google-authenticatorOn Arch Linux:
pacman -S libpam-google-authenticatorOn openSUSE / SLES:
zypper install google-authenticator-libpamConfigure Google Authenticator
Section titled “Configure Google Authenticator”Start the setup:
google-authenticatorThen:
- Answer
yif you want time-based tokens. - Scan the QR code in the app.
- Save the backup codes.
- Confirm the remaining prompts.
Connect PAM to SSH
Section titled “Connect PAM to SSH”In /etc/pam.d/sshd, comment out:
@include common-authThen add:
auth required pam_google_authenticator.soIn /etc/ssh/sshd_config, enable:
ChallengeResponseAuthentication yesUsePAM yesAuthenticationMethods publickey,keyboard-interactiveIf you are using Ubuntu 22.04 or newer, use this instead of ChallengeResponseAuthentication:
KbdInteractiveAuthentication yesRestart SSH:
systemctl restart sshStep 5. Verify the configuration
Section titled “Step 5. Verify the configuration”Before restarting SSH, check the syntax:
sshd -tIf there are no errors, apply the settings:
systemctl restart sshVerification
Section titled “Verification”After all changes:
- open a new SSH connection;
- check key-based login;
- check 2FA login if you enabled it;
- make sure the old access methods are no longer needed.
If everything is configured correctly, SSH will be much more secure.