Skip to content

SSH Security

This guide shows how to harden SSH on a Linux server.

Apply the changes step by step and do not close your current SSH session until you verify the new configuration.

Make sure you have:

  • access to the server as root or through a user with sudo;
  • OpenSSH in use;
  • a way to restore access from the provider console if you lock yourself out.

If the server uses ssh.socket instead of the regular ssh.service, disable socket mode first:

Окно терминала
sudo systemctl stop ssh.socket
sudo systemctl disable ssh.socket
sudo systemctl enable ssh
sudo systemctl restart ssh

You can check the current mode with:

Окно терминала
sudo systemctl status ssh

The main settings are stored in /etc/ssh/sshd_config.

First create a separate administrative user:

Окно терминала
useradd -m -U -s /bin/bash -G sudo holu
passwd holu

Then disable root login:

Окно терминала
PermitRootLogin no

To disconnect an SSH session after inactivity, add:

Окно терминала
ClientAliveInterval 300
ClientAliveCountMax 1

If only certain accounts should be allowed to connect, list them explicitly:

Окно терминала
AllowUsers holu holu2

Change the port from 22 to any other port you want to use for SSH:

Окно терминала
Port SELECTED_PORT

If you change the port, remember to update your firewall rules.

Disable features that are not needed for regular SSH access:

Окно терминала
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
AuthorizedKeysFile .ssh/authorized_keys

To reduce brute-force risk, limit the number of login attempts:

Окно терминала
MaxAuthTries 2

Make sure public-key authentication is enabled:

Окно терминала
PubkeyAuthentication yes

On the client machine, generate a key:

Окно терминала
ssh-keygen -t rsa -b 4096

On a Linux client, copy the key with:

Окно терминала
ssh-copy-id -i ~/.ssh/id_rsa.pub -p SELECTED_PORT holu@your_host

On Windows, you can manually add the public key contents to:

/home/holu/.ssh/authorized_keys

Test the key-based connection:

Окно терминала
ssh -i ~/.ssh/id_rsa -p SELECTED_PORT holu@your_host

If you want an additional layer of protection, use Google Authenticator or Aegis.

On Ubuntu / Debian:

Окно терминала
apt install libpam-google-authenticator

On CentOS / RedHat:

Окно терминала
yum install epel-release
yum install google-authenticator

On Arch Linux:

Окно терминала
pacman -S libpam-google-authenticator

On openSUSE / SLES:

Окно терминала
zypper install google-authenticator-libpam

Start the setup:

Окно терминала
google-authenticator

Then:

  1. Answer y if you want time-based tokens.
  2. Scan the QR code in the app.
  3. Save the backup codes.
  4. Confirm the remaining prompts.

In /etc/pam.d/sshd, comment out:

@include common-auth

Then add:

auth required pam_google_authenticator.so

In /etc/ssh/sshd_config, enable:

Окно терминала
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

If you are using Ubuntu 22.04 or newer, use this instead of ChallengeResponseAuthentication:

Окно терминала
KbdInteractiveAuthentication yes

Restart SSH:

Окно терминала
systemctl restart ssh

Before restarting SSH, check the syntax:

Окно терминала
sshd -t

If there are no errors, apply the settings:

Окно терминала
systemctl restart ssh

After all changes:

  • open a new SSH connection;
  • check key-based login;
  • check 2FA login if you enabled it;
  • make sure the old access methods are no longer needed.

If everything is configured correctly, SSH will be much more secure.