To secure an SSH server, implement strong authentication, limit access, change default settings, configure firewall rules, and keep the system updated. First, enable SSH key pairs with passphrases and disable password authentication entirely after uploading public keys to authorized_keys. Second, restrict root login by setting PermitRootLogin no and allow only specific users or groups using AllowUsers or AllowGroups. Third, change the default SSH port from 22 to a custom port like 2222 in sshd_config and adjust firewall rules accordingly. Fourth, use a firewall such as UFW to allow SSH connections only from trusted IPs and apply rate-limiting with tools like fail2ban to block repeated login attempts. Lastly, regularly update the OS and SSH packages via sudo apt update && sudo apt upgrade and enable automatic updates to protect against known vulnerabilities.
Securing an SSH server is essential for protecting your system from unauthorized access. While SSH itself is a secure protocol, misconfigurations or weak practices can expose your server to attacks. Here are some practical steps you can take to harden your SSH setup.
Use Strong Authentication Methods
One of the first things you should do is move away from weak password-based authentication.
-
Enable SSH key pairs – Passwords can be guessed or brute-forced. Using public/private key pairs adds a much higher level of security.
- Generate a strong key pair using
ssh-keygen - Set a passphrase for the private key
- Upload the public key to the server's
~/.ssh/authorized_keysfile
- Generate a strong key pair using
-
Disable password login entirely
In your SSH config (/etc/ssh/sshd_config), set:PasswordAuthentication no
Make sure you’ve added your public key before disabling passwords — otherwise, you might lock yourself out.
Limit User Access and Login Options
SSH access should only be granted to those who need it.
Restrict root login
The root account has full control, so allowing direct login via SSH is risky. Instead, disable it:PermitRootLogin no
Allow only specific users
Use theAllowUsersdirective insshd_configto limit SSH access to known accounts:AllowUsers user1 user2
Use groups to manage access
You can also allow logins by group:AllowGroups sshusers
This makes managing permissions easier when multiple people need access.
Change the Default SSH Port
Running SSH on port 22 is standard — which means it’s also the first target for attackers. Changing the port won’t stop determined hackers, but it will reduce noise from automated scans.
In sshd_config, change:
Port 2222
Then make sure your firewall allows traffic on that port. This small tweak can significantly cut down on botnet login attempts.
Set Up Firewall Rules and Rate Limiting
Even with good SSH settings, your server can still be exposed to repeated login attempts.
Use a firewall (like UFW or iptables)
Only allow SSH connections from trusted IP ranges if possible:ufw allow from 192.168.1.0/24 to any port 2222
Rate-limit connection attempts
Tools likefail2banmonitor logs and block IPs after repeated failed login attempts. It’s easy to install and configure, and it helps protect against brute-force attacks.
A simple fail2ban rule can block suspicious activity for a few minutes — often enough to deter most scripts.
Keep Your System and SSH Updated
Outdated software is one of the easiest ways for attackers to gain access.
Regularly update your OS and SSH packages:
sudo apt update && sudo apt upgrade
Subscribe to security mailing lists or use tools like
unattended-upgradesto apply critical patches automatically.
Older versions of OpenSSH have had serious vulnerabilities — staying updated ensures you’re protected.
That’s basically it. These steps aren't overly complicated, but they go a long way toward securing your SSH server. Some are small tweaks, like changing the port, while others, like using keys and limiting access, are foundational. A little effort upfront can prevent a lot of trouble later.
The above is the detailed content of What are some best practices for securing an SSH server?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
5 Best Open Source Mathematical Equation Editors for Linux
Jun 18, 2025 am 09:28 AM
Are you looking for good software to write mathematical equations? If so, this article provides the top 5 equation editors that you can easily install on your favorite Linux distribution.In addition to being compatible with different types of mathema
SCP Linux Command – Securely Transfer Files in Linux
Jun 20, 2025 am 09:16 AM
Linux administrators should be familiar with the command-line environment. Since GUI (Graphical User Interface) mode in Linux servers is not commonly installed.SSH may be the most popular protocol to enable Linux administrators to manage the servers
Gogo - Create Shortcuts to Directory Paths in Linux
Jun 19, 2025 am 10:41 AM
Gogo is a remarkable tool to bookmark directories inside your Linux shell. It helps you create shortcuts for long and complex paths in Linux. This way, you no longer need to type or memorize lengthy paths on Linux.For example, if there's a directory
Install LXC (Linux Containers) in RHEL, Rocky & AlmaLinux
Jul 05, 2025 am 09:25 AM
LXD is described as the next-generation container and virtual machine manager that offers an immersive for Linux systems running inside containers or as virtual machines. It provides images for an inordinate number of Linux distributions with support
What is a PPA and how do I add one to Ubuntu?
Jun 18, 2025 am 12:21 AM
PPA is an important tool for Ubuntu users to expand their software sources. 1. When searching for PPA, you should visit Launchpad.net, confirm the official PPA in the project official website or document, and read the description and user comments to ensure its security and maintenance status; 2. Add PPA to use the terminal command sudoadd-apt-repositoryppa:/, and then run sudoaptupdate to update the package list; 3. Manage PPAs to view the added list through the grep command, use the --remove parameter to remove or manually delete the .list file to avoid problems caused by incompatibility or stopping updates; 4. Use PPA to weigh the necessity and prioritize the situations that the official does not provide or require a new version of the software.
How to create a file of a specific size for testing?
Jun 17, 2025 am 09:23 AM
How to quickly generate test files of a specified size? It can be achieved using command line tools or graphical software. On Windows, you can use fsutilfilecreatenew file name size to generate a file with a specified byte; macOS/Linux can use ddif=/dev/zeroof=filebs=1Mcount=100 to generate real data files, or use truncate-s100M files to quickly create sparse files. If you are not familiar with the command line, you can choose FSUtilGUI, DummyFileGenerator and other tool software. Notes include: pay attention to file system limitations (such as FAT32 file size upper limit), avoid overwriting existing files, and some programs may
How to install Linux alongside Windows (dual boot)?
Jun 18, 2025 am 12:19 AM
The key to installing dual systems in Linux and Windows is partitioning and boot settings. 1. Preparation includes backing up data and compressing existing partitions to make space; 2. Use Ventoy or Rufus to make Linux boot USB disk, recommend Ubuntu; 3. Select "Coexist with other systems" or manually partition during installation (/at least 20GB, /home remaining space, swap optional); 4. Check the installation of third-party drivers to avoid hardware problems; 5. If you do not enter the Grub boot menu after installation, you can use boot-repair to repair the boot or adjust the BIOS startup sequence. As long as the steps are clear and the operation is done properly, the whole process is not complicated.
NVM - Install and Manage Multiple Node.js Versions in Linux
Jun 19, 2025 am 09:09 AM
Node Version Manager (NVM) is a simple bash script that helps manage multiple Node.js versions on your Linux system. It enables you to install various Node.js versions, view available versions for installation, and check already installed versions.NV
