Securing Your Linux Server: Essential SSH Hardening Techniques

SSH (Secure Shell) is the gateway to your Linux server, making it a prime target for attackers. Follow these steps to fortify your SSH configuration against brute-force attacks and unauthorized access.

1. Change the Default SSH Port

The default port 22 is constantly scanned by bots.

sudo nano /etc/ssh/sshd_config

Replace #Port 22 with a non-standard port (e.g., Port 58239). Save and restart SSH:

sudo systemctl restart sshd

⚠️ Warning: Update firewall rules (e.g., ufw allow 58239/tcp) first!

2. Disable Root Login

Prevent direct root access:

PermitRootLogin no  # Add/modify this line in sshd_config

Create a privileged sudo user instead:

adduser sysadmin && usermod -aG sudo sysadmin

3. Enforce Key-Based Authentication

Passwords are vulnerable. Use SSH keys:
On your local machine:

ssh-keygen -t ed25519  # Generate a key pair

Copy the public key to the server:

ssh-copy-id -p YOUR_PORT sysadmin@SERVER_IP

Disable password authentication:

PasswordAuthentication no  # Set in sshd_config

4. Restrict User Access

Allow only specific users/groups:

AllowUsers sysadmin admin_user  # Whitelist users
AllowGroups ssh-users          # Whitelist groups

Create the group:

groupadd ssh-users && usermod -aG ssh-users sysadmin

5. Harden Cryptography Settings

Force modern ciphers and algorithms. Add to sshd_config:

KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-ed25519

6. Enable Fail2Ban

Block brute-force attempts:

sudo apt install fail2ban  # Debian/Ubuntu
sudo systemctl enable --now fail2ban

Configure jail rules in /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = YOUR_SSH_PORT
maxretry = 3
bantime = 1h

7. Apply Two-Factor Authentication (Optional)

Use Google Authenticator for SSH:

sudo apt install libpam-google-authenticator   # Debian/Ubuntu

Edit /etc/pam.d/sshd:

auth required pam_google_authenticator.so

In sshd_config:

ChallengeResponseAuthentication yes

8. Automate Updates & Monitor Logs

Patch vulnerabilities regularly:

sudo apt update && sudo apt upgrade -y  # Debian/Ubuntu

Audit SSH access attempts:

sudo grep "sshd" /var/log/auth.log | tail -50

Final Checklist

• Test all changes before disconnecting your session!
• Maintain backups of /etc/ssh/sshd_config.
• Use sshd -t to validate configuration syntax.

🔒 Pro Tip: Combine these with a firewall (e.g., ufw) and VPN for layered security.

By implementing these measures, you’ll transform SSH from a liability into a robust fortress. Stay vigilant and audit your server regularly!

> ✍️ Author’s Note: Security is iterative. Always follow the principle of least privilege.