Securing SSH access is crucial to prevent unauthorized logins and brute-force attacks. In this guide, I’ll share 14 essential steps that I personally use to harden SSH security on my Linux servers.
1. Disable Root Logins
Logging in as root via SSH is a major security risk. Instead, I always use a regular user with sudo privileges.
To disable root login, edit the SSH configuration file:
sudo vim /etc/ssh/sshd_config
Find and modify:
PermitRootLogin no
Restart SSH:
sudo systemctl restart sshd
2. Restrict SSH Access to Specific Users
By default, any system user can attempt to connect via SSH. I prefer to restrict access to only specific users:
sudo vim /etc/ssh/sshd_config
Add:
AllowUsers myuser anotheruser
Restart SSH:
sudo systemctl restart sshd
3. Disable SSH Protocol 1
SSH Protocol 1 is outdated and insecure. I always ensure that my server only allows Protocol 2:
sudo vim /etc/ssh/sshd_config
Modify:
Protocol 2
Restart SSH:
sudo systemctl restart sshd
4. Change the Default SSH Port
To reduce automated attacks, I change the default SSH port (22) to something less common:
sudo vim /etc/ssh/sshd_config
Modify:
Port 2223
Restart SSH:
sudo systemctl restart sshd
If using SELinux, allow the new port:
sudo semanage port -a -t ssh_port_t -p tcp 2223
5. Set SSH Session Timeout
I prevent idle SSH sessions from staying open for too long by setting a timeout:
sudo vim /etc/ssh/sshd_config
Modify:
ClientAliveInterval 300
ClientAliveCountMax 0
Restart SSH:
sudo systemctl restart sshd
6. Limit Maximum Authentication Attempts
To reduce brute-force attack risks, I set a limit on the number of failed login attempts per connection:
sudo vim /etc/ssh/sshd_config
Modify:
MaxAuthTries 5
Restart SSH:
sudo systemctl restart sshd
7. Restrict SSH to a Specific IP Address
If my server has multiple network interfaces, I make SSH listen only on a specific IP address:
sudo vim /etc/ssh/sshd_config
Modify:
ListenAddress 192.168.10.112
Restart SSH:
sudo systemctl restart sshd
8. Disable Rhosts Authentication
Trust files such as .rhosts are a legacy mechanism I don't want sshd to honour, so I make it ignore them:
sudo vim /etc/ssh/sshd_config
Modify:
IgnoreRhosts yes
Restart SSH:
sudo systemctl restart sshd
9. Disable Empty Password Logins
I make sure no user can log in with an empty password, which is a huge security risk:
sudo vim /etc/ssh/sshd_config
Modify:
PermitEmptyPasswords no
Restart SSH:
sudo systemctl restart sshd
10. Disable Host-Based Authentication
Since host-based authentication can be risky, I always disable it:
sudo vim /etc/ssh/sshd_config
Modify:
HostbasedAuthentication no
Restart SSH:
sudo systemctl restart sshd
11. Enable Detailed SSH Logging
To monitor SSH activity, I set the logging level to INFO:
sudo vim /etc/ssh/sshd_config
Modify:
LogLevel INFO
Restart SSH:
sudo systemctl restart sshd
12. Limit Maximum Concurrent Connections
I cap the number of concurrent unauthenticated SSH connections to slow down brute-force attacks:
sudo vim /etc/ssh/sshd_config
Modify:
MaxStartups 4
Restart SSH:
sudo systemctl restart sshd
13. Reduce Login Grace Time
To minimize the time allowed for authentication attempts, I shorten the login grace period:
sudo vim /etc/ssh/sshd_config
Modify:
LoginGraceTime 1m
Restart SSH:
sudo systemctl restart sshd
14. Disable Password Authentication (Use SSH Keys Only)
For maximum security, I disable password authentication and only allow SSH key authentication:
sudo vim /etc/ssh/sshd_config
Modify:
PasswordAuthentication no
Restart SSH:
sudo systemctl restart sshd
If you’re not familiar with SSH key authentication, check out my guide on How to Set Up SSH Key-Based Authentication in Linux.
Try it out, and let me know if you run into any issues. Drop a comment below!