SSH Hardening

All changes below go in /etc/ssh/sshd_config (or a file in /etc/ssh/sshd_config.d/). After editing, validate and restart:

sudo sshd -t            # test config for syntax errors
sudo systemctl restart sshd

Always keep an existing SSH session open while testing changes — if you lock yourself out, the open session is your recovery path.

Essential Changes

PermitRootLogin no

Force use of a regular user + sudo. Eliminates the most brute-forced username.

Disable password authentication

PasswordAuthentication no

Key-only authentication. Make sure your key is in ~/.ssh/authorized_keys and working before enabling this.

Restrict to specific users

AllowUsers your-username deployer

Whitelist approach — only listed users can SSH in. Everyone else is rejected before auth is even attempted. Remember to add new users here if they need SSH access.

Change the default port

Port 2222

Not real security (port scanners find it), but cuts down on automated brute-force noise significantly. Update your firewall rules to match:

sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp

Recommended Settings

Setting	Value	Purpose
`PubkeyAuthentication`	`yes`	Enable key-based auth (usually default)
`AuthorizedKeysFile`	`.ssh/authorized_keys`	Default key location
`ChallengeResponseAuthentication`	`no`	Disable keyboard-interactive auth
`KbdInteractiveAuthentication`	`no`	Same as above (newer name)
`UsePAM`	`yes`	Keep PAM enabled for account checks
`X11Forwarding`	`no`	Disable unless you need remote GUI apps
`PermitEmptyPasswords`	`no`	Never allow empty passwords
`MaxAuthTries`	`3`	Lock out after N failed attempts per connection
`LoginGraceTime`	`30`	Seconds before unauthenticated connection is dropped
`ClientAliveInterval`	`300`	Send keepalive every N seconds
`ClientAliveCountMax`	`2`	Drop connection after N missed keepalives

Key Management

Generate a key pair

ssh-keygen -t ed25519 -C "your-email@example.com"

Ed25519 is the current recommendation — short keys, fast, strong. Use RSA 4096 only if you need compatibility with old systems.

Copy public key to server

ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 user@example.com

Verify permissions on the server

SSH is strict about file permissions. If these are wrong, key auth silently fails:

~/.ssh/                → 700  (drwx------)
~/.ssh/authorized_keys → 600  (-rw-------)
~/                     → 755  (drwxr-xr-x) or stricter

Check with:

ls -la ~/.ssh/
ls -ld ~/

Fail2ban Integration

Fail2ban watches auth logs and bans IPs that fail too many times. Essential complement to SSH hardening.

Install and enable

sudo apt install fail2ban
sudo systemctl enable --now fail2ban

SSH jail config

Create /etc/fail2ban/jail.local (don’t edit jail.conf directly — it gets overwritten on updates):

[sshd]
enabled = true
port = 2222
maxretry = 3
findtime = 600
bantime = 3600

Setting	Meaning
`maxretry`	Ban after N failures
`findtime`	Within this window (seconds)
`bantime`	Duration of ban (seconds). Use `-1` for permanent.

Useful commands

sudo fail2ban-client status sshd       # show jail stats and banned IPs
sudo fail2ban-client set sshd unbanip 1.2.3.4   # unban an IP
sudo fail2ban-client set sshd banip 1.2.3.4     # manually ban an IP

Quick Audit Checklist

After configuring, verify the state:

# Check which auth methods are active
sudo sshd -T | grep -i -E 'passwordauth|pubkeyauth|permitroot|allowusers|port '

# Check for open SSH port
sudo ss -tlnp | grep sshd

# Check fail2ban is running
sudo fail2ban-client status sshd

Sample hardened sshd_config block

Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
UsePAM yes
X11Forwarding no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers your-username