How to secure an SSH server

Topic: Servers linux

Summary

Harden sshd: disable password auth and root login, allow only key-based auth, use a non-default port if desired, and restrict users with AllowUsers. Verify with a new session before closing the current one so you do not lock yourself out.

Intent: How-to

Quick answer

  • Edit /etc/ssh/sshd_config: PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes; add AllowUsers if you want to restrict who can log in.
  • Ensure every user who needs access has their public key in ~/.ssh/authorized_keys with correct permissions (700 .ssh, 600 authorized_keys).
  • Restart sshd (systemctl restart sshd or ssh); test login in a new terminal before disconnecting; keep console or serial access in case of lockout.

Steps

  1. Backup and read current config

    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    grep -v '^#' /etc/ssh/sshd_config | grep -v '^$'
    Ensure key-based login already works for at least one user before changing anything.

  2. Set secure options

    Set PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes; optionally Port 2222 and AllowUsers user1 user2; do not set options that break your current key login.

  3. Restart sshd and test

    Run sshd -t to test the config, then systemctl restart sshd; open a new SSH session (keep the old one open) and verify that key login works; only then close the old session.

  4. Harden further (optional)

    Consider MaxAuthTries 3, ClientAliveInterval and ClientAliveCountMax, and fail2ban or similar; where possible, have the firewall allow SSH only from known IPs.

Summary

You will tighten SSH server security by disabling password and root login, enforcing key-based auth, and optionally restricting users and port. Use this on any internet-facing or shared server to reduce brute-force and credential risk.

Prerequisites

  • Root or sudo; SSH access that currently works.
  • At least one user with key-based auth working (test before disabling passwords).

Steps

Step 1: Backup and read current config

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo grep -E '^[^#]' /etc/ssh/sshd_config

Confirm you can log in with a key in a second terminal before changing anything.

Step 2: Set secure options

Edit /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Optional:
# Port 2222
# AllowUsers alice bob

Comment out or remove any conflicting lines (e.g. an existing PermitRootLogin yes): sshd uses the first value it reads for each keyword, so an earlier conflicting line would win over the one you added.

Step 3: Restart sshd and test

sudo sshd -t
sudo systemctl restart sshd

In a new terminal, connect with your key. Do not disconnect the current session until the new one works. Then you can close the old session.
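The script below is an added example, not part of the original page and not OpenSSH's own tooling. It applies the Step 2 directives to a copy of sshd_config and then reports the value sshd would actually use for each keyword. It is built around one sshd_config rule that often defeats Step 2: sshd keeps the first value it reads for a keyword, including values pulled in by an Include line (on Ubuntu and Debian, for example, a drop-in under /etc/ssh/sshd_config.d may set PasswordAuthentication yes), so a hardened line appended at the bottom of the file can silently lose. Directives inside a Match block apply only to that block and are left untouched. The sample config, the drop-in file, the keyword list and the temp directory are all constructed for the demo; on a real host, sudo sshd -T prints the effective configuration and is the authoritative check.

```shell
#!/bin/sh
# Added example, not code from the original page: applies the Step 2 directives
# to an sshd_config file, then reports the value sshd would actually use.
# Two sshd_config rules shape it: (1) sshd keeps the FIRST value it reads for a
# keyword, so a hardened line appended at the bottom loses to an earlier one,
# including one pulled in by "Include" (e.g. a cloud-init drop-in that sets
# PasswordAuthentication yes); hence the hardened lines go at the very top.
# (2) Lines after a "Match" block apply only inside it and are left alone.
# The config, drop-in and temp directory in the demo are constructed.

# The directives from Step 2, as keyword=value pairs.
HARDEN_DIRECTIVES='PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes'

# harden_sshd_config FILE
# Comments out every global line of FILE that sets a hardened keyword and
# inserts the hardened values at the top, ahead of any Include.
harden_sshd_config() {
    awk -v directives="$HARDEN_DIRECTIVES" '
        BEGIN {
            n = split(directives, wanted, " ")
            print "# hardening: placed first because sshd uses the first value it reads"
            for (i = 1; i <= n; i++) {
                split(wanted[i], kv, "=")
                print kv[1] " " kv[2]
                enforce[tolower(kv[1])] = 1
            }
        }
        {
            text = $0
            sub(/^[ \t]+/, "", text)
            if (text == "" || text ~ /^#/) { print; next }
            split(text, parts, "[ \t=]+")        # "Key value" or "Key=value"
            key = tolower(parts[1])
            if (key == "match") in_match = 1
            if (!in_match && (key in enforce)) {
                print "#" $0 "   # disabled by harden_sshd_config"
                next
            }
            print
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# first_value FILE KEYWORD
# Prints the first global value for KEYWORD the way sshd resolves it: top to
# bottom, descending into Include files in order, stopping at the first Match.
# Returns 1 when no global value is set.
first_value() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/=/ /')   # accept Key=value form
        set -f; set -- $line; set +f                 # split into words, no globbing
        [ $# -ge 1 ] || continue
        case $1 in '#'*) continue ;; esac
        k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case $k in
            match) return 1 ;;
            include)
                shift
                for pattern in "$@"; do
                    for inc in $pattern; do          # glob expansion intended here
                        if [ -f "$inc" ] && v=$(first_value "$inc" "$key"); then
                            printf '%s\n' "$v"; return 0
                        fi
                    done
                done ;;
            "$key") [ $# -ge 2 ] || continue; printf '%s\n' "$2"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# make_demo_config DIR: constructed fixture, a main file whose Include pulls in
# a cloud-init style drop-in that re-enables password logins.
make_demo_config() {
    mkdir -p "$1/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
    cat > "$1/sshd_config" <<EOF
Include $1/sshd_config.d/*.conf
PermitRootLogin yes
#PasswordAuthentication no
Match Group sftponly
    PasswordAuthentication no
EOF
}

demo=$(mktemp -d)
make_demo_config "$demo"
echo "before: PasswordAuthentication=$(first_value "$demo/sshd_config" PasswordAuthentication)"
harden_sshd_config "$demo/sshd_config"
echo "after:  PasswordAuthentication=$(first_value "$demo/sshd_config" PasswordAuthentication)"
rm -rf "$demo"
```

Run it with sh; it only touches its own temp directory. To use it on a real server, copy /etc/ssh/sshd_config somewhere, run harden_sshd_config on the copy, diff the copy against the original, and only then move it into place and continue with sudo sshd -t as in Step 3.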

Step 4: Harden further (optional)

  • MaxAuthTries 3
  • ClientAliveInterval 60, ClientAliveCountMax 2
  • Install fail2ban or use firewall rules to limit attempts
  • Restrict source IPs in firewall if you have fixed IPs

Verification

  • New session with key succeeds; password login and root login are rejected; sshd -t passes.

Troubleshooting

Locked out after restart — Use console (physical, serial, or cloud provider console); restore sshd_config from backup and restart sshd; fix key or user then re-apply secure config.

Key refused — Check authorized_keys permissions (700 .ssh, 600 authorized_keys); ensure the key is one line; check sshd_config for AuthorizedKeysFile and PubkeyAuthentication yes.
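As an added example (not from the original page), the check below covers the "Key refused" case: it verifies the permissions this page calls for (700 on .ssh, 600 on authorized_keys, which also satisfy sshd's StrictModes requirement that neither be group- or world-writable), that both are owned by the same user, and that every key in authorized_keys sits on a single line, which is what a key pasted across several lines violates. The fixture it builds in the demo is constructed and the key material in it is not a real key; stat -c is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example, not code from the original page: a pre-flight check for the
# "Key refused" case. It reports .ssh not mode 700, authorized_keys not mode
# 600, the two not owned by the same user, and a public key that was pasted
# across several lines. The fixture in the demo is constructed (no real key).

# check_authorized_keys SSH_DIR
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_authorized_keys() {
    dir=$1
    keys="$dir/authorized_keys"
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -f "$keys" ] || { echo "missing file: $keys"; return 1; }
    # stat -c is GNU coreutils syntax (assumed; BSD stat uses -f instead).
    mode_dir=$(stat -c '%a' "$dir")
    mode_keys=$(stat -c '%a' "$keys")
    [ "$mode_dir" = 700 ] || { echo "$dir: mode $mode_dir, want 700"; rc=1; }
    [ "$mode_keys" = 600 ] || { echo "$keys: mode $mode_keys, want 600"; rc=1; }
    [ "$(stat -c '%U' "$dir")" = "$(stat -c '%U' "$keys")" ] ||
        { echo "$keys: owner differs from $dir"; rc=1; }
    # A key must be one whole line: [options] keytype base64 [comment].
    # A wrapped continuation line carries no key type, so it is flagged.
    keytype='(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)'
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        printf '%s\n' "$line" |
            grep -Eq "(^|[[:space:]])$keytype[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|\$)" ||
            { echo "$keys:$n: not a single-line public key"; rc=1; }
    done < "$keys"
    return $rc
}

# make_demo_keys DIR MODE_DIR MODE_KEYS: constructed fixture (not a real key).
make_demo_keys() {
    mkdir -p "$1"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyDataNotARealKeyAAAA alice@laptop\n' > "$1/authorized_keys"
    chmod "$2" "$1"
    chmod "$3" "$1/authorized_keys"
}

demo=$(mktemp -d)
make_demo_keys "$demo/.ssh" 700 600
check_authorized_keys "$demo/.ssh" && echo "clean"
chmod 644 "$demo/.ssh/authorized_keys"
check_authorized_keys "$demo/.ssh" || echo "the findings above are why sshd refuses the key"
rm -rf "$demo"
```

Run check_authorized_keys on the affected user's ~/.ssh from the console session; a non-zero exit with the printed findings tells you which of the three causes listed above to fix before re-applying the secure config.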

Connection refused — Firewall may block the port; if you changed Port, connect to the new port; check systemctl status sshd and journalctl -u sshd.

Next steps

Continue to