SSH (Secure Shell) is the lifeline of remote server management, but if not secured properly, itβs an open invitation to attackers. Letβs harden SSH to keep the bad guys out. π
Everyone knows SSH runs on port 22. Letβs not make it easy for attackers. Change it to something uncommon.
Edit /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_configFind #Port 22, uncomment it, and change the number:
Port 1337 # π΄ββ οΈRestart SSH:
sudo systemctl restart sshDirect root login is a security risk. Disable it in /etc/ssh/sshd_config:
PermitRootLogin noRestart SSH:
sudo systemctl restart sshNow, always login with a non-root user and sudo when needed.
Passwords are weak. Use key-based authentication instead.
ssh-keygen -t ed25519 -C "hello@hisalman.in" # replace with your emailssh-copy-id user@your-serverNow, disable password authentication in /etc/ssh/sshd_config:
PasswordAuthentication noRestart SSH:
sudo systemctl restart sshBrute-force attacks are common. Fail2Ban blocks repeated failed attempts.
Install Fail2Ban:
sudo apt install fail2ban -yEnable SSH protection:
sudo nano /etc/fail2ban/jail.localAdd:
[sshd]
enabled = true
port = 1337 # your custom SSH port
maxretry = 5
bantime = 3600 # 1 hourRestart Fail2Ban:
sudo systemctl restart fail2banLimit SSH access to specific users by adding this to /etc/ssh/sshd_config:
AllowUsers youruserRestart SSH:
sudo systemctl restart sshWant extra security? Use Two-Factor Authentication (2FA).
Install Google Authenticator:
sudo apt install libpam-google-authenticator -yRun the setup:
google-authenticatorAnswer the prompts, then add this line to /etc/pam.d/sshd:
auth required pam_google_authenticator.soEnable it in /etc/ssh/sshd_config:
ChallengeResponseAuthentication yesRestart SSH:
sudo systemctl restart sshStay safe & happy hacking!