🖥️ Server Administration
6 min read
SSH Hardening Guide
Secure your SSH server with key-based auth, configuration hardening, and brute-force protection.
Why Harden SSH?
SSH is the primary way servers are administered remotely. A default SSH installation is functional but not optimally secure. Internet-facing SSH servers receive thousands of brute-force attempts daily.
Key-Based Authentication
The single most important SSH hardening step is switching from password to key-based authentication.
Generate a Key Pair
# Generate an Ed25519 key (recommended); the -C comment is only a label, so use anything that identifies the key
# Set a passphrase when prompted: it protects the private key file at rest
ssh-keygen -t ed25519 -C "you@example.com"
# Or RSA with 4096 bits, for systems that cannot use Ed25519
ssh-keygen -t rsa -b 4096 -C "you@example.com"
Copy Your Public Key to the Server
ssh-copy-id user@server
Disable Password Authentication
Edit /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
Essential sshd_config Settings
# /etc/ssh/sshd_config
# Disable root login
PermitRootLogin no
# Disable password auth (use keys only)
PasswordAuthentication no
# Disable empty passwords
PermitEmptyPasswords no
# Limit authentication attempts
MaxAuthTries 3
# Drop clients that stop answering keepalives (probe every 5 minutes, disconnect after one unanswered probe)
# Note: this catches dead connections, not idle logged-in users, and on OpenSSH 8.2+
# a ClientAliveCountMax of 0 disables disconnection entirely instead of forcing it
ClientAliveInterval 300
ClientAliveCountMax 1
# Only allow specific users (replace with your own account names)
AllowUsers deploy admin
# Use only SSH protocol 2 (only matters on OpenSSH older than 7.6; newer releases support protocol 2 only and ignore this keyword)
Protocol 2
After editing, restart SSH:
sudo systemctl restart sshd
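As an added check that is not part of the original guide: the script below audits an sshd_config file against the settings above. It mirrors the rule sshd itself applies, the first occurrence of a keyword wins and keywords are case-insensitive, which is why a hardened line appended below a stock setting can silently lose. The function names (effective_value, audit_sshd_config, make_sample) and the sample file are mine; the expected values are the guide's, plus one check that goes beyond it: KbdInteractiveAuthentication (spelled ChallengeResponseAuthentication on older releases), which with UsePAM enabled can still prompt for a password after PasswordAuthentication is set to no.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): audit an sshd_config against the guide's settings.
# sshd applies the FIRST occurrence of a keyword it reads and treats keywords
# case-insensitively, so a hardened line appended below a stock setting loses.
# The parser mirrors that rule. It does not follow "Include" lines; feed it the
# output of "sudo sshd -T" (lowercase keyword/value pairs) to audit the fully resolved config.

# effective_value FILE KEYWORD: print (lowercased) the value sshd would use, or nothing if unset.
effective_value() {
  local file="$1" key
  key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  awk -v key="$key" '
    /^[[:space:]]*(#|$)/ { next }                    # skip comments and blank lines
    tolower($1) == key   { print tolower($2); exit }  # first match wins, like sshd
  ' "$file"
}

# audit_sshd_config FILE: print one line per deviation; exit status 0 only when compliant.
# Each spec is KEYWORD:WANTED:UPSTREAM_DEFAULT; an unset keyword is judged by its upstream default.
audit_sshd_config() {
  local file="$1" findings=0 spec key want def got rest
  for spec in \
      PermitRootLogin:no:prohibit-password \
      PasswordAuthentication:no:yes \
      PermitEmptyPasswords:no:no \
      PubkeyAuthentication:yes:yes \
      MaxAuthTries:3:6 \
      KbdInteractiveAuthentication:no:yes; do
    key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
    got=$(effective_value "$file" "$key")
    # Older releases spell this keyword ChallengeResponseAuthentication.
    if [ -z "$got" ] && [ "$key" = KbdInteractiveAuthentication ]; then
      got=$(effective_value "$file" ChallengeResponseAuthentication)
    fi
    if [ "${got:-$def}" != "$want" ]; then
      echo "$key: want '$want', effective '${got:-$def (default)}'"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# make_sample: write a constructed config that shows the first-match trap and print its path.
make_sample() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample: stock settings near the top ...
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
# ... and hardening appended at the bottom; the earlier PermitRootLogin still wins
permitrootlogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
  echo "$f"
}

# Demo on the constructed sample: reports three deviations.
sample=$(make_sample)
if audit_sshd_config "$sample"; then
  echo "$sample: compliant"
else
  echo "$sample: deviations found (see above)"
fi
rm -f "$sample"
```

Before restarting the daemon, run `sudo sshd -t` to catch syntax errors, and keep your current session open until a fresh login from a second terminal succeeds with `ssh -o PasswordAuthentication=no -o BatchMode=yes user@server true`; on Debian and Ubuntu the service unit is named `ssh` (`sshd` works there only as an alias).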
Brute-Force Protection with fail2ban
fail2ban watches authentication logs and temporarily bans IP addresses that show signs of abuse, such as repeated failed logins.
# Install
sudo apt install fail2ban
# Configure SSH jail (jail.local overrides jail.conf and survives package upgrades)
# Note: "sudo cat > file" does not work, because the redirection is performed by the
# unprivileged shell; tee runs under sudo and writes the file itself
sudo tee /etc/fail2ban/jail.local > /dev/null << 'EOF'
[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 3
bantime = 3600
findtime = 600
EOF
# Start
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Check banned IPs:
sudo fail2ban-client status sshd
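To make the three numbers in the jail concrete, here is an added example, not part of the guide or of fail2ban, that replays constructed sshd log lines through the same rule the sshd jail applies: an address is banned once it accumulates maxretry failures inside a findtime window. The function names (make_sample_log, would_ban) and the log lines are mine; it assumes classic syslog timestamps on a single day, which is enough to show why failures spaced more than findtime apart never trip the jail.

```shell
#!/usr/bin/env bash
# Added example (not from the guide or from fail2ban): replay sshd log lines through the
# maxretry/findtime rule the jail above configures and report which addresses would be banned.

# make_sample_log: write constructed auth log lines (syslog format, one day) and print the path.
make_sample_log() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
May  1 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
May  1 10:00:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
May  1 10:00:09 host sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2
May  1 10:00:12 host sshd[1237]: Failed password for root from 203.0.113.5 port 51237 ssh2
May  1 10:01:00 host sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:constructed
May  1 10:02:00 host sshd[1241]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
May  1 10:20:00 host sshd[1250]: Failed password for deploy from 198.51.100.7 port 40002 ssh2
May  1 10:40:00 host sshd[1260]: Failed password for deploy from 198.51.100.7 port 40003 ssh2
EOF
  echo "$f"
}

# would_ban LOGFILE [MAXRETRY] [FINDTIME]: print "BAN <ip>" for each address that reaches
# MAXRETRY failed logins within any FINDTIME-second window (defaults match the jail above).
would_ban() {
  awk -v maxretry="${2:-3}" -v findtime="${3:-600}" '
    /sshd\[[0-9]+\]: Failed password for/ {
      split($3, t, ":")                          # $3 is HH:MM:SS; same-day assumption
      now = t[1] * 3600 + t[2] * 60 + t[3]
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "" || (ip in banned)) next
      # keep only the failures for this address that are still inside the window
      kept = 0
      for (i = 1; i <= cnt[ip]; i++)
        if (now - ts[ip, i] <= findtime) ts[ip, ++kept] = ts[ip, i]
      cnt[ip] = kept + 1
      ts[ip, cnt[ip]] = now
      if (cnt[ip] >= maxretry) {
        banned[ip] = 1
        print "BAN " ip " (" cnt[ip] " failures within " findtime "s)"
      }
    }
  ' "$1"
}

# Demo: only the burst from 203.0.113.5 is banned; the three failures from
# 198.51.100.7 are 18 minutes apart and never land in one 600-second window.
log=$(make_sample_log)
would_ban "$log"
rm -f "$log"
```

Two caveats for the real jail: on hosts where sshd logs only to the systemd journal (Debian 12 and later ship without rsyslog, so /var/log/auth.log does not exist) add `backend = systemd` to the [sshd] section, or fail2ban finds no log to watch; and if you move SSH off port 22, change `port = ssh` to the new port, because that value decides which port the ban rule blocks. To test the shipped filter against your own log, fail2ban provides `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`.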
Additional Hardening
- Change the default port — Move SSH from 22 to a high port (e.g., 2222) to reduce automated scanning noise
- Use a bastion/jump host — Don't expose SSH directly; connect through a hardened gateway
- Enable 2FA — Use Google Authenticator or similar for an additional authentication factor
- Restrict source IPs — If you have a static IP, allow SSH only from that address using firewall rules
- Use VPN — Access SSH only through a VPN (Tailscale, WireGuard) to avoid exposing port 22 entirely