SSH Hardening Guide

Secure your SSH server with key-based auth, configuration hardening, and brute-force protection.

Why Harden SSH?

SSH is the primary way servers are administered remotely. A default OpenSSH installation works, but it accepts password logins for every local account, including root on older releases, and that is exactly what automated brute-force campaigns target: an internet-facing sshd typically logs thousands of failed login attempts a day within hours of coming online.

Key-Based Authentication

The single most important SSH hardening step is switching from password to key-based authentication. Do the steps below in order, and keep your current session open until you have confirmed that a fresh key-based login works; disabling passwords before the key is in place locks you out.

Generate a Key Pair

# Generate an Ed25519 key (recommended: small, fast, no parameter choices to get wrong).
# -C is a free-form label stored in the public key, commonly an address or user@host;
# the value below is a placeholder.
ssh-keygen -t ed25519 -C "you@example.com"

# Or RSA with 4096 bits, for systems that cannot use Ed25519
ssh-keygen -t rsa -b 4096 -C "you@example.com"

Copy Your Public Key to the Server

ssh-copy-id user@server

This appends the public key to ~/.ssh/authorized_keys on the server and fixes the directory and file permissions sshd requires (authorized_keys must not be group- or world-writable, or sshd silently ignores it). Open a second terminal and confirm that a login with the key succeeds before continuing.

Disable Password Authentication

Edit /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes

sshd uses the first value it sees for a keyword, and Debian and Ubuntu ship an "Include /etc/ssh/sshd_config.d/*.conf" line near the top of the file. A drop-in there (Ubuntu cloud images install 50-cloud-init.conf with PasswordAuthentication yes) therefore wins over anything you write further down, so check that directory as well.

Essential sshd_config Settings

# /etc/ssh/sshd_config

# Disable root login
PermitRootLogin no

# Disable password auth (use keys only)
PasswordAuthentication no

# Disable empty passwords
PermitEmptyPasswords no

# Limit authentication attempts per connection. Every public key the client
# offers counts as an attempt, so clients with many keys loaded in ssh-agent
# should use IdentitiesOnly=yes to avoid "Too many authentication failures"
MaxAuthTries 3

# Drop clients that stop answering keepalives: probe every 300 seconds and
# disconnect after 2 unanswered probes (about 10 minutes). This detects dead
# connections, not idle users; a user sitting at a shell prompt keeps
# answering. ClientAliveCountMax 0 disables the disconnect entirely on
# OpenSSH 8.2 and later, so do not use 0 here
ClientAliveInterval 300
ClientAliveCountMax 2

# Only allow specific users (user@host patterns are accepted too). Keep your
# own account in the list and verify from a second session before logging out
AllowUsers deploy admin

# Protocol 1 was removed from sshd in OpenSSH 7.4; on current versions this
# keyword is ignored and only matters if you still run an older server
Protocol 2

After editing, check the file for syntax errors (sudo sshd -t prints nothing when it is valid), then restart SSH. On Debian and Ubuntu the unit is called ssh; sshd usually works as an alias. Keep your current session open and confirm that a new login succeeds before you close it:

sudo systemctl restart sshd
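The "first value wins" rule combined with Include means the file you edited is not necessarily the configuration sshd runs with. On a real host the check is "sudo sshd -T | grep -i passwordauthentication", which prints the effective value. The script below is an added example, not code from the original guide or from OpenSSH: it re-implements that resolution rule offline (first match wins, Include expanded in place, scanning stops at the first Match block) and audits the four authentication settings from the config above against a constructed sshd_config that looks hardened but is undone by a cloud-init style drop-in. The temp directory, the absolute Include path and the drop-in name are assumptions for the demo; real sshd resolves relative Include paths under /etc/ssh.

```sh
#!/bin/sh
# Added example (not from the original guide): resolve the EFFECTIVE value of
# an sshd_config keyword the way sshd does. Two rules bite people here:
#   1. the first value seen for a keyword wins; later lines are ignored;
#   2. "Include" is expanded where it appears, so a drop-in pulled in near the
#      top of sshd_config overrides everything written below it.
# Assumptions: demo files live in a temp dir with absolute Include paths.

# Print the effective value of KEY in CONFIG. Returns 1 and prints nothing
# when the keyword is unset, i.e. the compiled-in default applies.
effective_sshd_value() {
    _scan_file "$1" "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# Walk FILE looking for WANT (already lowercased), descending into Includes.
# Stops at the first "Match" line: values inside Match blocks are conditional.
_scan_file() {
    local file=$1 want=$2 line kw pattern f
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # strip comments
        case $line in *=*) line="${line%%=*} ${line#*=}";; esac   # Keyword=value form
        set -f; set -- $line; set +f                       # split, no globbing yet
        [ $# -ge 1 ] || continue
        kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
        case $kw in
            match) return 1 ;;                             # end of global section
            include)
                for pattern in "$@"; do
                    for f in $pattern; do                  # unquoted: expand the glob
                        _scan_file "$f" "$want" && return 0
                    done
                done ;;
            "$want") printf '%s\n' "$*"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# Compare effective values with the guide's recommendations. Third column is
# the OpenSSH compiled-in default that applies when the keyword is unset.
# Prints one line per check; returns 0 only when every check passes.
audit_sshd_config() {
    local config=$1 rc=0 key want default got
    while read -r key want default; do
        got=$(effective_sshd_value "$config" "$key") || got=$default
        if [ "$got" = "$want" ]; then
            printf 'ok   %-22s %s\n' "$key" "$got"
        else
            printf 'FAIL %-22s effective=%s wanted=%s\n' "$key" "$got" "$want"
            rc=1
        fi
    done <<'EOF'
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
PubkeyAuthentication yes yes
PermitEmptyPasswords no no
EOF
    return "$rc"
}

# Constructed demo config (assumption): hardened-looking sshd_config that
# Includes a cloud-image style drop-in first. Prints the main config path.
make_demo_config() {
    local dir=$1
    mkdir -p "$dir/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
    cat > "$dir/sshd_config" <<EOF
Include $dir/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no    # ignored: the Include above already set it to yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
    printf '%s\n' "$dir/sshd_config"
}

# Demo run: the audit fails on PasswordAuthentication even though the main
# file says "no", because the drop-in was read first.
demo_dir=$(mktemp -d)
demo_cfg=$(make_demo_config "$demo_dir")
audit_sshd_config "$demo_cfg" || echo "audit FAILED: fix the drop-in before restarting sshd"
rm -rf "$demo_dir"
```

Run the real check after every change and before the restart: "sudo sshd -t" for syntax, "sudo sshd -T" for the effective values, and from a second terminal "ssh -o PasswordAuthentication=no user@server" to prove the key path works while the old session is still open.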

Brute-Force Protection with fail2ban

fail2ban watches sshd's log (/var/log/auth.log, or the systemd journal) and, when a source IP fails authentication maxretry times within findtime seconds, adds a firewall rule that blocks it for bantime seconds.

# Install
sudo apt install fail2ban

# Configure the SSH jail. sudo applies to cat only, not to the shell's
# redirection, so "sudo cat > file" fails with permission denied; use tee.
sudo tee /etc/fail2ban/jail.local > /dev/null << 'EOF'
[sshd]
enabled = true
# if sshd listens on a non-default port, change this too
port = ssh
filter = sshd
# maxretry failures within findtime seconds ban the source for bantime seconds
maxretry = 3
bantime = 3600
findtime = 600
# Hosts that log only to the journal (no /var/log/auth.log) need:
# backend = systemd
EOF

# Start now and at boot
sudo systemctl enable --now fail2ban

Check banned IPs:

sudo fail2ban-client status sshd
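To make the maxretry/findtime numbers concrete, here is an added example that is not part of the original guide and not fail2ban's own code: a minimal re-implementation of the sshd jail's counting rule as an awk script, run over constructed auth.log lines. It counts only "Failed password for ... from <ip>" messages (the real sshd filter matches many more sshd log formats), takes the time from the syslog HH:MM:SS field (so the sample must stay within one day), and reports the first moment each IP would be banned under a sliding window of findtime seconds. The host name, PIDs and addresses in the sample are made up.

```sh
#!/bin/sh
# Added example (not from the original guide or from fail2ban): the jail's
# maxretry/findtime rule, re-implemented in awk over constructed log lines.
# Assumptions: syslog-style lines, one day, only "Failed password" counted.

# Print "BAN <ip> at <time>" for every IP that reaches MAXRETRY failures
# inside any FINDTIME-second sliding window. Usage: ban_candidates LOG MAXRETRY FINDTIME
ban_candidates() {
    awk -v maxretry="$2" -v findtime="$3" '
    function tosec(hms,   p) { split(hms, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /sshd\[[0-9]+\]: Failed password for/ {
        t = tosec($3)
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || (ip in banned)) next          # already banned: ignore
        n[ip]++; ts[ip, n[ip]] = t                    # append this failure
        if (!(ip in first)) first[ip] = 1
        # slide the window: forget failures older than findtime seconds
        while (first[ip] < n[ip] && ts[ip, first[ip]] < t - findtime) first[ip]++
        if (n[ip] - first[ip] + 1 >= maxretry) {
            banned[ip] = 1
            print "BAN", ip, "at", $3
        }
    }' "$1"
}

# Constructed sample log (not real traffic): one fast brute-force source, one
# slow source that never reaches maxretry inside findtime=600, a line the
# filter does not count, and a successful key login that must not count.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  1 10:00:01 bastion sshd[2301]: Invalid user admin from 203.0.113.5 port 51234
Mar  1 10:00:01 bastion sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 bastion sshd[2304]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  1 10:00:05 bastion sshd[2307]: Failed password for root from 203.0.113.5 port 51246 ssh2
Mar  1 10:00:06 bastion sshd[2309]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  1 10:01:00 bastion sshd[2320]: Failed password for deploy from 198.51.100.7 port 40000 ssh2
Mar  1 10:02:10 bastion sshd[2322]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed
Mar  1 10:30:00 bastion sshd[2340]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
Mar  1 11:00:00 bastion sshd[2360]: Failed password for deploy from 198.51.100.7 port 40002 ssh2
EOF
}

# Demo run with the jail's thresholds: only 203.0.113.5 is banned, at its
# third failure; 198.51.100.7 spreads three failures over an hour and is not.
sample=$(mktemp)
write_sample_log "$sample"
ban_candidates "$sample" 3 600
rm -f "$sample"
```

Raising findtime to two hours bans the slow source as well, which is the trade-off the jail settings encode: a long findtime catches low-and-slow guessing at the cost of more false positives from users who mistype a password a few times a day. Since key-only servers never log "Failed password", the real filter's other patterns (for example the "Connection closed by authenticating user ... [preauth]" message) are what keep fail2ban useful after password authentication is disabled.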

Additional Hardening

  • Change the default port — Moving SSH from 22 to another port cuts log noise from mass scanners, but it is obscurity, not protection: targeted scans find it in seconds. Prefer a port below 1024, because any local user can bind an unprivileged port such as 2222 if sshd is not listening there, and update the fail2ban jail and firewall rules to match
  • Use a bastion/jump host — Don't expose SSH on every server; reach internal hosts through one hardened gateway (ssh -J bastion target) so only that host needs internet-facing sshd
  • Enable 2FA — Use a PAM one-time-password module such as libpam-google-authenticator together with "AuthenticationMethods publickey,keyboard-interactive" so the OTP is required in addition to the key, not instead of it; OpenSSH 8.2 and later also support FIDO2 hardware keys natively (ssh-keygen -t ed25519-sk), which gives a second factor with no PAM changes
  • Restrict source IPs — If you administer from a static IP, allow port 22 only from that address in the firewall; for finer control sshd's "Match Address" blocks can apply stricter settings to everything else
  • Use VPN — Reach SSH only over a VPN (Tailscale, WireGuard) so port 22 is never exposed to the internet; the bastion and firewall rules above still apply inside the VPN
