SSH brute-force is the #1 attack on Linux servers. Basic hardening in 30 min blocks 99% of attacks: disable password auth (keys only), change the port from 22, AllowUsers whitelist, fail2ban for brute-force, optional TOTP MFA. Always keep a second terminal open when editing sshd_config in case of errors.
Below: step-by-step, working examples, common pitfalls, FAQ.
Free online tool — website security scanner: instant results, no signup.
ssh-keygen -t ed25519 -a 100ssh-copy-id user@hostPasswordAuthentication no, PubkeyAuthentication yes, PermitRootLogin prohibit-passwordAllowUsers admin deploy (user whitelist)Port 2222) — security through obscurity; 90% of attacks target port 22sshd -t to check config, systemctl reload sshdapt install fail2ban (default sshd jail already set)| Scenario | Config |
|---|---|
| Basic /etc/ssh/sshd_config | Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3 |
| Generate ed25519 key | ssh-keygen -t ed25519 -a 100 -C "admin@example.com" |
| Fail2ban sshd jail | [sshd]
enabled = true
maxretry = 3
bantime = 3600
findtime = 600 |
| TOTP MFA (pam_google_authenticator) | apt install libpam-google-authenticator\ngoogle-authenticator # run as user\n# Then edit /etc/pam.d/sshd + sshd_config: ChallengeResponseAuthentication yes |
| UFW + SSH rate-limit | ufw limit 2222/tcp # 6 connections per 30 sec |
To harden an SSH server in 2026, implement the following measures: disable root login, change the default SSH port, use key-based authentication, and utilize fail2ban to prevent brute-force attacks. Additionally, configure SSH to use the latest protocols and disable outdated ones, ensuring your server is compliant with current security standards.
One of the first steps in hardening your SSH server is to disable root login. Allowing direct root access can expose your server to unnecessary risks. To disable root login, edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config Locate the following line:
#PermitRootLogin yes Change it to:
PermitRootLogin no This ensures that even if an attacker knows the root password, they cannot log in directly. Save the changes and exit the editor.
Next, changing the default SSH port from 22 to a less common port can further enhance security. This reduces the likelihood of automated attacks. To change the port, find the line:
#Port 22 And modify it to:
Port 2222 Replace '2222' with any unused port number in the range of 1024 to 65535. Ensure that the new port is allowed through your firewall:
sudo ufw allow 2222/tcp After making these changes, restart the SSH service:
sudo systemctl restart sshd Now, your SSH server will be less accessible to common attacks, increasing overall security.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeed25519 is faster, more modern, shorter (32 bytes vs 2048+ bit). RSA only for legacy clients (pre-2014).
Security through obscurity. Blocks mass bot scanners (90% scan only :22). Does not stop targeted attack on your server.
Better <code>PermitRootLogin prohibit-password</code> (key-only) + sudo user. Full no — requires console access for emergencies.
<a href="/en/security">Enterno Security Scanner</a> + <code>ssh-audit</code> open-source tool. Plus audit auth.log for failed attempts.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.