Skip to content

How to Harden an SSH Server

Key idea:

SSH brute-force is the #1 attack on Linux servers. Basic hardening in 30 min blocks 99% of attacks: disable password auth (keys only), change the port from 22, AllowUsers whitelist, fail2ban for brute-force, optional TOTP MFA. Always keep a second terminal open when editing sshd_config in case of errors.

Below: step-by-step, working examples, common pitfalls, FAQ.

Check your site's security →

Step-by-Step Setup

  1. Generate an SSH key on the client: ssh-keygen -t ed25519 -a 100
  2. Copy the pubkey to the server: ssh-copy-id user@host
  3. Verify key-based login BEFORE disabling password auth
  4. In /etc/ssh/sshd_config: PasswordAuthentication no, PubkeyAuthentication yes, PermitRootLogin prohibit-password
  5. Add AllowUsers admin deploy (user whitelist)
  6. Optional: change the port (Port 2222) — security through obscurity; 90% of attacks target port 22
  7. sshd -t to check config, systemctl reload sshd
  8. Install fail2ban: apt install fail2ban (default sshd jail already set)

Working Examples

ScenarioConfig
Basic /etc/ssh/sshd_configPort 2222 PermitRootLogin prohibit-password PasswordAuthentication no PubkeyAuthentication yes AllowUsers admin ClientAliveInterval 300 ClientAliveCountMax 2 MaxAuthTries 3
Generate ed25519 keyssh-keygen -t ed25519 -a 100 -C "admin@example.com"
Fail2ban sshd jail[sshd] enabled = true maxretry = 3 bantime = 3600 findtime = 600
TOTP MFA (pam_google_authenticator)apt install libpam-google-authenticator\ngoogle-authenticator # run as user\n# Then edit /etc/pam.d/sshd + sshd_config: ChallengeResponseAuthentication yes
UFW + SSH rate-limitufw limit 2222/tcp # 6 connections per 30 sec

Common Pitfalls

  • Disabled password auth without verifying keys first — locked out
  • Changed port but didn't update firewall/UFW — connection refused
  • PermitRootLogin yes in 2026 — anti-pattern. Use a sudo user
  • AllowUsers with a typo in username — nothing works
  • MaxAuthTries too high (6+) — eases brute-force

TL;DR

To harden an SSH server in 2026, implement the following measures: disable root login, change the default SSH port, use key-based authentication, and utilize fail2ban to prevent brute-force attacks. Additionally, configure SSH to use the latest protocols and disable outdated ones, ensuring your server is compliant with current security standards.

Disabling Root Login and Changing Default SSH Port

One of the first steps in hardening your SSH server is to disable root login. Allowing direct root access can expose your server to unnecessary risks. To disable root login, edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Locate the following line:

#PermitRootLogin yes

Change it to:

PermitRootLogin no

This ensures that even if an attacker knows the root password, they cannot log in directly. Save the changes and exit the editor.

Next, changing the default SSH port from 22 to a less common port can further enhance security. This reduces the likelihood of automated attacks. To change the port, find the line:

#Port 22

And modify it to:

Port 2222

Replace '2222' with any unused port number in the range of 1024 to 65535. Ensure that the new port is allowed through your firewall:

sudo ufw allow 2222/tcp

After making these changes, restart the SSH service:

sudo systemctl restart sshd

Now, your SSH server will be less accessible to common attacks, increasing overall security.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

ed25519 vs RSA?

ed25519 is faster, more modern, shorter (32 bytes vs 2048+ bit). RSA only for legacy clients (pre-2014).

Is port change real defence?

Security through obscurity. Blocks mass bot scanners (90% scan only :22). Does not stop targeted attack on your server.

Should I disable root entirely?

Better <code>PermitRootLogin prohibit-password</code> (key-only) + sudo user. Full no — requires console access for emergencies.

How to verify security?

<a href="/en/security">Enterno Security Scanner</a> + <code>ssh-audit</code> open-source tool. Plus audit auth.log for failed attempts.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.