How to Harden an SSH Server
SSH brute-force is the #1 attack on Linux servers. Basic hardening in 30 min blocks 99% of attacks: disable password auth (keys only), change the port from 22, AllowUsers whitelist, fail2ban for brute-force, optional TOTP MFA. Always keep a second terminal open when editing sshd_config in case of errors.
Below: step-by-step, working examples, common pitfalls, FAQ.
Step-by-Step Setup
- Generate an SSH key on the client:
ssh-keygen -t ed25519 -a 100 - Copy the pubkey to the server:
ssh-copy-id user@host - Verify key-based login BEFORE disabling password auth
- In /etc/ssh/sshd_config:
PasswordAuthentication no,PubkeyAuthentication yes,PermitRootLogin prohibit-password - Add
AllowUsers admin deploy(user whitelist) - Optional: change the port (
Port 2222) — security through obscurity; 90% of attacks target port 22 sshd -tto check config,systemctl reload sshd- Install fail2ban:
apt install fail2ban(default sshd jail already set)
Working Examples
| Scenario | Config |
|---|---|
| Basic /etc/ssh/sshd_config | Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3 |
| Generate ed25519 key | ssh-keygen -t ed25519 -a 100 -C "admin@example.com" |
| Fail2ban sshd jail | [sshd]
enabled = true
maxretry = 3
bantime = 3600
findtime = 600 |
| TOTP MFA (pam_google_authenticator) | apt install libpam-google-authenticator\ngoogle-authenticator # run as user\n# Then edit /etc/pam.d/sshd + sshd_config: ChallengeResponseAuthentication yes |
| UFW + SSH rate-limit | ufw limit 2222/tcp # 6 connections per 30 sec |
Common Pitfalls
- Disabled password auth without verifying keys first — locked out
- Changed port but didn't update firewall/UFW — connection refused
- PermitRootLogin yes in 2026 — anti-pattern. Use a sudo user
- AllowUsers with a typo in username — nothing works
- MaxAuthTries too high (6+) — eases brute-force
Why teams trust us
How it works
Enter site URL
Security headers analyzed
Get grade A–F
What Does the Security Analysis Check?
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Header Analysis
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
SSL Check
TLS version, certificate expiry, chain of trust, HSTS support.
Leak Detection
Finding exposed server versions, debug modes, open configs, and directories.
Report with Recommendations
Detailed report explaining each issue with specific steps to fix it.
Who uses this
Security teams
HTTP header audit
DevOps
config verification
Developers
CSP & HSTS setup
Auditors
compliance checks
Common Mistakes
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Best Practices
Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Get more with a free account
Security check history and HTTP security header monitoring.
Sign up freeLearn more
Frequently Asked Questions
ed25519 vs RSA?
ed25519 is faster, more modern, shorter (32 bytes vs 2048+ bit). RSA only for legacy clients (pre-2014).
Is port change real defence?
Security through obscurity. Blocks mass bot scanners (90% scan only :22). Does not stop targeted attack on your server.
Should I disable root entirely?
Better <code>PermitRootLogin prohibit-password</code> (key-only) + sudo user. Full no — requires console access for emergencies.
How to verify security?
<a href="/en/security">Enterno Security Scanner</a> + <code>ssh-audit</code> open-source tool. Plus audit auth.log for failed attempts.