Concrete actions and commands to make SSH access resilient against common attacks. 16.11.2025 | reading time: 3 min SSH is the gateway to most Linux servers; left lax it becomes the weakest link. This short guide shows concrete commands and configuration changes you can apply now to harden OpenSSH and test the result. A quick lab: tighten a server On a test host simulate an insecure default and then harden it by backing up the config, disabling root and password login, changing port, and restarting the service; run the following sequence to apply changes and then test from a client with an expected authentication failure for passwords: ``` sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak sudo tee /etc/ssh/sshd_config <<'EOF' Port 2222 Protocol 2 PermitRootLogin no PasswordAuthentication no ChallengeResponseAuthentication no PermitEmptyPasswords no LoginGraceTime 30 MaxAuthTries 3 AllowUsers alice EOF sudo systemctl restart sshd # From client: ssh -p 2222 alice@server.example.com # Expected: keyboard-interactive or publickey prompt and password attempts denied ``` Tune the most effective options Change a few parameters and you will cut most brute force and misconfiguration risks: set `Protocol 2`, `PermitRootLogin no`, `PasswordAuthentication no`, reduce `MaxAuthTries` to 3, shorten `LoginGraceTime` to 30, restrict access with `AllowUsers` or `AllowGroups`, and consider moving the service port away from 22 while remembering security by obscurity is only one layer. Manage keys and per-key restrictions Use SSH keys instead of passwords and lock keys down in `~/.ssh/authorized_keys` with options like `command=`, `from=`, `no-pty`, and `no-agent-forwarding` to constrain what a key can do; rotate and revoke keys by removing them from authorized lists and log key usage with `sshd` and your audit tools. Complementary defenses to reduce exposure Hardening sshd_config is necessary but not sufficient; add intrusion prevention like fail2ban or sshguard to block repeated attempts, place a bastion or jump host in front of internal systems, enable two-factor authentication through a PAM module for interactive logins, and combine with firewall rules using nftables or iptables to limit source networks. Practical checks and monitoring After changes, test from an allowed client and from a blocked source, scan the host with an external SSH scanner to verify banner and port, monitor `/var/log/auth.log` or journald for suspicious entries, and schedule periodic audits of `sshd_config` and authorized_keys to ensure settings and key lists remain tight. A next step for a career-minded admin Hardening SSH is a hands-on skill that fits into broader Linux security practice; keep practicing, document your configurations, and consider formal study to deepen skill and show competence with certificates such as CompTIA Linux+ or LPIC-1 while exploring intensive exam preparation at bitsandbytes.academy. Join Bits & Bytes Academy First class LINUX exam preparation. security network utilities
