Cantech Knowledge Base

Your Go-To Hosting Resource

  1. Linux
  2. How to Harden Server SSH Access Using Advanced OpenSSH Features?

How to Harden Server SSH Access Using Advanced OpenSSH Features?

Securing your SSH access is crucial, if you’re running a Linux server (especially Ubuntu). SSH is your gateway to the server, and leaving it open to attacks can expose you to serious risks — from brute-force login attempts to full-blown server compromises.

In this blog, we’ll walk you through how to harden server SSH access using advanced OpenSSH features. Let’s lock things down!

1. Disable Root Login

By default, SSH allows logging in directly as root. It is dangerous because attackers often target the root account first.

To disable root login:

Open your SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find and update this line:

PermitRootLogin no

Restart SSH:

sudo systemctl restart ssh

It forces users to log in using normal accounts and then use sudo — adding an extra layer of protection.

2. Use SSH Key-Based Authentication (and Disable Passwords)

Forget weak passwords. With SSH key pairs, your logins are far more secure.

To set this up:

1. Generate a key pair on your local machine

ssh-keygen -t ed25519

2. Copy the public key to your server:

ssh-copy-id username@your_server_ip

3. Now disable password login (edit sshd_config again):

PasswordAuthentication no
PubkeyAuthentication yes

You’ve just made your SSH login nearly brute-force-proof.

3. Change the Default SSH Port

Most bots and attackers scan port 22. Changing the port helps hide your SSH service.

Edit your config:

Port 2222

Make sure your firewall allows the new port:

sudo ufw allow 2222/tcp

It reduces exposure to automated SSH attacks.

4. Allow Only Specific Users or Groups

Want to restrict SSH access to just a few users? You can.

In your sshd_config:

AllowUsers cantech adminuser
# or
AllowGroups sshaccess

Only listed users or members of the specified group can log in via SSH.

5. Enable Idle Timeout to Auto-Disconnect

Forgotten sessions can be risky. Let’s set timeouts.

Add this to sshd_config:

ClientAliveInterval 300
ClientAliveCountMax 2

It disconnects idle sessions after 10 minutes of inactivity.

6. Enable Two-Factor Authentication (2FA)

Want extra security? Add Google Authenticator.
Steps:

1. Install:

sudo apt install libpam-google-authenticator

2. On each user account, run:

Google-authenticator

3. Update PAM and SSH:

# /etc/pam.d/sshd
auth required pam_google_authenticator.so|
# /etc/ssh/sshd_config
ChallengeResponseAuthentication yes

Users now need both an SSH key and a TOTP from their authenticator app to log in.

7. Disable SSH Protocol 1

Protocol 1 is outdated and insecure. Stick to Protocol 2.

Protocol 2

Prevents use of insecure encryption standards.

8. Use a Strong SSH Key Algorithm

Use newer, safer algorithms like ed25519 or ecdsa instead of RSA.

ssh-keygen -t ed25519

Update sshd_config:

HostKey /etc/ssh/ssh_host_ed25519_key

Stronger encryption = more secure access.

9. Restrict Port Forwarding, X11, and Tunneling

Unless you really need them, turn off these features.

AllowTcpForwarding no
PermitTunnel no
X11Forwarding no

It prevents attackers from using SSH for sneaky backdoors.

10. Use Match Blocks for Granular Control

Want to apply different rules to different users? Use Match blocks.

Match User cantech
    AllowTcpForwarding yes
    X11Forwarding no

This gives you fine-grained control over user permissions.

11. Set Login Attempt Limits

Don’t give attackers unlimited tries!

MaxAuthTries 3
MaxSessions 2

Limits the number of authentication attempts per connection.

12. Use Fail2Ban to Block Brute Force IPs

Fail2Ban watches your logs and bans IPs that fail too many times.

Install it:

sudo apt install fail2ban

Configure /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Protects your SSH service from bots and brute-force attacks.

13. Use IP Allowlisting

Allow SSH only from specific IPs.

Example (with UFW):

sudo ufw allow from 203.0.113.1 to any port 2222

Limits access to only trusted machines.

14. Monitor Logs and Stay Updated

Check your SSH logs often:

tail -f /var/log/auth.log

Keep your packages updated:

sudo apt update && sudo apt upgrade

Security is a continuous process — not a one-time fix.

Optional: Use Port Knocking or VPN

For extreme hardening:

  • Use port knocking to hide your SSH port until a secret sequence is sent.
  • Or run SSH access only through a VPN.

These advanced setups make your server virtually invisible to attackers.

Final Thoughts

You’ve now learned how to use advanced OpenSSH features to lock down your server like a pro. These best practices — like SSH key authentication, 2FA, fail2ban, idle timeouts, and IP allowlisting — dramatically reduce your risk of compromise.

Hardening SSH isn’t just about security — it’s peace of mind.

1. What is SSH hardening?

SSH hardening is the process of strengthening your SSH server configuration to reduce vulnerabilities and prevent unauthorized access.

2. Why should I disable root login in SSH?

Disabling root login helps prevent direct attacks on the superuser account, forcing attackers to compromise a regular user account first.

3. Is changing the SSH port really effective?

While not foolproof, changing the default port helps hide SSH from basic port scanners and bots.

4. How do I secure SSH with Fail2Ban?

Install Fail2Ban, configure the jail for SSH, and it’ll automatically ban IPs after multiple failed logins.

5. Should I use RSA or Ed25519 for SSH keys?

Use ed25519 — it’s faster, more secure, and the recommended modern standard.

May 26, 2025