# SSH Security Best Practices
SSH is the primary remote access method for Linux servers. Proper configuration is essential.
## Secure SSH Configuration

`/etc/ssh/sshd_config`:

```text
# Comments are kept on their own lines: older sshd releases reject a trailing "# ..." after a directive.

# Protocol and Port
# Non-standard port: reduces scanner noise only (security through obscurity, not a control)
Port 2222
# SSH-2 only; the keyword is deprecated and ignored by OpenSSH 7.4+, which speaks only SSH-2
Protocol 2

# Authentication
# Never allow direct root login
PermitRootLogin no
# Limit authentication attempts per connection
MaxAuthTries 3
# Enable key authentication
PubkeyAuthentication yes
# Disable password authentication
PasswordAuthentication no
# No empty passwords
PermitEmptyPasswords no
# Disable keyboard-interactive/PAM challenges for most setups (spelled KbdInteractiveAuthentication in OpenSSH 8.7+)
ChallengeResponseAuthentication no

# User/Group Restrictions
# Only these users can SSH. When AllowUsers and AllowGroups are both set, a user must match both;
# pick one mechanism unless that is intended.
AllowUsers admin deploy
# Or restrict by group
AllowGroups sshusers
# Explicit denies (DenyUsers is evaluated before the Allow lists)
DenyUsers nobody

# Session Security
# 5 minute keepalive interval
ClientAliveInterval 300
# 2 missed keepalives = disconnect
ClientAliveCountMax 2
# 60 seconds to authenticate
LoginGraceTime 60
# Max concurrent sessions (multiplexed channels) per network connection
MaxSessions 3

# Cryptography
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512

# Logging
# Detailed logging (records the key fingerprint used for each login)
LogLevel VERBOSE
SyslogFacility AUTH

# Other Security
# Disable unless needed
X11Forwarding no
# Disable unless needed
AllowTcpForwarding no
# Disable tunneling
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
```

## Apply Configuration
```bash
# Test configuration (syntax check; `sudo sshd -T` prints the effective values after defaults and Match blocks)
sudo sshd -t
# Reload SSH
sudo systemctl reload sshd
```

Keep an existing session open while reloading and confirm a fresh login works before disconnecting, so a mistake cannot lock you out.

## Key-Based Authentication
### Generate Strong Keys

```bash
# ED25519 (recommended: smaller, faster, secure)
ssh-keygen -t ed25519 -a 100 -C "user@hostname"
# RSA 4096 (for legacy compatibility only)
ssh-keygen -t rsa -b 4096 -o -a 100 -C "user@hostname"

# Key options explained:
# -a 100 = 100 rounds of the KDF that encrypts the private key with its passphrase
#          (slows offline guessing if the key file is stolen; only matters when a passphrase is set)
# -o     = new OpenSSH private key format (the default since OpenSSH 7.8; Ed25519 keys always use it)
# -C     = comment for identification
```

### Deploy Public Key
```bash
# Copy to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server
# Manual method
cat ~/.ssh/id_ed25519.pub | ssh user@server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
# Set correct permissions on server (with StrictModes, the default, sshd ignores keys in group- or world-writable paths)
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```

## SSH Firewall Rules
```bash
# UFW: allow the management network first, then deny everyone else (rules are evaluated in order)
sudo ufw allow from 10.0.0.0/8 to any port 2222
sudo ufw deny 2222
# iptables with rate limiting: the 4th new connection from one source within 60 s is dropped
iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
# (your normal ACCEPT rule for port 2222 must come after these two lines)
```

## fail2ban for SSH
```ini
# /etc/fail2ban/jail.local
[sshd]
enabled = true
# must match the Port set in sshd_config
port = 2222
filter = sshd
logpath = /var/log/auth.log
# 3 failures within findtime (600 s) earn a 3600 s ban
maxretry = 3
bantime = 3600
findtime = 600
```

On hosts that log only to the systemd journal, use `backend = systemd` in place of `logpath`.

```bash
# Restart fail2ban
sudo systemctl restart fail2ban
# Check status
sudo fail2ban-client status sshd
```

## SSH Security Checklist
| Setting | Recommended | Why |
|---|---|---|
| Root login | Disabled | Never allow direct root access |
| Password auth | Disabled | Keys only |
| Port | Non-standard | Reduces automated attacks |
| Key type | ED25519 | Modern, secure, fast |
| fail2ban | Enabled | Automatic blocking |
| MaxAuthTries | 3 | Limit brute force |
## Monitoring SSH

```bash
# Watch auth log in real-time
sudo tail -f /var/log/auth.log | grep sshd
# Count failed attempts (with password auth disabled, failures appear as "Invalid user ..."
# and "Connection closed by authenticating user ... [preauth]" rather than "Failed password")
sudo grep "Failed password" /var/log/auth.log | wc -l
# List currently connected SSH users
who
w
# Match the port configured above (2222), not the default 22
ss -tnp | grep :2222
```
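A flat `grep | wc -l` undercounts once password authentication is off and says nothing about rate. The script below is an added example, not code from the original page: it applies the jail's maxretry/findtime rule (3 failures within 600 s) per source address to a constructed auth.log excerpt, where the host, users and addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample auth.log excerpt: hypothetical host, users and addresses, not real data.
SAMPLE_LOG = """\
Mar 10 10:00:02 host sshd[1201]: Connection closed by invalid user admin 203.0.113.5 port 51000 [preauth]
Mar 10 10:00:04 host sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 51001 ssh2
Mar 10 10:00:07 host sshd[1203]: Connection closed by authenticating user root 203.0.113.5 port 51002 [preauth]
Mar 10 10:05:00 host sshd[1210]: Accepted publickey for deploy from 10.0.0.7 port 40001 ssh2: ED25519 SHA256:c0nstructed
Mar 10 11:30:00 host sshd[1300]: Failed password for root from 198.51.100.9 port 2000 ssh2
Mar 10 11:45:00 host sshd[1301]: Failed password for root from 198.51.100.9 port 2001 ssh2
"""
# Syslog prefix "Mon DD HH:MM:SS host sshd[pid]: message" (the stamp carries no year)
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
# Failure lines seen with password auth on ("Failed password for ...") and off ("Invalid user ...",
# "Connection closed by invalid|authenticating user X IP port N [preauth]"); group 2 is the source IP
FAIL_RE = re.compile(r"^(?:Failed \S+ for|Invalid user|Connection closed by (?:invalid|authenticating) user)"
                     r" (?:invalid user )?(\S+) (?:from )?(\d+\.\d+\.\d+\.\d+)")
ACCEPT_RE = re.compile(r"^Accepted (\S+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")

def analyze(log_text, maxretry=3, findtime=600):
    """Per-source sliding window: flag an IP once it logs maxretry failures within findtime seconds."""
    window = defaultdict(deque)   # ip -> failure timestamps still inside the window
    failures = defaultdict(int)   # ip -> total failure lines seen
    flagged = {}                  # ip -> time the threshold was first crossed
    accepted = []                 # (method, user, ip) for successful logins
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year defaults to 1900, fine for deltas
        if ok := ACCEPT_RE.match(m.group(2)):
            accepted.append(ok.groups())
            continue
        if not (fail := FAIL_RE.match(m.group(2))):
            continue
        ip = fail.group(2)
        failures[ip] += 1
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # expire hits older than the window
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return {"flagged": flagged, "failures": dict(failures), "accepted": accepted}

if __name__ == "__main__":
    for ip, when in analyze(SAMPLE_LOG)["flagged"].items():
        print(f"ban candidate {ip}: threshold hit at {when:%H:%M:%S}")
```

Feed it real data with `analyze(open("/var/log/auth.log").read())`; the two slow failures from 198.51.100.9 show why the window matters, since a plain count would treat them like the burst from 203.0.113.5.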