5 Essential SSH Best Practices to Harden Your Linux Server
This guide outlines five practical SSH security measures—including two‑factor authentication, changing default settings, certificate‑based login, bastion host deployment, and firewall configuration—to significantly improve the baseline protection of Linux servers.
1. Enable Two‑Factor Authentication
Two‑factor authentication requires two distinct forms of verification before granting access, such as a password plus a one‑time code sent to a mobile device. While OTPs can be vulnerable to MITM attacks, any two‑factor method is more secure than single‑factor authentication.
Strong factors like USB keys or Touch ID further enhance security, ensuring that SSH logins require multiple credentials rather than just a password or key.
2. Change Default Settings
Change the Default Port
By default SSH listens on port 22, which attackers often scan first. Switching to a non‑standard port reduces exposure to automated scans.
For example, in /etc/ssh/sshd_config:

Port 7001

Disable Root Login

Allowing direct root SSH access is risky because it grants full system control. Disable it by editing /etc/ssh/sshd_config:

PermitRootLogin no

Then reload the service:

/etc/init.d/sshd reload

or restart it:

/etc/init.d/sshd restart

Disabling root login also makes every action attributable to an individual user account, which improves auditability.
Disable Password Authentication
Password‑based logins are convenient but prone to theft. Replacing passwords with secure certificates (public‑key authentication) mitigates this risk.
Restrict Access with AllowUsers
By default all system users can SSH in. Limiting SSH access to specific users via the AllowUsers directive minimizes the attack surface.
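The four settings in this section can be checked mechanically. The script below is an added example, not code from the original article: it reads an sshd_config file and reports whether Port, PermitRootLogin, PasswordAuthentication and AllowUsers are set as recommended, using the OpenSSH rule that the first uncommented occurrence of a keyword wins and that lines after a Match block are conditional. The two sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# four settings discussed in section 2 (Port, PermitRootLogin,
# PasswordAuthentication, AllowUsers). The sample configs below are constructed.

# Print the effective global value of a keyword. sshd uses the FIRST
# uncommented occurrence of each keyword, and anything after a Match line
# is conditional, so parsing stops there. (The "Keyword=value" spelling
# is not handled here.)
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }               # comment lines
        /^[[:space:]]*$/ { next }               # blank lines
        tolower($1) == "match" { exit }         # only global settings count
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            print
            exit
        }
    ' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Exit status 0 when every check passes, 1 otherwise; one report line per check.
audit_sshd_config() {
    cfg="$1"; rc=0
    port=$(sshd_directive "$cfg" Port)
    root=$(sshd_directive "$cfg" PermitRootLogin)
    pass=$(sshd_directive "$cfg" PasswordAuthentication)
    users=$(sshd_directive "$cfg" AllowUsers)

    # OpenSSH defaults when a keyword is absent: Port 22,
    # PermitRootLogin prohibit-password, PasswordAuthentication yes, no AllowUsers.
    if [ "${port:-22}" = 22 ]; then
        echo "FAIL Port: 22 (default, scanned first)"; rc=1
    else
        echo "OK   Port: $port"
    fi
    if [ "$(lc "${root:-prohibit-password}")" = no ]; then
        echo "OK   PermitRootLogin: no"
    else
        echo "FAIL PermitRootLogin: ${root:-unset}"; rc=1
    fi
    if [ "$(lc "${pass:-yes}")" = no ]; then
        echo "OK   PasswordAuthentication: no"
    else
        echo "FAIL PasswordAuthentication: ${pass:-unset, defaults to yes}"; rc=1
    fi
    if [ -n "$users" ]; then
        echo "OK   AllowUsers: $users"
    else
        echo "FAIL AllowUsers: unset, every local account may log in"; rc=1
    fi
    return "$rc"
}

# Constructed sample files: a stock-looking default config and a hardened one.
tmp=$(mktemp -d)
WEAK_CFG="$tmp/sshd_config.weak"
HARD_CFG="$tmp/sshd_config.hard"
cat > "$WEAK_CFG" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# Port 22   (commented out, so ignored)
Port 7001
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice bob
Match User backup
    PasswordAuthentication yes
EOF

echo "== default config"; audit_sshd_config "$WEAK_CFG" || echo "needs hardening"
echo "== hardened config"; audit_sshd_config "$HARD_CFG"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit status means at least one of the four settings still has its default value. After editing the real file, `sshd -t` validates the syntax before the service is reloaded.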
3. Use SSH Keys for Client Authentication
Public‑key authentication is a stronger alternative to passwords, though it requires safeguarding private keys on client devices. SSH keys function like passwords but are exchanged as text and can be verified using X.509 certificates, providing a scalable and secure login method.
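The following is an added example, not code from the original article, showing the client side of a key rollout with OpenSSH's own tools: a passphrase-protected Ed25519 key is generated with owner-only permissions, its public half is copied to the server with ssh-copy-id, and a key-only login is tested before passwords are switched off on the server. It assumes ssh-keygen and ssh-copy-id are installed; the host server.example and the user alice are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: generate a passphrase-protected
# Ed25519 client key and install its public half on a server with ssh-copy-id.
# Assumes OpenSSH's ssh-keygen/ssh-copy-id on the client; host "server.example"
# and user "alice" below are placeholders.

# make_client_key <private-key-path> <passphrase> [comment]
# Returns 1 on bad arguments (notably an empty passphrase), 2 if ssh-keygen fails.
make_client_key() {
    keyfile="$1"; passphrase="$2"; comment="${3:-ssh-client-key}"
    if [ -z "$keyfile" ] || [ -z "$passphrase" ]; then
        echo "usage: make_client_key <path> <passphrase> [comment]" >&2
        echo "refusing to create a private key without a passphrase" >&2
        return 1
    fi
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite $keyfile" >&2
        return 1
    fi
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed" >&2; return 2; }
    # Subshell so the restrictive umask does not leak into the caller:
    # the key directory and both key files are created owner-only.
    # -a 64 raises the KDF rounds protecting the private key at rest.
    (
        umask 077
        mkdir -p "$(dirname "$keyfile")" &&
        ssh-keygen -q -t ed25519 -a 64 -C "$comment" -N "$passphrase" -f "$keyfile"
    ) || return 2
    echo "public key to publish on the server (the private half never leaves this client):"
    cat "$keyfile.pub"
}

# install_client_key <user@host> <private-key-path>
# Copies the public key into the remote authorized_keys, then proves the key
# works by forcing a key-only login. Only after this succeeds should
# PasswordAuthentication be set to "no" on the server.
install_client_key() {
    target="$1"; keyfile="$2"
    [ -n "$target" ] && [ -f "$keyfile.pub" ] || { echo "usage: install_client_key <user@host> <key>" >&2; return 1; }
    ssh-copy-id -i "$keyfile.pub" "$target" || return 2
    # PasswordAuthentication=no on the client side makes this test fail loudly
    # if the key was not installed, instead of silently falling back to a password.
    ssh -i "$keyfile" -o PasswordAuthentication=no "$target" true
}

# Usage (placeholders):
#   make_client_key ~/.ssh/id_ed25519 'a long passphrase' alice@laptop
#   install_client_key alice@server.example ~/.ssh/id_ed25519
```

The order matters: the server keeps accepting passwords until the key login has been verified, so a typo in the public key cannot lock the administrator out.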
4. Deploy a Bastion Host
A bastion host sits in the public network, acting as the first point of contact before the firewall. It isolates external traffic and protects internal systems by limiting direct SSH exposure.
5. Configure a Firewall
Firewalls enforce predefined rules on inbound and outbound traffic. Linux administrators can use iptables (netfilter) to allow SSH connections only from trusted IPs, ports, or protocols, and to limit connection rates, thereby reducing the likelihood of brute‑force attacks.
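As an added example, not code from the original article, the function below builds the iptables (netfilter) rule set this section describes: SSH on the chosen port is accepted only from trusted source networks, a source that opens too many new connections in a short window is dropped, and everyone else is dropped. It prints the rules instead of applying them so they can be reviewed first; the networks shown are documentation ranges used as placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: build iptables (netfilter) rules
# that accept SSH on the chosen port only from trusted source networks and drop a
# source that opens too many new connections. The function prints the rules
# rather than applying them so they can be reviewed first; the networks below
# are documentation ranges used as placeholders.

# ssh_firewall_rules <port> <cidr-or-ip>...
ssh_firewall_rules() {
    port="$1"; [ $# -gt 0 ] && shift
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ] || [ $# -eq 0 ]; then
        echo "usage: ssh_firewall_rules <port 1-65535> <trusted cidr>..." >&2; return 1
    fi
    # 1. Packets of sessions already accepted are always allowed, so the
    #    administrator's current session survives a mistake further down.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. Every new SSH connection attempt is recorded per source address; a 5th
    #    attempt within 60 s from the same source is dropped (brute-force throttle).
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name ssh --set"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP"
    # 3. Only the trusted networks may open a new SSH connection.
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $net -m conntrack --ctstate NEW -j ACCEPT"
    done
    # 4. Everyone else is silently dropped.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Review the generated rules; apply them with:
#   ssh_firewall_rules 7001 203.0.113.0/24 198.51.100.7 | sh
ssh_firewall_rules 7001 203.0.113.0/24 198.51.100.7
```

The port argument should match the Port directive in sshd_config; if the port was moved as recommended in section 2, a rule that still references 22 leaves the new port unprotected. Rules added with `-A` are not persistent across reboots, so save them with the distribution's iptables-save mechanism once they are verified.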
Conclusion
The recommended practices are not mandatory but should be adapted to organizational and compliance requirements. Implementing them—especially two‑factor authentication, certificate‑based login, and bastion hosts—can be complex for small teams.
Source: 21CTO (21CTO.com)