How to Harden SSH on Linux: 8 Essential Security Steps

This guide explains why the default SSH configuration is risky and provides eight practical measures—including disabling root login, changing the default port, restricting password use, and employing key‑based authentication—to secure SSH access on Linux servers.

MaGe Linux Operations

SSH is a widely used protocol for securely accessing Linux servers, but its default configuration can expose several security risks, especially when the root account is accessible over a public IP.

The following steps show how to protect SSH connections on Linux.

1. Disable root login

Create a new user with sudo privileges and prevent the root account from logging in via SSH.

useradd -m exampleroot
passwd exampleroot
usermod -aG sudo exampleroot

Then edit /etc/ssh/sshd_config to add:

# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
AllowUsers exampleroot

Restart the SSH service (the unit is named ssh on Debian and Ubuntu, sshd on most other distributions):

sudo systemctl restart ssh

2. Change the default port

The default SSH port (22) is well‑known to attackers. Change it to a non‑standard port, e.g., 22099.

Include /etc/ssh/sshd_config.d/*.conf
Port 22099

Restart SSH and update the firewall rules to allow the new port.

3. Disallow empty passwords

Prevent users without passwords from logging in by setting:

PermitEmptyPasswords no

4. Limit login attempts

Reduce the number of allowed authentication attempts to mitigate brute‑force attacks.

MaxAuthTries 3

5. Use SSH protocol version 2

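Enable the more secure SSH‑2 protocol. Recent OpenSSH servers speak only protocol 2 and treat the Protocol directive as deprecated, so this setting matters on older installations:

Include /etc/ssh/sshd_config.d/*.conf
Protocol 2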

6. Disable TCP and X11 forwarding

Prevent attackers from tunneling through SSH by disabling forwarding:

X11Forwarding no
AllowTcpForwarding no

7. Use SSH key authentication

Generate a key pair with ssh-keygen, keep the private key secure, and place the public key on the server. This removes the need for password‑based logins.

ssh-keygen

8. Restrict SSH access by IP

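Configure /etc/hosts.allow to allow only trusted IP ranges or specific addresses, denying all others. This file is read by TCP wrappers, so it only takes effect where sshd is built with libwrap support.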

After making these changes, restart the SSH service so they take effect.
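
An audit of the directives from steps 1, 3, 4 and 6, added here as an example and not part of the original article; the names audit_sshd, GUIDE_SETTINGS and sample_config and the sample configuration are constructed for illustration. It applies sshd's rule that the first value read for a keyword wins and does not follow Include files, so on a live host feed it the output of `sshd -T` rather than a single file.

```shell
#!/bin/sh
# Added example: audit sshd settings against the values this guide recommends.
# Reads configuration text on stdin: a config file, or the output of `sshd -T`.

# keyword=value pairs from steps 1, 3, 4 and 6, in lowercase because sshd
# keywords are case-insensitive and `sshd -T` prints them in lowercase.
GUIDE_SETTINGS='permitrootlogin=no permitemptypasswords=no maxauthtries=3 x11forwarding=no allowtcpforwarding=no'

audit_sshd() {
    awk -v settings="$GUIDE_SETTINGS" '
    BEGIN {
        n = split(settings, pair, " ")
        for (i = 1; i <= n; i++) { split(pair[i], kv, "="); key[i] = kv[1]; want[kv[1]] = kv[2] }
    }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { sub(/=/, " "); k = tolower($1) }      # accept "Keyword value" and "Keyword=value"
    k == "match" { exit }                   # audit the global section only
    (k in want) && !(k in got) { got[k] = tolower($2) }   # sshd uses the first value it reads
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = key[i]
            found = (k in got) ? got[k] : "-"
            if (!(k in got)) status = "UNSET"            # falls back to the built-in default
            else if (k == "maxauthtries") status = (got[k] + 0 <= want[k] + 0) ? "OK" : "WEAK"
            else status = (got[k] == want[k]) ? "OK" : "WEAK"
            if (status != "OK") bad++
            printf("%-5s %s (want %s, found %s)\n", status, k, want[k], found)
        }
        exit (bad > 0)                      # non-zero exit when anything needs attention
    }'
}

# Constructed sample configuration, not taken from a real host.
sample_config() {
    cat <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 22099
PermitRootLogin no
permitemptypasswords no
MaxAuthTries 6
MaxAuthTries 3
X11Forwarding=yes
Match User exampleroot
    AllowTcpForwarding no
EOF
}

sample_config | audit_sshd || echo "sample configuration needs changes"
```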
