How to Harden SSH on Linux: 8 Essential Security Steps

SSH is a widely used protocol for securely accessing Linux servers, but its default settings can expose several security risks, especially when root login is allowed over a public IP address.

1. Disable root login

Create a new user with sudo privileges and prevent direct root SSH access.

useradd -m exampleroot
passwd exampleroot
usermod -aG sudo exampleroot

Then edit /etc/ssh/sshd_config to add:

# PermitRootLogin no
AllowUsers exampleroot

Restart the SSH service:

sudo systemctl restart ssh

2. Change the default port

Modify the port number in /etc/ssh/sshd_config to make automated scans harder. Port 22099 After saving, restart SSH and, if a firewall is used, adjust the rules accordingly. Verify the change with netstat -tlpn.

3. Disallow empty passwords

Set PermitEmptyPasswords no in sshd_config to block accounts without passwords.

PermitEmptyPasswords no

4. Limit authentication attempts

Reduce the number of allowed password tries to mitigate brute‑force attacks.

MaxAuthTries 3

5. Enforce SSH protocol version 2

Enable the more secure protocol by adding:

Protocol 2

6. Disable TCP and X11 forwarding

Prevent attackers from tunneling other services through SSH.

X11Forwarding no
AllowTcpForwarding no

7. Use SSH key authentication

Generate a key pair with ssh-keygen, keep the private key secure, and place the public key on the server. This eliminates password‑based logins.

ssh-keygen

8. Restrict SSH access by IP

Edit /etc/hosts.allow (or firewall rules) to permit only trusted IP ranges and deny all others.

After applying these configurations, restart the SSH daemon to apply the changes.

Why Linux server security matters

Securing SSH is a fundamental step in protecting Linux servers, which host critical data and services. Proper hardening reduces the attack surface and helps prevent unauthorized access, complementing broader server‑hardening practices.