How to Harden SSH on Linux: 8 Essential Security Steps
This guide explains why the default SSH configuration on Linux is risky and provides eight concrete hardening measures—including disabling root login, changing the default port, enforcing key‑based authentication, limiting login attempts, and restricting access by IP—to secure your server against common attacks.
SSH is a widely used protocol for securely accessing Linux servers, but its default configuration can expose several security risks, especially when the root account is allowed remote access.
1. Disable root login
Create a new user with sudo privileges and prevent direct root SSH access.
useradd -m exampleroot
passwd exampleroot
usermod -aG sudo exampleroot
Then edit /etc/ssh/sshd_config to include:
PermitRootLogin no
AllowUsers exampleroot
2. Change the default port
The default SSH port (22) is well‑known to attackers. Change it to a non‑standard value, e.g., 22099:
Port 22099
After editing the config, restart SSH:
sudo systemctl restart ssh
3. Disallow empty passwords
Prevent accounts without passwords from logging in by setting:
PermitEmptyPasswords no
4. Limit login attempts
Reduce brute‑force risk by limiting authentication retries:
MaxAuthTries 3
5. Enforce SSH protocol version 2
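Protocol 2 is more secure than the legacy version 1. Add the following line to the config; current OpenSSH releases implement only protocol 2, so the directive matters only on older servers: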
Protocol 2
6. Disable TCP and X11 forwarding
Prevent attackers from tunneling other services through SSH:
X11Forwarding no
AllowTcpForwarding no
7. Use SSH key authentication
Generate a key pair with ssh-keygen, keep the private key secure, and place the public key on the server. This eliminates password‑based logins.
ssh-keygen
8. Restrict SSH access by IP
Configure /etc/hosts.allow to allow only trusted IP ranges and deny all others.
After applying the above changes, restart the SSH service to apply the new settings.
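An added example, not part of the original guide: a small Python check that parses sshd_config text and reports which of the settings from steps 1 to 4 and 6 are not in effect. The function names, finding strings and sample config are constructed for illustration; a commented-out directive counts as unset, because sshd ignores it.

```python
# Added example (not from the guide): fixed values from steps 1, 3, 4 and 6.
REQUIRED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "maxauthtries": "3",
    "x11forwarding": "no",
    "allowtcpforwarding": "no",
}

def effective_settings(config_text):
    """Collect keyword -> [values] from the global section: '#' lines are
    comments, keywords are case-insensitive, parsing stops at the first Match."""
    settings = {}
    for raw in config_text.splitlines():
        keyword, value = (raw.split(None, 1) + ["", ""])[:2]
        keyword = keyword.lower()
        if not keyword or keyword.startswith("#"):
            continue
        if keyword == "match":  # conditional blocks follow; global scope ends
            break
        settings.setdefault(keyword, []).append(value.strip())
    return settings

def audit(config_text):
    """Return sorted findings; an empty list means every check passed.
    For the single-valued keywords in REQUIRED, sshd uses the first occurrence."""
    s = effective_settings(config_text)
    findings = []
    for keyword, want in REQUIRED.items():
        got = s.get(keyword, ["not set"])[0].lower()
        if got != want:
            findings.append(f"{keyword}: {got}, want {want}")
    if "22" in s.get("port", ["22"]):  # Port may repeat; unset means 22
        findings.append("port: 22 still open")
    if "allowusers" not in s:
        findings.append("allowusers: not set")
    return sorted(findings)

# Constructed sample: the root-login line is commented out, so sshd ignores it.
SAMPLE = """\
# PermitRootLogin no
AllowUsers exampleroot
Port 22099
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
AllowTcpForwarding no
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all checks passed")
```

To audit a real server, pass the contents of /etc/ssh/sshd_config to audit(); files pulled in through Include directives are not followed.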
Securing SSH is a fundamental part of protecting a Linux server; combined with other hardening measures, it significantly reduces the attack surface.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
