How to Harden SSH on Linux: 8 Essential Security Tweaks

1. Disable root login

Create a non‑root user with sudo privileges and modify /etc/ssh/sshd_config to block root SSH access.

useradd -m exampleroot
passwd exampleroot
usermod -aG sudo exampleroot

Then edit sshd_config (usually located at /etc/ssh/sshd_config) and set:

#Authentication:
#LoginGraceTime 2m
PermitRootLogin no
AllowUsers exampleroot

Restart the SSH service: sudo systemctl restart ssh If the command fails, try:

sudo systemctl restart sshd

2. Change the default port

The default SSH port (22) is well‑known to attackers. Change it to a non‑standard port, e.g., 22099.

Include /etc/ssh/sshd_config.d/*.conf
Port 22099

Restart SSH again and adjust any firewall rules accordingly.

3. Disallow empty passwords

Prevent users without passwords from logging in by setting:

PermitEmptyPasswords no

4. Limit authentication attempts

Reduce the risk of brute‑force attacks by limiting password tries:

MaxAuthTries 3

5. Enforce SSH protocol version 2

Disable the insecure protocol 1 by adding:

Include /etc/ssh/sshd_config.d/*.conf
Protocol 2

6. Disable TCP and X11 forwarding

Prevent attackers from tunneling through SSH by turning off forwarding features:

X11Forwarding no
AllowTcpForwarding no

7. Use SSH key authentication

Generate a public/private key pair on the client machine and disable password logins if desired. ssh-keygen The public key is placed in ~/.ssh/authorized_keys on the server, while the private key remains on the client.

8. Restrict SSH access by IP

Configure /etc/hosts.allow (or firewall rules) to permit only trusted IP ranges and deny all others. After editing, restart the SSH service to apply changes.