How to Harden Ubuntu 20.04 Server: SSH, Users, Keys, and Firewall

This guide walks through securing an Ubuntu 20.04 server by updating packages, changing the default SSH port, enforcing strong passwords, creating a non‑root user with sudo, disabling root login, enabling RSA key authentication, configuring the UFW firewall, and blocking ping requests.

Java Tech Enthusiast

What is the risk?

Anyone who knows the four elements (IP address, port, username and password) can log into your server. Default settings (IP is public, port 22, user root) expose three of these, leaving security dependent on a single password.

Start hardening work

Example uses Ubuntu 20.04 (Debian is similar, CentOS differs). First update the package index and upgrade installed packages.

apt update

apt upgrade

1. Change the SSH port

Replace the default port 22 with a custom one (e.g., 9876).

Open the SSH configuration file:

nano /etc/ssh/sshd_config

Search for Port 22 and replace 22 with your chosen port.

Save and exit (Ctrl + O, Enter, Ctrl + X).

Restart the SSH service:

sudo service sshd restart

Connect next time with the new port:

ssh root@YOUR_SERVER_IP -p 9876

2. Use a strong password

Run passwd to change the root password; the input is hidden for security. It is strongly recommended to generate a complex password with a manager such as 1Password.

3. Create a regular user

Add a new user (example: adduser vpsadmin) and set its password.

Install sudo:

apt update && apt install sudo

Edit the sudoers file with visudo and add under User Privilege Specification:

vpsadmin ALL=(ALL:ALL) ALL

(Optionally, vpsadmin ALL=(ALL) NOPASSWD: ALL to skip password prompts, though this is not recommended for security.)

4. Disable root login

Edit /etc/ssh/sshd_config and change PermitRootLogin yes to PermitRootLogin no.

Restart SSH: sudo service sshd restart.

Future logins must use the new user, e.g., ssh vpsadmin@YOUR_SERVER_IP -p 9876.

5. Enable RSA key authentication and disable password login

Replace password authentication with public‑key authentication.

Generate a key pair on the local machine (Linux/macOS):

ssh-keygen -t rsa -b 4096 -C "myvps"

On the server, create the .ssh directory:

mkdir -p ~/.ssh
chmod 700 ~/.ssh

Copy the public key to the server:

scp -P 9876 ~/.ssh/id_rsa.pub USERNAME@IP_ADDRESS:/home/USERNAME/.ssh/authorized_keys

Set correct permissions:

chmod 600 ~/.ssh/authorized_keys

Edit /etc/ssh/sshd_config, change PasswordAuthentication yes to no, then restart SSH:

sudo nano /etc/ssh/sshd_config

Only machines that possess the private key can now connect.
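The following script is an added example, not part of the original article: it checks a config file for the three sshd_config changes made in steps 1, 4 and 5, following sshd's rule that the first occurrence of a keyword wins. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the sshd_config settings changed in steps 1, 4 and 5.
# All function names and the sample config below are constructed for illustration.

# Global (pre-Match) values of keyword $1 in file $2, one per line, lowercased.
# Keywords are case-insensitive; lines after the first Match are conditional.
sshd_values() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2) }
    ' "$2"
}

# Effective value of a single-valued keyword: sshd keeps the FIRST occurrence,
# otherwise the OpenSSH default passed as $3.
sshd_first() {
    v=$(sshd_values "$1" "$2" | head -n 1)
    echo "${v:-$3}"
}

# Print one FAIL line per problem; return 0 only if all three settings hold.
audit_sshd_config() {
    cfg=$1; rc=0
    ports=$(sshd_values Port "$cfg"); ports=${ports:-22}
    # Port may be repeated, and sshd listens on every port listed.
    if echo "$ports" | grep -qx 22; then echo "FAIL Port 22 still in use"; rc=1; fi
    root=$(sshd_first PermitRootLogin "$cfg" prohibit-password)
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root"; rc=1; }
    pass=$(sshd_first PasswordAuthentication "$cfg" yes)
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=$pass"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

# Constructed sample: the "no" appended at the end loses to the earlier "yes".
sample_config() {
    printf '%s\n' '# constructed sample' 'Port 9876' 'PermitRootLogin no' \
        'PasswordAuthentication yes' 'passwordauthentication no' \
        'Match User backup' '    PasswordAuthentication yes'
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_config "$tmp" || true
rm -f "$tmp"
```

On a live server, `sudo sshd -t` validates the file before a restart and `sudo sshd -T` prints the configuration sshd will actually use, including any included files.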

6. Enable the UFW firewall

Set default policies:

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow SSH on the custom port:

sudo ufw allow 9876/tcp comment 'SSH'

Allow HTTP and HTTPS:

sudo ufw allow http
sudo ufw allow https

Enable the firewall:

sudo ufw enable

Check status:

sudo ufw status

Optional: delete a rule (sudo ufw delete 5) or reload configuration (sudo ufw reload).

7. Disable ping (ICMP echo)

Prevent ping‑based DDoS attacks by editing /etc/ufw/before.rules, locating the echo-request rule and changing its action from ACCEPT to DROP.

These steps provide a solid baseline for protecting a Linux server against common remote attacks.
