Secure Your Linux Server: 8 Essential SSH Hardening Steps

SSH is a widely used protocol for securely accessing Linux servers, but default settings can expose security risks.

Servers with open SSH root access are vulnerable, especially when reachable via a public IP, so strengthening SSH is essential.

1. Disable root login

Create a new user with sudo privileges and disable root SSH access.

useradd -m exampleroot
passwd exampleroot
usermod -aG sudo exampleroot

Then edit /etc/ssh/sshd_config to include:

#Authentication:
#LoginGraceTime 2m
PermitRootLogin no
AllowUsers exampleroot

Restart the SSH service:

sudo systemctl restart ssh

2. Change the default port

Modify /etc/ssh/sshd_config to use a non‑standard port, e.g., 22099. Port 22099 Restart SSH and adjust firewall rules accordingly.

3. Disallow empty passwords

Set PermitEmptyPasswords no in sshd_config to block users without passwords.

4. Limit login attempts

Configure MaxAuthTries 3 to terminate connections after three failed attempts.

5. Use SSH protocol version 2

Enable the more secure protocol by adding:

Protocol 2

6. Disable TCP and X11 forwarding

Prevent port and X11 forwarding attacks by setting:

X11Forwarding no
AllowTcpForwarding no

7. Use SSH key authentication

Generate a key pair with ssh-keygen, place the public key on the server, and optionally disable password authentication.

ssh-keygen

8. Restrict SSH access by IP

Edit /etc/hosts.allow to allow specific IP ranges or addresses and deny all others.