BestHub
Sign in
Information Security 8 min read

Secure Your Linux SSH: 8 Essential Hardening Steps

This guide walks through eight essential steps to harden SSH on Linux servers, including disabling root login, changing the default port, restricting password usage, limiting authentication attempts, enforcing protocol 2, disabling forwarding, using key-based authentication, and applying IP-based access controls.

Programmer DD
Programmer DD
Programmer DD
Secure Your Linux SSH: 8 Essential Hardening Steps

1. Disable root login

First, disable SSH access for the root user and create a new user with sudo privileges. For example, create a user named exampleroot :

useradd -m exampleroot
passwd exampleroot
usermod -aG sudo exampleroot

Explanation of the commands:

useradd creates a new user and the -m option creates a home directory.

passwd sets a strong password for the new user.

usermod -aG sudo adds the user to the sudo group.

After creating the user, edit the sshd_config file (usually located at /etc/ssh/sshd_config) and add:

# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
AllowUsers exampleroot

The PermitRootLogin line blocks root SSH access, while the AllowUsers line grants SSH rights to exampleroot .

Restart the SSH service:

sudo systemctl restart ssh

2. Change the default port

The default SSH port (22) is well‑known to attackers. Change it by editing /etc/ssh/sshd_config and adding a new port number, e.g., 22099:

Port 22099

After saving the file, restart SSH and adjust firewall rules accordingly. Verify the new port with netstat -tlpn.

3. Disallow empty passwords

Prevent users without passwords from logging in by setting PermitEmptyPasswords to no in sshd_config:

PermitEmptyPasswords no

4. Limit authentication attempts

Reduce brute‑force risk by limiting the number of password attempts. Set MaxAuthTries in sshd_config:

MaxAuthTries 3

5. Enforce SSH protocol 2

Enable the more secure protocol by adding:

Protocol 2

6. Disable TCP and X11 forwarding

Prevent port‑forwarding attacks by disabling these options in sshd_config:

AllowTcpForwarding no
X11Forwarding no

7. Use SSH key authentication

Generate a key pair with ssh-keygen, keep the private key secure, and copy the public key to the server. Optionally, disable password authentication entirely in sshd_config.

ssh-keygen

8. Restrict SSH access by IP

Edit /etc/hosts.allow to permit only trusted IP ranges or specific addresses, then restart the SSH service.

Importance of Linux server security

Server administrators must prioritize data protection, as Linux servers often host critical web services. Securing SSH is one essential layer; combined with firewalls, regular updates, and monitoring, it helps mitigate attacks and safeguard sensitive information.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

ConfigurationLinuxSecurityServer
Programmer DD
Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment