SSH Security Hardening

·672 words·4 mins
Server Tutorial Ssh Security
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an untrusted network. Its most common use is remote login to a server.

Creating SSH Key Pairs
#

On the local computer, create an SSH key pair. For RSA keys, ssh-keygen has defaulted to 3072 bits since OpenSSH 8.0 (earlier releases used 2048), and 2048-bit RSA is still generally considered adequate; 4096 bits gives a larger margin at no noticeable cost, which is why the command below uses it. No server requires 4096-bit keys, it is simply the more conservative choice. An Ed25519 key (ssh-keygen -t ed25519, supported since OpenSSH 6.5) is an equally good option: the keys are short and there is no length to choose; the file names are then id_ed25519 and id_ed25519.pub instead of the RSA names listed below.

# Generate a strong SSH key pair
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

# You'll be prompted:
# Enter file in which to save the key: (Press Enter for default)
# Enter passphrase: (Use a strong passphrase!)
# Enter same passphrase again: (Confirm it)

This creates two files:

  • $HOME/.ssh/id_rsa is the private key; never share this!
  • $HOME/.ssh/id_rsa.pub is the public key; safe to share

Copy the Public Key to the Server:


# Method 1:
ssh-copy-id username@server_ip

# Method 2:

cat $HOME/.ssh/id_rsa.pub

# Copy the output, then on your server:
mkdir -p $HOME/.ssh
chmod 700 $HOME/.ssh

echo "PUBLIC_KEY_HERE" >> $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/authorized_keys

The permission steps are not optional: with the default StrictModes yes, sshd ignores authorized_keys if that file, the .ssh directory or the home directory itself is writable by anyone other than the owner, and the key login fails (falling back to a password prompt if passwords are still enabled).
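The same Method 2 procedure as a small script, added here as an example rather than taken from the original post: it validates the key line before installing it, creates the directory and file with the permissions sshd requires, and can be re-run without adding duplicates. It assumes GNU coreutils (base64 -d, od) and plain "type blob comment" key lines without leading options such as from="..."; the sample key it installs is constructed for the demonstration and is not a real key, and the function names validate_public_key, install_authorized_key and sample_public_key are chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a user's
# authorized_keys the way Method 2 does by hand, but validated, idempotent and
# with the permissions sshd's StrictModes requires. Assumes GNU coreutils
# (base64 -d, od) and plain "type blob [comment]" lines, no leading options.

# validate_public_key "TYPE BLOB [COMMENT]": 0 if the line is a plausible OpenSSH
# public key: a known type, a base64 blob, and the blob's wire-format header
# (a uint32 length followed by the type name) naming that same type.
validate_public_key() {
    set -- $1
    [ $# -ge 2 ] || return 1
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case $2 in *[!A-Za-z0-9+/=]*|'') return 1 ;; esac
    # decode the blob to bytes and read the length-prefixed type string
    _wire_type=$(printf '%s' "$2" | base64 -d 2>/dev/null | od -An -tu1 -v | awk '
        { for (i = 1; i <= NF; i++) b[n++] = $i + 0 }
        END {
            if (n < 4) exit 1
            len = b[0] * 16777216 + b[1] * 65536 + b[2] * 256 + b[3]
            if (len < 1 || len > 64 || n < 4 + len) exit 1
            s = ""
            for (i = 4; i < 4 + len; i++) s = s sprintf("%c", b[i])
            print s
        }')
    [ "$_wire_type" = "$1" ]
}

# install_authorized_key HOME KEYLINE: validate, create HOME/.ssh (700) and
# authorized_keys (600), append KEYLINE only if its type+blob is not already there.
install_authorized_key() {
    _home=$1; _keyline=$2
    if ! validate_public_key "$_keyline"; then
        echo "refused: not a valid OpenSSH public key line" >&2
        return 1
    fi
    _auth="$_home/.ssh/authorized_keys"
    mkdir -p "$_home/.ssh" && chmod 700 "$_home/.ssh"
    touch "$_auth" && chmod 600 "$_auth"
    # match on type and blob only, so a re-run with another comment adds no duplicate
    _tb=$(printf '%s\n' "$_keyline" | awk '{ print $1, $2 }')
    if awk -v want="$_tb" '($1 " " $2) == want { found = 1 } END { exit !found }' "$_auth"; then
        echo "already present: $_tb" >&2
        return 0
    fi
    printf '%s\n' "$_keyline" >> "$_auth"
    echo "installed: $_tb" >&2
}

# sample_public_key: a CONSTRUCTED ed25519 key line for the demonstration, not a
# real key. "AAAAC3NzaC1lZDI1NTE5AAAAI" is the prefix every ed25519 key shares
# (uint32 11, "ssh-ed25519", uint32 32); here it is followed by 32 zero bytes.
sample_public_key() {
    _blob='AAAAC3NzaC1lZDI1NTE5AAAAI'
    _i=0
    while [ $_i -lt 43 ]; do _blob="${_blob}A"; _i=$((_i + 1)); done
    printf 'ssh-ed25519 %s constructed@example.com\n' "$_blob"
}

demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$(sample_public_key)"
install_authorized_key "$demo_home" "$(sample_public_key)"        # re-run: already present
install_authorized_key "$demo_home" "ssh-rsa $(sample_public_key | cut -d' ' -f2) typo" || :   # type/blob mismatch: refused
cat "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

The wire-format check catches the most common paste mistakes (a truncated blob, or a key type edited by hand) before the line ever reaches authorized_keys; a real deployment would pass the target user's home directory as the first argument and run as that user or root.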

After completing these steps you can login to the server by:

ssh -p ssh-port 'username@server-ip-address'

If you have set a passphrase for the SSH key, enter it when prompted.

If you run into problems connecting to a server over SSH, add the verbose flag -v to the command, as shown below, to see each step of the connection and which authentication methods were offered and tried (-vv or -vvv gives more detail).


ssh -v -p ssh-port 'username@server-ip-address'

Creating a Backup admin User
#

In an emergency it helps to have a second user that can log in to the server. Two cautions: prefer a separate key pair for this user, because if it shares the primary user's key, one leaked private key takes both accounts; and if you later restrict logins with AllowUsers, list the backup user there too, or it will be refused even with a valid key.


# Create backup user
sudo useradd -m admin          # -m creates /home/admin; not the default on Debian/Ubuntu
sudo usermod -aG wheel admin   # substitute wheel with sudo on Debian/Ubuntu

# Copy SSH keys to backup user
sudo mkdir -p /home/admin/.ssh
sudo cp ~/.ssh/authorized_keys /home/admin/.ssh/
sudo chown -R admin:admin /home/admin/.ssh
sudo chmod 700 /home/admin/.ssh
sudo chmod 600 /home/admin/.ssh/authorized_keys
Code Snippet 1: Add a backup user that shares the same SSH key

Hardening SSH Configuration on Server
#

SSH can be configured by editing /etc/ssh/sshd_config.

  • First, change the default port. This is security through obscurity: it cuts the noise from scanners that only probe port 22, but it does not stop a targeted attacker, so treat it as a convenience rather than a control. Pick a port between 1024 and 65535 that no other service on the host uses; ports below 1024 are privileged (only root may bind them) and the well-known ones are assigned to other services. Open the new port in your firewall before restarting sshd, and on SELinux systems (RHEL, Fedora, Rocky) also allow it with: semanage port -a -t ssh_port_t -p tcp port_number

    # default port number will be 22
    Port port_number
    
  • Disable root login. Log in as an unprivileged user and use sudo instead, so every privileged action is tied to a named account.

    PermitRootLogin no
    
  • Disable password authentication. Now that the key is in place, turn off password authentication unless your use case genuinely requires it; this removes password guessing from the attack surface entirely.

    PasswordAuthentication no
    PubkeyAuthentication yes
    
  • Allow only selected users. Every account that should log in over SSH, including the backup user created above, must be listed; anyone else is refused even with a valid key.

    AllowUsers yourusername
    
  • Reduce login attempts and drop dead connections. MaxAuthTries caps the authentication attempts sshd accepts on a single connection and MaxSessions caps the sessions multiplexed over one connection. This only slows a brute-force attempt per connection; an attacker can simply reconnect, so rate limiting at the firewall or a log-based banning tool is what actually stops it. ClientAliveInterval and ClientAliveCountMax are often described as an idle timeout, but they are not: sshd sends a keepalive probe after 300 seconds without traffic and disconnects after 2 unanswered probes, which clears dead connections (crashed clients, dropped networks) while an idle session whose client still answers the probes stays open.

    MaxAuthTries 3
    MaxSessions 2
    
    ClientAliveInterval 300
    ClientAliveCountMax 2
    
  • Disable empty passwords.

    PermitEmptyPasswords no
    
  • Require key-based authentication. This makes the requirement explicit: with AuthenticationMethods publickey, sshd accepts no other method even if PasswordAuthentication is later turned back on by a drop-in file or a stray edit.

    AuthenticationMethods publickey
    

Once /etc/ssh/sshd_config has been edited, validate it with sshd -t, then restart the service for the change to take effect. The unit is called ssh on Debian and Ubuntu and sshd on RHEL-family systems, Fedora and Arch, so substitute accordingly. Two checks are worth making before the restart. First, look at any drop-in files included from /etc/ssh/sshd_config.d/: sshd uses the first value it reads for a directive, and the Include line normally sits at the top of sshd_config, so a drop-in such as the 50-cloud-init.conf that cloud-init writes on many cloud images can silently override a PasswordAuthentication no set further down. sudo sshd -T prints the effective configuration, drop-ins included, and is the quickest way to confirm the values took. Second, on Ubuntu 22.10 and later sshd is started on demand through systemd's ssh.socket, so after changing Port also run sudo systemctl daemon-reload and restart ssh.socket, and verify with ss -tlnp that the new port is the one bound.

sudo sshd -t

sudo systemctl restart ssh

sudo systemctl status ssh

Test before locking yourself out! Keep the current session open and log in from a new terminal window:


ssh -p port_number username@your_server_ip
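As an added example, not code from the post: sshd's two rules for reading its configuration are that the first value it reads for a directive wins, and that Include files are read at the point of the Include line in glob order, which is how a drop-in under /etc/ssh/sshd_config.d/ can override a directive set in sshd_config. The script below re-implements that lookup for an offline check over a constructed copy of an Ubuntu-style layout (the temp directory, file names and contents are made up for the demonstration), audits the hardening values from this section, and shows the fix: a drop-in whose name sorts before every other one. It stops at the first Match block and parses only the Keyword value form, both simplifications; sudo sshd -T on the real server remains the authoritative answer. The function names are chosen here.

```shell
#!/bin/sh
# Added example: offline lookup of the EFFECTIVE sshd configuration value.
# Mirrors two sshd rules: the FIRST value read for a directive wins, and Include
# files are read where the Include line sits, in glob order. Simplifications:
# scanning stops at the first Match block, and only "Keyword value" lines are
# parsed (not "Keyword=value"). `sudo sshd -T` on the server is authoritative.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# effective_sshd_value FILE KEY: print the winning value of KEY; return 1 if unset
effective_sshd_value() {
    _file=$1
    _key=$(lc "$2")
    while IFS= read -r _line || [ -n "$_line" ]; do
        set -- $_line                        # word-split; globs expand, as for Include
        [ $# -gt 0 ] || continue             # blank line
        case $1 in '#'*) continue ;; esac    # comment
        _d=$(lc "$1"); shift
        case $_d in
            match)   return 1 ;;             # conditional block: stop (simplification)
            include) for _f in "$@"; do
                         [ -f "$_f" ] && effective_sshd_value "$_f" "$_key" && return 0
                     done ;;
            "$_key") printf '%s\n' "$*"; return 0 ;;
        esac
    done < "$_file"
    return 1
}

# audit_sshd FILE: compare effective values with the targets from this section;
# prints one line per directive and returns the number of failures.
audit_sshd() {
    _fails=0
    for _want in PasswordAuthentication=no PermitRootLogin=no PubkeyAuthentication=yes \
                 PermitEmptyPasswords=no MaxAuthTries=3 AuthenticationMethods=publickey; do
        _k=${_want%%=*}; _v=${_want#*=}
        _got=$(effective_sshd_value "$1" "$_k") || _got='(unset: sshd default applies)'
        if [ "$(lc "$_got")" = "$_v" ]; then
            printf 'ok   %-22s %s\n' "$_k" "$_got"
        else
            printf 'FAIL %-22s %s (want %s)\n' "$_k" "$_got" "$_v"
            _fails=$((_fails + 1))
        fi
    done
    return $_fails
}

# build_fixture: a CONSTRUCTED Ubuntu-style layout in a temp dir, not a real
# server's files. sshd_config Includes sshd_config.d/*.conf, and a cloud-init
# style drop-in there turns passwords back on. Prints the directory.
build_fixture() {
    _root=$(mktemp -d)
    mkdir "$_root/sshd_config.d"
    cat > "$_root/sshd_config" <<EOF
Include $_root/sshd_config.d/*.conf
#PasswordAuthentication yes
PermitRootLogin no
PubkeyAuthentication yes
EOF
    printf 'PasswordAuthentication yes\n' > "$_root/sshd_config.d/50-cloud-init.conf"
    printf 'PasswordAuthentication no\nMaxAuthTries 3\n' > "$_root/sshd_config.d/99-hardening.conf"
    printf '%s\n' "$_root"
}

# write_hardening_dropin DIR: the fix; "00-" sorts before every other drop-in,
# so these values are read first and win.
write_hardening_dropin() {
    cat > "$1/00-hardening.conf" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AuthenticationMethods publickey
EOF
}

root=$(build_fixture)
echo "before: 99-hardening.conf loses to 50-cloud-init.conf"
audit_sshd "$root/sshd_config" || :
write_hardening_dropin "$root/sshd_config.d"
echo "after: 00-hardening.conf is read first"
audit_sshd "$root/sshd_config"
rm -rf "$root"
```

Run against a real host with audit_sshd /etc/ssh/sshd_config (as root, since the drop-in directory is usually not world-readable) and compare its output with sudo sshd -T; any disagreement means a Match block or a directive form the script does not model, and the sshd -T value is the one that counts.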

Advanced SSH Security
#

  • Restrict SSH by source address (only if you have a static IP address; if the address changes you are locked out, so keep console access available). Edit the /etc/ssh/sshd_config file.

    AllowUsers yourusername@your_ip_address
    
  • Lock the root password. This blocks password logins as root everywhere, including the console; it does not affect key-based SSH login as root, which PermitRootLogin no above already prevents. Confirm that sudo works for your own user before doing this, because a rescue shell that asks for the root password will then refuse to open until the password is reset.

    # Lock the root account
    sudo passwd -l root
    
    # Check it's locked
    sudo passwd -S root
    # Should show: root L (locked)
    

Recovery Plan (If Locked Out)
#

If you get locked out, then:

  • Use hosting provider’s console (VNC/Serial console)
  • Boot from rescue mode if available
  • Mount filesystem and fix /etc/ssh/sshd_config
  • Re-enable password authentication temporarily in /etc/ssh/sshd_config, then restart sshd:

    PasswordAuthentication yes

    sudo systemctl restart ssh
Code Snippet 2: In /etc/ssh/sshd_config

Prevention
#

  • Always test in a new terminal before closing existing connections
  • Keep a console session open during SSH changes
  • Document your SSH configuration

Conclusion
#

Further hardening is possible: other directives in /etc/ssh/sshd_config, a per-host client configuration in $HOME/.ssh/config on the local machine, two-factor authentication, and additional protective layers in front of sshd.

Author: Abilash S