Securing SSH (Secure Shell) is one of the most important steps for protecting your Linux servers. Since SSH is the default way administrators connect to servers, weak configurations can leave your system vulnerable to brute-force attacks, unauthorized logins, or privilege escalation.
In this guide, we’ll cover:
✅ Why SSH security matters
✅ Step-by-step hardening practices
✅ Configuration examples
✅ Real-world scenarios
SSH runs on port 22 by default → targeted by bots constantly 🌐
Weak passwords = easy brute-force entry 🔑
Misconfigured access may allow root logins ⚠️
Hardening SSH drastically reduces attack surface 🛡️
Before making changes, always update packages:
sudo apt update && sudo apt upgrade -y # Ubuntu/Debian
sudo dnf update -y # Fedora/AlmaLinux/RHEL
Never use root for daily SSH logins. Create a dedicated user:
sudo adduser back2cloud
sudo usermod -aG wheel back2cloud # On RHEL/AlmaLinux
sudo usermod -aG sudo back2cloud # On Ubuntu/Debian
Edit SSH configuration:
sudo nano /etc/ssh/sshd_config
Find and update:
PermitRootLogin no
Restart SSH:
sudo systemctl restart sshd
Generate SSH key on your local machine:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Copy the key to server:
ssh-copy-id back2cloud@your_server_ip
Or manually:
cat ~/.ssh/id_rsa.pub | ssh back2cloud@your_server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Then disable password authentication:
PasswordAuthentication no
Bots target port 22 by default. Change it (e.g., 2222):
Port 2222
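Update firewall rules (on RHEL-family systems with SELinux enforcing, sshd must also be permitted to bind the new port in SELinux policy, or it will fail to start on that port):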
sudo ufw allow 2222/tcp # Ubuntu/Debian
sudo firewall-cmd --permanent --add-port=2222/tcp && sudo firewall-cmd --reload # RHEL/Fedora/AlmaLinux
Allow only specific users:
AllowUsers back2cloud
Restrict SSH to internal IPs with firewall rules.
Install Fail2Ban for brute-force protection:
sudo apt install fail2ban -y # Ubuntu/Debian
sudo dnf install fail2ban -y # RHEL/Fedora/AlmaLinux
Logs are stored in:
/var/log/auth.log (Debian/Ubuntu)
/var/log/secure (RHEL/Fedora/AlmaLinux)
View failed login attempts:
sudo grep "Failed password" /var/log/auth.log
✔️ Production Server (AlmaLinux) – Disable password login, allow only keys.
✔️ Dev Server (Ubuntu) – Change SSH port, enable Fail2Ban.
✔️ Multi-User Setup – Use AllowUsers to restrict SSH access.
Securing SSH is a must-do step for every Linux administrator 🚀. By:
Disabling root login,
Using SSH keys,
Changing default ports,
Adding Fail2Ban,
… you can block 90% of common attack vectors.
👉 Always test your configuration before closing your session — otherwise, you may lock yourself out.
With these steps, your Linux servers will be safer, stronger, and ready for production 🛡️.
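One way to check the edited file before restarting sshd, as an added example that is not part of the original guide: the script reads an sshd_config-style file and reports whether PermitRootLogin, PasswordAuthentication and AllowUsers match the settings above. The function names and the sample file are constructed for illustration, and the script assumes a single file (it does not follow Include directives).

```shell
#!/bin/sh
# Added example (not from the original guide): static check of an
# sshd_config-style file for the settings this guide recommends.

# effective_value FILE KEYWORD
# Prints the first value set for KEYWORD in the global section, lowercased.
# sshd uses the first value it obtains for a keyword, and keywords are
# case-insensitive, so a later "PermitRootLogin no" cannot fix an earlier "yes".
effective_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        { split($0, f, /[ \t=]+/) }            # accept "Key value" and "Key=value"
        tolower(f[1]) == "match" { exit }      # Match blocks are conditional
        tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one FINDING line per weak setting; returns 0 if clean, 1 otherwise.
audit_sshd_config() {
    cfg=$1; rc=0
    # Upstream OpenSSH defaults apply when a keyword is absent.
    root=$(effective_value "$cfg" PermitRootLogin);        root=${root:-prohibit-password}
    pass=$(effective_value "$cfg" PasswordAuthentication); pass=${pass:-yes}
    users=$(effective_value "$cfg" AllowUsers)
    [ "$root" = no ] || { echo "FINDING: PermitRootLogin=$root"; rc=1; }
    [ "$pass" = no ] || { echo "FINDING: PasswordAuthentication=$pass"; rc=1; }
    [ -n "$users" ]  || { echo "FINDING: AllowUsers not set"; rc=1; }
    return "$rc"
}

# Constructed sample: looks hardened at the bottom, but the first lines win.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server config
Port 2222
permitrootlogin yes
PasswordAuthentication=yes
AllowUsers back2cloud
PermitRootLogin no
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "fix the findings above before restarting sshd"
rm -f "$sample"
```

On a live server, `sudo sshd -t` checks the file for syntax errors and `sudo sshd -T` prints the effective configuration, including any drop-in files that this single-file check does not read.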