Securing SSH (Secure Shell) is one of the most important steps for protecting your Linux servers. Since SSH is the default way administrators connect to servers, weak configurations can leave your system vulnerable to brute-force attacks, unauthorized logins, or privilege escalation.

In this guide, we’ll cover:
✅ Why SSH security matters
✅ Step-by-step hardening practices
✅ Configuration examples
✅ Real-world scenarios

💡 Why Secure SSH?

• SSH runs on port 22 by default → targeted by bots constantly 🌐

• Weak passwords = easy brute-force entry 🔑

• Misconfigured access may allow root logins ⚠️

• Hardening SSH drastically reduces attack surface 🛡️

🔹 Step 1: Update Your Server 🛠️

Before making changes, always update packages:

sudo apt update && sudo apt upgrade -y   # Ubuntu/Debian
sudo dnf update -y                       # Fedora/AlmaLinux/RHEL

🔹 Step 2: Create a New User 👤

Never use root for daily SSH logins. Create a dedicated user:

sudo adduser back2cloud
sudo usermod -aG wheel back2cloud   # On RHEL/AlmaLinux
sudo usermod -aG sudo back2cloud    # On Ubuntu/Debian

🔹 Step 3: Disable Root Login ❌

Edit SSH configuration:

sudo nano /etc/ssh/sshd_config

Find and update:

PermitRootLogin no

Restart SSH:

sudo systemctl restart sshd

🔹 Step 4: Use Key-Based Authentication 🔑

Generate SSH key on your local machine:

ssh-keygen -t rsa -b 4096 -C "[email protected]"

Copy the key to server:

ssh-copy-id back2cloud@your_server_ip

Or manually:

cat ~/.ssh/id_rsa.pub | ssh back2cloud@your_server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Then disable password authentication:

PasswordAuthentication no

🔹 Step 5: Change Default Port 🎯

Bots target port 22 by default. Change it (e.g., 2222):

Port 2222

Update firewall rules:

sudo ufw allow 2222/tcp     # Ubuntu/Debian
sudo firewall-cmd --permanent --add-port=2222/tcp && sudo firewall-cmd --reload  # RHEL/Fedora/AlmaLinux

🔹 Step 6: Limit Access 🚪

• Allow only specific users:

  AllowUsers back2cloud
  

• Restrict SSH to internal IPs with firewall rules.

• Install Fail2Ban for brute-force protection:

  sudo apt install fail2ban -y    # Ubuntu/Debian
  sudo dnf install fail2ban -y    # RHEL/Fedora/AlmaLinux
  

🔹 Step 7: Monitor SSH Logs 📊

Logs are stored in:

• /var/log/auth.log (Debian/Ubuntu)

• /var/log/secure (RHEL/Fedora/AlmaLinux)

View failed login attempts:

sudo grep "Failed password" /var/log/auth.log

🧪 Real-World Examples

✔️ Production Server (AlmaLinux) – Disable password login, allow only keys.
✔️ Dev Server (Ubuntu) – Change SSH port, enable Fail2Ban.
✔️ Multi-User Setup – Use AllowUsers to restrict SSH access.

✅ Conclusion

Securing SSH is a must-do step for every Linux administrator 🚀. By:

• Disabling root login,

• Using SSH keys,

• Changing default ports,

• Adding Fail2Ban,

… you can block 90% of common attack vectors.

👉 Always test your configuration before closing your session — otherwise, you may lock yourself out.

With these steps, your Linux servers will be safer, stronger, and ready for production 🛡️.