1. Install and enable the SSH server using package managers like apt or dnf, then start and verify the service.
2. Harden SSH configuration by changing the default port to 2222, disabling root login with PermitRootLogin no, allowing specific users via AllowUsers, disabling password authentication in favor of SSH keys, generating and copying ed25519 key pairs, limiting authentication attempts with MaxAuthTries 3 and login time with LoginGraceTime 30, and disabling unused authentication methods.
3. Install and configure Fail2Ban by creating a jail.local file, enabling SSH protection on port 2222, setting maxretry to 3 and bantime to 3600, then starting and enabling the service.
4. Further secure the system by keeping it updated with regular patches, configuring firewalls like ufw to allow only port 2222, disabling outdated SSH protocols and ciphers by specifying secure KexAlgorithms, Ciphers, and MACs, and monitoring logs in /var/log/auth.log for suspicious activity.
A secure SSH setup requires multiple layers including port changes, disabled root and password logins, key-based authentication, Fail2Ban protection, and system updates, all of which significantly reduce the risk of unauthorized access compared to default configurations.
Setting up a secure SSH server on Linux is essential for safely managing remote systems. While SSH is secure by default in many ways, a few key configuration changes can greatly reduce the risk of unauthorized access. Here’s how to do it right.

1. Install and Enable the SSH Server
Most Linux distributions come with OpenSSH, but it may not be installed or enabled by default.
On Debian/Ubuntu:

sudo apt update
sudo apt install openssh-server
sudo systemctl enable ssh
sudo systemctl start ssh
On RHEL/CentOS/Fedora:
sudo dnf install openssh-server
sudo systemctl enable sshd
sudo systemctl start sshd
Verify it's running:

sudo systemctl status ssh    # the unit is named sshd on RHEL/CentOS/Fedora
2. Harden the SSH Configuration
The main SSH config file is located at /etc/ssh/sshd_config. Always back it up before editing:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo nano /etc/ssh/sshd_config
Make the following changes:
Change the default port
Using a non-standard port (e.g., 2222) reduces automated bot attacks:
Port 2222
Note: Update your firewall and SELinux (if enabled) to allow the new port.
Disable root login
Prevent direct root access to limit damage from brute-force attacks:
PermitRootLogin no
Allow only specific users
Restrict SSH access to trusted users:
AllowUsers yourusername
You can also use AllowGroups if managing via group membership.
Disable password authentication (use SSH keys only)
This is one of the most effective security improvements:
PasswordAuthentication no
Make sure you’ve set up SSH keys before enabling this.
Use key-based authentication
Generate a key pair on your local machine:
ssh-keygen -t ed25519
Copy the public key to the server:
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 user@server-ip    # give -p before the host so ssh-copy-id passes it to ssh correctly
Limit authentication attempts and login time
MaxAuthTries 3
LoginGraceTime 30
Disable unused authentication methods
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
Note: ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication (OpenSSH 8.7 and later accept both). UsePAM no also switches off PAM account and session checks (such as account expiry and lockout); on systems that rely on PAM, keep UsePAM yes, since PasswordAuthentication no already prevents password logins.
After changes, restart SSH:
sudo systemctl restart ssh
Test your connection in a second terminal before closing your current session!
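The edits above are usually made by hand in an editor. As an added example (not part of the original article), the script below applies the same directives to a config file without creating duplicates, keeps the backup the article recommends, and validates the result with sshd -t before the service is restarted, so a typo cannot lock you out on restart. The file path, port and user name are parameters so it can be tried on a copy of the file first; it assumes GNU sed and a POSIX shell, and it leaves UsePAM alone. Two caveats the script encodes: sshd honours the first occurrence of a directive, so existing (and commented-out) lines are rewritten instead of appended below; and on Ubuntu 22.04 and later the Include line near the top of sshd_config pulls in /etc/ssh/sshd_config.d/*.conf, whose settings win over anything later in the main file, so check the effective values with sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin|^port' after applying.

```shell
#!/bin/sh
# Added example, not from the original article: idempotently apply the
# article's sshd_config hardening and validate it before restarting sshd.
# Assumes GNU sed (Linux) and a POSIX shell; run as root on a live system.
set -eu

# set_directive FILE KEY VALUE
# sshd uses the FIRST occurrence of a directive, so every active or
# commented-out "#Key value" line is rewritten rather than a new line
# appended below an old one that would silently win.
set_directive() {
  file=$1; key=$2; value=$3
  if grep -Eq "^[[:space:]]*#?$key([[:space:]]|\$)" "$file"; then
    sed -i -E "s|^[[:space:]]*#?$key([[:space:]].*)?\$|$key $value|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_directive FILE KEY
# Returns the value sshd would take from this file: the first active match,
# compared case-insensitively as sshd does.
get_directive() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# apply_hardening FILE PORT USER
# The directive set from sections 2 and 4 of the article.
apply_hardening() {
  file=$1; port=$2; user=$3
  cp "$file" "$file.bak"                       # same backup the article makes
  set_directive "$file" Port "$port"
  set_directive "$file" PermitRootLogin no
  set_directive "$file" AllowUsers "$user"
  set_directive "$file" PasswordAuthentication no
  set_directive "$file" PubkeyAuthentication yes
  set_directive "$file" ChallengeResponseAuthentication no
  set_directive "$file" MaxAuthTries 3
  set_directive "$file" LoginGraceTime 30
  set_directive "$file" KexAlgorithms curve25519-sha256
  set_directive "$file" Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
  set_directive "$file" MACs hmac-sha2-512-etm@openssh.com
}

# validate_config FILE
# sshd -t parses the file and exits non-zero on any error. Skipped where
# sshd is not installed (e.g. when trying this on a workstation copy).
validate_config() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  fi
}

# Usage on a live system (as root), kept commented so the file is safe to source:
# apply_hardening /etc/ssh/sshd_config 2222 yourusername
# validate_config /etc/ssh/sshd_config && systemctl restart ssh
```

Keep the existing session open while you test a new login on the new port, exactly as the article advises; validate_config only catches syntax errors, not a lost key or a firewall that still blocks 2222.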
3. Use Fail2Ban to Block Brute-Force Attacks
Fail2Ban monitors log files and blocks IPs showing malicious behavior.
Install Fail2Ban:
sudo apt install fail2ban    # Debian/Ubuntu
sudo dnf install fail2ban    # Fedora/RHEL
Create a custom config file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Enable SSH protection and adjust settings:
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
Note: on RHEL/Fedora the log is /var/log/secure, and on systems that log only to the systemd journal (Debian 12 and later without rsyslog), use backend = systemd instead of logpath.
Start and enable Fail2Ban:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
4. Harden the System Further
Keep the system updated
Regularly apply security patches:
sudo apt update && sudo apt upgrade    # Debian/Ubuntu
sudo dnf update                        # Fedora/RHEL
Use a firewall
Configure ufw or firewalld to allow only necessary ports. Example with ufw:
sudo ufw allow 2222
sudo ufw enable
Disable unused SSH protocols and ciphers
In /etc/ssh/sshd_config, explicitly set modern, secure options:
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
Monitor logs regularly
Check /var/log/auth.log (or /var/log/secure on RHEL) for suspicious login attempts.
Secure SSH setup isn’t about one magic setting—it’s layers. Change the port, disable root and password login, use SSH keys, install Fail2Ban, and keep the system updated. Most attacks target default configurations, so even small changes make a big difference.
Basically, if you're using SSH keys, blocking root login, and have Fail2Ban running, you’re already far ahead of most servers exposed to the internet.
The above is the detailed content of How to Set Up a Secure SSH Server on Linux. For more information, please follow other related articles on the PHP Chinese website!