SSH Server Hardening Best Practices

The Secure Shell (SSH) protocol is a cornerstone of modern system administration, providing encrypted channels for remote management and data transfer. However, its widespread use also makes it a prime target for malicious actors. A default SSH configuration is often insufficient to protect against determined attackers. Implementing robust hardening measures is essential to safeguard your servers and the data they hold.

This guide provides a comprehensive list of best practices for hardening your SSH server, complete with practical examples to help you fortify your systems.

1. Use SSH Keys Instead of Passwords

Password-based authentication is susceptible to brute-force attacks, where an attacker systematically tries thousands of password combinations. SSH keys offer a much more secure alternative. They are a cryptographic key pair—a private key that you keep secret and a public key that you place on the server.

To disable password authentication, you need to edit your SSH daemon configuration file, typically located at /etc/ssh/sshd_config.

First, ensure you have successfully set up and tested SSH key authentication. Once confirmed, open the configuration file with a text editor:

sudo nano /etc/ssh/sshd_config

Find the following lines and modify them as shown:

PasswordAuthentication no
ChallengeResponseAuthentication no

This change tells the SSH server not to allow any form of password-based login. After saving the file, you must restart the SSH service for the changes to take effect.

# For systems using systemd (e.g., Ubuntu, CentOS 7+)
sudo systemctl restart sshd

# For older systems using init
sudo service ssh restart

2. Disable Root Login

Allowing direct root login over SSH is extremely risky. If an attacker gains access, they have immediate, unrestricted control over the entire system. A better practice is to log in as a standard user and then elevate privileges using sudo when necessary. This approach also improves accountability, as actions are logged against a specific user account.

To disable root login, edit the sshd_config file:

sudo nano /etc/ssh/sshd_config

Find the PermitRootLogin directive and set its value to no:

PermitRootLogin no

Save the file and restart the SSH service to apply the change.

3. Change the Default SSH Port

By default, SSH listens on port 22. This is a well-known port that automated bots and attackers constantly scan. While changing the port is not a complete security solution (a practice known as “security through obscurity”), it effectively reduces the noise from automated scans and adds a simple layer of protection.

Choose an unused port number, typically above 1024. For this example, we’ll use port 2222.

Edit the sshd_config file:

sudo nano /etc/ssh/sshd_config

Find the line #Port 22 and change it to:

Port 2222

Before you restart the SSH service, you must inform your system’s firewall to allow traffic on the new port.

For systems using UFW (Uncomplicated Firewall):

sudo ufw allow 2222/tcp

For systems using firewalld (common on RHEL/CentOS):

sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

If you are using SELinux, you may also need to update its policy to allow SSH to run on the new port:

sudo semanage port -a -t ssh_port_t -p tcp 2222

Now, restart the SSH service. When you connect next, you will need to specify the new port:

ssh user@your_server_ip -p 2222

Important: Always ensure the new port is open in your firewall before restarting the SSH service to avoid locking yourself out.

4. Limit User Access

Not every user on a server needs SSH access. You can restrict which users or groups are allowed to connect by using the AllowUsers or AllowGroups directives. This principle of least privilege ensures that only authorized personnel can gain remote access.

To allow only specific users, add the following line to your sshd_config file, replacing user1 and user2 with actual usernames:

AllowUsers user1 user2

Alternatively, you can manage access by group:

AllowGroups sshusers

In this case, only users who are members of the sshusers group can log in. Remember to restart the SSH service after making changes.

5. Implement Fail2Ban

Fail2Ban is a utility that monitors log files for malicious activity, such as repeated failed login attempts, and temporarily bans the offending IP addresses using firewall rules. It is an effective tool for mitigating brute-force attacks.

First, install Fail2Ban.

On Debian/Ubuntu:

sudo apt-get update
sudo apt-get install fail2ban

On CentOS/RHEL:

sudo yum install epel-release
sudo yum install fail2ban

Once installed, Fail2Ban automatically starts monitoring SSH logs. For custom configuration, create a local copy of the configuration file.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now, you can edit jail.local to customize settings like ban time (bantime) and the number of failed attempts before a ban (maxretry).

6. Use a Strong Cipher and MAC Configuration

SSH uses ciphers for encryption and Message Authentication Codes (MACs) for integrity. Over time, some algorithms can become weak. You can strengthen your server’s security by specifying a list of modern, robust ciphers and MACs.

Add the following lines to your /etc/ssh/sshd_config file to prioritize strong algorithms. This is an example configuration; you should research the latest recommended ciphers for your environment.

# Key Exchange Algorithms
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

# Ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# MACs
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

After adding these lines, restart the SSH service.

7. Keep Your SSH Server Updated

Finally, one of the most critical security practices is to keep your software updated. Vulnerabilities are regularly discovered in software, including SSH. Applying security patches promptly ensures you are protected against known exploits.

Use your system’s package manager to regularly update your system.

On Debian/Ubuntu:

sudo apt-get update && sudo apt-get upgrade

On CentOS/RHEL:

sudo yum update

By consistently applying these hardening techniques, you can significantly improve the security posture of your SSH server, turning it from a potential liability into a fortified access point for secure system administration.