
Hardening SSH Access on Your VPS

By Admin · Feb 25, 2026 · Updated Apr 23, 2026 · 79 views · 1 min read

Change the Default Port

Edit /etc/ssh/sshd_config:

Port 2222

This reduces automated brute-force attempts significantly, though it is not a security measure on its own.

Disable Root Login

PermitRootLogin no

Create a regular user with sudo access instead:

adduser deploy
usermod -aG sudo deploy

Key-Based Authentication Only

# On your local machine
ssh-keygen -t ed25519 -C "your@email.com"
ssh-copy-id -p 2222 deploy@your-server-ip

# Then disable password auth on the server (in /etc/ssh/sshd_config)
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey

Additional Hardening

# Limit login attempts
MaxAuthTries 3
LoginGraceTime 30

# Disable unused features
X11Forwarding no
AllowTcpForwarding no
PermitEmptyPasswords no

# Restrict to specific users
AllowUsers deploy admin

Apply Changes

sudo sshd -t  # Test config before restarting
sudo systemctl restart sshd
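
`sshd -t` only validates syntax, and sshd uses the first value it obtains for each keyword, so a setting in an included file can silently win over one you added. The following is an added example, not part of the original article: a shell function that compares `sshd -T` (effective configuration) output with the values used here. The function name, the sample data and the drop-in scenario are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit sshd's *effective* settings.
# Assumes `sshd -T` style input: one lowercase "keyword value" pair per line.

# Expected values, copied from the directives in this article (before the
# two-factor step, which changes authenticationmethods).
EXPECTED='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
authenticationmethods publickey
maxauthtries 3
logingracetime 30
x11forwarding no
allowtcpforwarding no
permitemptypasswords no'

# audit_sshd: read an effective config on stdin, print one line per
# mismatch, and return 0 only if every expected directive matches.
# The ( ) body keeps the helper variables out of the caller's shell.
audit_sshd() (
    effective=$(cat)
    status=0
    while read -r key want; do
        # Value of the first line whose keyword equals $key (empty if absent).
        got=$(printf '%s\n' "$effective" |
            awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want "%s", got "%s"\n' "$key" "$want" "${got:-unset}"
            status=1
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$status" -eq 0 ]
)

# Constructed sample: the article's settings, except that an included
# drop-in file (hypothetical) has re-enabled password authentication.
SAMPLE_DRIFT=$(printf '%s\n' "$EXPECTED" |
    sed 's/^passwordauthentication no$/passwordauthentication yes/')

# On a server, audit the running configuration with:
#   sudo sshd -T | audit_sshd
audit_sshd <<EOF || echo "effective config differs from the article's settings"
$SAMPLE_DRIFT
EOF
```

Run the audit from a second session after restarting sshd, and keep the original session open until a fresh login on the new port succeeds.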

Fail2Ban for Brute-Force Protection

sudo apt install -y fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
findtime = 600

sudo systemctl enable --now fail2ban

Two-Factor Authentication

sudo apt install -y libpam-google-authenticator
google-authenticator

Add to /etc/pam.d/sshd:

auth required pam_google_authenticator.so

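Set in sshd_config, replacing the earlier AuthenticationMethods publickey line (sshd uses the first value it finds for a keyword):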

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
