# Beyond Key Authentication

Most guides stop at "disable password auth." Here's what comes next.
## Change the Default Port

```
# /etc/ssh/sshd_config
Port 2222
```

> **Tip:** This doesn't add real security against targeted attacks, but it eliminates 99% of the automated scanning noise from your logs.
## Restrict to Specific Users

```
# Only these users can SSH in
AllowUsers deploy admin

# Or by group
AllowGroups ssh-users
```
## Limit Authentication Attempts

```
MaxAuthTries 3
MaxSessions 5
LoginGraceTime 30
```
## Disable Unused Features

```
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
```
## Use Ed25519 Only

```
# Disable weaker algorithms
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
HostKeyAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
```
## Fail2Ban Configuration

```
# /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
findtime = 600
```

```
# Check banned IPs
sudo fail2ban-client status sshd

# Unban an IP
sudo fail2ban-client set sshd unbanip 203.0.113.5
```
## Two-Factor Authentication

```
sudo apt install -y libpam-google-authenticator

# Run as the user who needs 2FA
google-authenticator
```

Add to PAM:

```
# /etc/pam.d/sshd — add at the end
auth required pam_google_authenticator.so
```

```
# /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
```

This requires both an SSH key AND a TOTP code.
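To confirm that the hardening settings above, including the two-factor `AuthenticationMethods` line, actually took effect, compare the daemon's effective configuration with the values from this post rather than grepping `sshd_config`. The script below is an added example, not part of the original post: it reads the output of `sudo sshd -T`, which prints every option as a lowercase `keyword value` line, and reports each setting that differs from the baseline. The sample inputs are constructed files in that same shape (not captures from a real host), and the `audit_sshd`, `write_sample_default` and `write_sample_hardened` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): compare the effective sshd
# settings, as printed by `sudo sshd -T`, against the hardening values from
# this post. `sshd -T` prints one "keyword value" line per option with the
# keyword in lowercase, so the baseline uses the same spelling.

BASELINE='port 2222
passwordauthentication no
maxauthtries 3
maxsessions 5
logingracetime 30
x11forwarding no
allowtcpforwarding no
allowagentforwarding no
permittunnel no
pubkeyacceptedalgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
authenticationmethods publickey,keyboard-interactive'

# audit_sshd FILE: FILE holds `sshd -T` output. Prints one line per setting
# that differs from the baseline and returns the number of mismatches
# (0 means every baseline setting is in effect).
audit_sshd() {
    file=$1
    bad=0
    # Here-document rather than a pipe so the counter survives the loop.
    while read -r key want; do
        have=$(awk -v k="$key" '$1 == k { print $2; found = 1 }
                                END { if (!found) print "<unset>" }' "$file")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have '$have', want '$want'"
            bad=$((bad + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$bad"
}

# Constructed sample resembling stock defaults (hypothetical, not a real host).
write_sample_default() {
    cat >"$1" <<'EOF'
port 22
passwordauthentication yes
maxauthtries 6
maxsessions 10
logingracetime 120
x11forwarding yes
allowtcpforwarding yes
allowagentforwarding yes
permittunnel no
pubkeyacceptedalgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512
authenticationmethods any
EOF
}

# Constructed sample of a host where this post's settings are all in effect.
write_sample_hardened() {
    echo "$BASELINE" >"$1"
}

# Demo run on the two constructed samples.
default=$(mktemp); hardened=$(mktemp)
write_sample_default "$default"; write_sample_hardened "$hardened"
audit_sshd "$default" || echo "default-like config: $? setting(s) differ from the baseline"
audit_sshd "$hardened" && echo "hardened config: compliant"
rm -f "$default" "$hardened"
```

On a real host, run `sudo sshd -t` first to catch syntax errors, then `sudo sshd -T > /tmp/effective.conf` and `audit_sshd /tmp/effective.conf`. Auditing `sshd -T` output matters because sshd keeps the first value it reads for each keyword: on distributions whose `sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in file there silently wins over the line you edited in the main file.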
## Monitoring SSH Access

```
# Recent successful logins
last -10

# Failed login attempts
grep "Failed password" /var/log/auth.log | tail -20

# Currently logged in users
who
w
```
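The one-liners above answer "what happened recently"; the next question is usually "which source is hammering me and has it tripped the fail2ban `maxretry` yet". The script below is an added example, not part of the original post: it summarises failures per source address from auth.log-style lines and lists the successful logins with user and method. Once `PasswordAuthentication` is off, "Failed password" lines stop appearing and probes show up as "Invalid user ..." lines instead, so the script counts both. The log lines are constructed samples using documentation IPs, and `failed_by_ip`, `offenders`, `accepted_logins` and `write_sample_authlog` are this example's own names.

```shell
#!/bin/sh
# Added example (not from the original post): summarise SSH login activity
# from auth.log lines. Counts failures per source IP, flags the ones at or
# above the fail2ban maxretry threshold, and lists successful logins.

# Constructed sample log (documentation IPs, not a real capture).
write_sample_authlog() {
    cat >"$1" <<'EOF'
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:09 host sshd[1203]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar  3 10:02:11 host sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:03:00 host sshd[1215]: Failed password for deploy from 198.51.100.9 port 40100 ssh2
Mar  3 10:03:20 host sshd[1220]: Failed password for invalid user oracle from 203.0.113.5 port 51300 ssh2
Mar  3 10:04:01 host sshd[1230]: Invalid user git from 203.0.113.5 port 51400
EOF
}

# failed_by_ip FILE: print "count ip" per source address, most frequent
# first. Both password failures and invalid-user probes are counted; the
# address is taken from the token after "from", so the syslog prefix
# (or a journalctl prefix) does not matter.
failed_by_ip() {
    awk '/Failed password|Invalid user/ {
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# offenders FILE THRESHOLD: addresses with at least THRESHOLD failures,
# i.e. those a jail with maxretry = THRESHOLD would have banned.
offenders() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# accepted_logins FILE: print "user ip method" for each successful login.
accepted_logins() {
    awk '/Accepted/ {
            for (i = 1; i < NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "for") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            print user, ip, method
         }' "$1"
}

# Demo run on the constructed sample.
log=$(mktemp)
write_sample_authlog "$log"
echo "failures per source:";           failed_by_ip "$log"
echo "would be banned at maxretry=3:"; offenders "$log" 3
echo "successful logins:";             accepted_logins "$log"
rm -f "$log"
```

Against a real host, pass `/var/log/auth.log` (or, on journald-only systems, the output of `journalctl -u ssh` saved to a file; the unit is named `sshd` on some distributions) to `failed_by_ip` and `offenders`. An address that appears in `offenders` but not in `fail2ban-client status sshd` is a sign the jail's `port` or log path does not match the daemon you are actually running.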
> **Warning:** After changing the SSH config, always test in a new terminal while keeping your current session open. If the new config is broken, you can fix it from the existing session.