Why Harden SSH?
SSH is the primary remote access method for Linux servers, and any host with port 22 reachable from the internet starts receiving automated password-guessing attempts within minutes of coming online. The settings below remove the cheapest attack paths: guessable passwords, direct root logins, and legacy algorithms. Every one of them is an edit to the server's sshd_config, so a mistake can lock you out; read the Apply Changes section before you start.
Use Key-Based Authentication
# Generate an Ed25519 key (on your local machine). Choose a passphrase when
# prompted; the -C comment is only a label that identifies this key later
# in authorized_keys. The private key (id_ed25519) never leaves your machine.
ssh-keygen -t ed25519 -C "your@email.com"
# Copy the public key to the server. This is the last login that needs your
# password; it appends id_ed25519.pub to ~/.ssh/authorized_keys on the server.
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server-ip
Before going further, open a new terminal and log in again; you should not be asked for a password. Only once key login is confirmed should you disable password authentication.
Disable Password Authentication
Edit /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
ChallengeResponseAuthentication no
Two details matter here. First, OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication; the old name still works as an alias, but the new one is what sshd -T reports, so on current servers set KbdInteractiveAuthentication no (PAM keyboard-interactive login is the other way a password can get in). Second, sshd uses the first value it reads for each option, and the stock sshd_config on recent Debian, Ubuntu and RHEL begins with Include /etc/ssh/sshd_config.d/*.conf. A drop-in file in that directory (cloud-init writes one on Ubuntu cloud images, for example) that says PasswordAuthentication yes silently wins over your edit, so check that directory as well. PermitRootLogin prohibit-password still lets root log in with a key; use no if nothing needs a direct root shell.
Change Default Port
Port 2222
Moving off port 22 cuts log noise from mass scanners that only probe the default port, but it is obscurity, not security: a targeted attacker finds the new port with a port scan in seconds, so treat it as a complement to key-only authentication and rate limiting, never a substitute. Before restarting sshd, allow the new port through the host firewall (for example ufw allow 2222/tcp, or the equivalent firewalld or nftables rule) and, on SELinux systems, label it with semanage port -a -t ssh_port_t -p tcp 2222. On Ubuntu 22.10 and later sshd is socket-activated by ssh.socket, which listens on port 22 regardless of Port in sshd_config; override ListenStream in that socket unit (systemctl edit ssh.socket) or the change has no effect.
Additional Hardening
# Limit authentication attempts per connection. Every public key the client
# offers counts as one attempt, so users with many keys in ssh-agent should
# pin the right one with IdentitiesOnly=yes in their client config, or they
# will hit "Too many authentication failures" before the correct key is tried.
MaxAuthTries 3
# Disable empty passwords
PermitEmptyPasswords no
# Drop dead connections: sshd sends a keepalive every 300 s and disconnects
# after 2 unanswered ones (about 10 minutes). This is NOT an idle timeout: a
# client that answers keepalives stays connected however long the user is
# idle. Do not use ClientAliveCountMax 0; since OpenSSH 8.2 that disables the
# check entirely. For a real idle logout use the shell's TMOUT variable.
ClientAliveInterval 300
ClientAliveCountMax 2
# Restrict to specific users (AllowGroups works the same way for a group)
AllowUsers deploy admin
# Disable X11 forwarding
X11Forwarding no
# Use strong ciphers and key exchanges only
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
OpenSSH 9.0 and later also ship the post-quantum hybrid key exchange sntrup761x25519-sha512@openssh.com; if your clients are current, put it first in KexAlgorithms rather than locking it out with this list.
Apply Changes
sudo sshd -t # Test configuration; prints nothing when the file is valid
sudo systemctl restart sshd # On Debian/Ubuntu the unit is ssh (sshd is an alias)
Important: Always keep an existing SSH session open while testing new settings. Restarting sshd only replaces the listener; established sessions keep running, so that session survives the restart. From a second terminal, open a fresh connection using the new settings (new port, key only) and confirm that a password login is now refused. If you lock yourself out, you will need console access (physical, IPMI, or your cloud provider's serial console) to fix it. sshd -T prints the effective value of every option after Include files and Match blocks are applied; that, not the file you edited, is the authoritative check that your changes took effect.
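The script below is an added example and is not part of the original page or of OpenSSH. It audits the output of sudo sshd -T (the effective configuration, after Include files and Match blocks are resolved) against the values recommended on this page. The expected values, the allowed cipher and key-exchange sets, and the two sample sshd -T dumps are assumptions chosen to match this page's settings; the dumps are constructed, not captured from a real host. It accepts both spellings of prohibit-password and both names of the keyboard-interactive option so that it works on older and newer OpenSSH releases.

```shell
#!/bin/sh
# Added example (not from the original page, not an OpenSSH tool): audit the
# EFFECTIVE sshd configuration against the hardened values recommended above.
# `sudo sshd -T` prints every option after defaults, Include files and Match
# blocks are resolved, one lower-cased keyword per line ("port 2222"), so
# checking it catches a drop-in under /etc/ssh/sshd_config.d/ that overrides
# your edit. Usage on the server, after `sudo sshd -t` passes and a restart:
#   . ./check_sshd.sh && check_effective "$(sudo sshd -T)"

# Single-valued options and the value each must have (chosen to match this
# page). Alternatives are separated by "|": sshd -T reports prohibit-password
# under its older spelling, and kbdinteractiveauthentication is the OpenSSH
# 8.7+ name of ChallengeResponseAuthentication.
EXPECTED='port 2222
passwordauthentication no
pubkeyauthentication yes
permitrootlogin prohibit-password|without-password
kbdinteractiveauthentication no
permitemptypasswords no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2
x11forwarding no'
# List-valued options: every algorithm sshd reports must appear in these sets.
ALLOWED_CIPHERS='chacha20-poly1305@openssh.com aes256-gcm@openssh.com'
ALLOWED_KEX='curve25519-sha256 curve25519-sha256@libssh.org'

# lookup DUMP KEY: first value sshd -T reports for KEY, empty if absent.
lookup() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_algos DUMP KEY ALLOWED: report each algorithm in KEY's comma-separated
# list that is not in the space-separated ALLOWED set (a weak one left enabled).
check_algos() {
    list=$(lookup "$1" "$2")
    [ -n "$list" ] || { printf '%s: not reported by sshd -T\n' "$2"; return 0; }
    printf '%s\n' "$list" | tr ',' '\n' | while read -r algo; do
        case " $3 " in
            *" $algo "*) ;;
            *) printf '%s: %s is not in the allowed set\n' "$2" "$algo" ;;
        esac
    done
}

# check_effective DUMP: print one line per deviation; return 0 only if none.
check_effective() {
    dump=$1
    problems=$(
        printf '%s\n' "$EXPECTED" | while read -r key want; do
            got=$(lookup "$dump" "$key")
            if [ -z "$got" ] && [ "$key" = kbdinteractiveauthentication ]; then
                got=$(lookup "$dump" challengeresponseauthentication) # pre-8.7 name
            fi
            if [ -z "$got" ]; then
                printf '%s: not reported by sshd -T\n' "$key"
            else
                case "|$want|" in
                    *"|$got|"*) ;;
                    *) printf '%s: is %s, want %s\n' "$key" "$got" "$want" ;;
                esac
            fi
        done
        check_algos "$dump" ciphers "$ALLOWED_CIPHERS"
        check_algos "$dump" kexalgorithms "$ALLOWED_KEX"
    )
    if [ -z "$problems" ]; then return 0; fi
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample (not a real capture): a stock OpenSSH 9.x server, abridged.
STOCK_DUMP='port 22
passwordauthentication yes
pubkeyauthentication yes
permitrootlogin without-password
kbdinteractiveauthentication yes
permitemptypasswords no
maxauthtries 6
clientaliveinterval 0
clientalivecountmax 3
x11forwarding yes
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'
# Constructed sample: the same host after applying this page's settings.
HARDENED_DUMP='port 2222
passwordauthentication no
pubkeyauthentication yes
permitrootlogin without-password
kbdinteractiveauthentication no
permitemptypasswords no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2
x11forwarding no
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org'

check_effective "$STOCK_DUMP" || echo "stock: deviations listed above"
check_effective "$HARDENED_DUMP" && echo "hardened: all checks passed"
```

The check deliberately treats the cipher and key-exchange lists as allow lists: anything sshd reports that is not in the set is flagged, so a distribution default or a drop-in that re-enables aes128-ctr or an ECDH group shows up even though your own Ciphers line looks right. Run it from the open session after every restart and keep it in your provisioning checks.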