Secure Your Linux Server: 8 Essential SSH Hardening Steps

Learn how to protect your Linux server by disabling root SSH login, changing the default port, enforcing strong passwords, limiting login attempts, using SSH protocol 2, disabling forwarding, employing key‑based authentication, and restricting access by IP, with clear commands and configuration examples.

Open Source Linux

Why Secure SSH?

SSH is a widely used protocol for securely accessing Linux servers, but its default configuration can expose serious security risks, especially when root login is allowed over a public IP address.

1. Disable Root Login

Create a new user with sudo privileges and prevent root from logging in via SSH.

useradd -m exampleroot
passwd exampleroot
usermod -aG sudo exampleroot

Then edit /etc/ssh/sshd_config:

#Authentication:
#LoginGraceTime 2m
PermitRootLogin no
AllowUsers exampleroot

Restart the SSH service:

sudo systemctl restart ssh

2. Change the Default Port

Modify the SSH listening port to make automated attacks harder.

Port 22099

After editing /etc/ssh/sshd_config, restart SSH:

sudo systemctl restart ssh

3. Disallow Empty Passwords

Prevent users without passwords from logging in.

PermitEmptyPasswords no

4. Limit Login Attempts

Set a maximum number of authentication attempts to mitigate brute‑force attacks.

MaxAuthTries 3

5. Use SSH Protocol 2

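Enable the more secure SSH protocol version. OpenSSH 7.4 and later support only protocol 2 on the server and treat this directive as deprecated, so the setting matters only on older installations.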

Protocol 2

6. Disable TCP and X11 Forwarding

Turn off port forwarding and X11 forwarding to reduce attack surface.

X11Forwarding no
AllowTcpForwarding no

7. Use SSH Key Authentication

Generate a key pair and configure the server to accept only key‑based logins.

ssh-keygen

Upload the public key to ~/.ssh/authorized_keys on the server and optionally disable password authentication in sshd_config.

8. Restrict SSH Access by IP

Use /etc/hosts.allow (or firewall rules) to allow only trusted IP ranges and deny all others.

# Example entry in hosts.allow
sshd: 192.168.1.0/24 : allow
sshd: ALL : deny

After making changes, restart the SSH service to apply them.
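
An added example, not part of the original article: a POSIX shell check that reads an sshd_config file and reports which of the settings from steps 1 to 7 are not in effect, applying sshd's rule that the first occurrence of a keyword wins. The function names and the sample configuration are constructed for illustration, and the parser assumes plain "Keyword value" lines with no Include files.

```sh
# effective_value FILE KEYWORD: the value sshd takes from the global section.
# Keywords are case-insensitive and the FIRST occurrence wins; parsing stops
# at the first Match block.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        tolower($1) == "match" { exit }    # end of the global section
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: print one FAIL line per deviation; return 1 if any.
audit_sshd() {
    rc=0
    while read -r key expected; do
        actual=$(effective_value "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL $key: want $expected, got ${actual:-unset}"
            rc=1
        fi
    done <<EOF
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication no
EOF
    port=$(effective_value "$1" Port)
    if [ "${port:-22}" = 22 ]; then echo "FAIL Port: default 22"; rc=1; fi
    return "$rc"
}

# Constructed sample: the hardening lines were appended at the end, but the
# earlier "PermitRootLogin yes" is the one sshd uses.
write_sample() {
    cat > "$1" <<EOF
Port 22099
PermitRootLogin yes
#MaxAuthTries 6
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding no
PasswordAuthentication no
permitrootlogin no
MaxAuthTries 3
EOF
}

sample=$(mktemp); write_sample "$sample"
audit_sshd "$sample" || echo "config deviates from the checklist"
rm -f "$sample"
```

On a live host, sshd -t validates the file before a restart and sshd -T prints the effective configuration, which also covers Include files and compiled-in defaults that this file-level check does not see.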

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
