LINUX ADMIN7

Securing SSH: Your Server's First Line of Defence

Admin

8 March 2026 • 8 min read

Why SSH Is Your Top Priority

Having managed servers for over a decade, I've seen thousands — yes, thousands per day — of intrusion attempts. SSH is by far the most frequently targeted service. Bots scan the network 24/7, looking for the smallest vulnerability. If you leave the default configuration in place, it's not a question of 'if' someone will break in, but 'when'. My experience with brute-force attacks has taught me one thing: a passive approach is asking for trouble. I remember the night one of my first servers was generating gigabytes of logs simply because I'd forgotten the basic rules. Never again.

"Security is not a product, it's a process. It starts with closing the front door."

1. SSH Keys Instead of Passwords: The "Holy Grail" of Security

Passwords are weak. People use weak passwords, and bots have infinite patience. Disabling password authentication and switching to RSA keys (minimum 4096 bits) or Ed25519 is the only way. This eliminates 99% of automated attacks.

2. Changing the Default Port 22

I often hear: "Security by obscurity is no security." True. But changing port 22 to, say, 2222 or another high port dramatically cleans up your logs. Instead of 5,000 login attempts per hour, you'll have zero. This helps you distinguish real threats from the background noise.

3. Disabling Root Login

Never, under any circumstances, allow direct login to the root account. Use a regular user with sudo privileges. This is an additional layer that an attacker must break through.

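/etc/ssh/sshd_config
# Basic, secure SSH configuration
# Non-default port: reduces log noise from automated scans
Port 2222
# Obsolete since OpenSSH 7.4, which removed protocol 1; only matters on older releases
Protocol 2
# No direct root login; use a regular user with sudo
PermitRootLogin no
MaxAuthTries 3
# Key-based authentication only
PubkeyAuthentication yes
PasswordAuthentication no
# Named KbdInteractiveAuthentication in OpenSSH 8.7 and later
ChallengeResponseAuthentication no
# Also skips PAM account and session modules; check that nothing on the host relies on them
UsePAM no
# Replace your_user with the account(s) allowed to log in
AllowUsers your_user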
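
sshd keeps the first value it reads for each keyword, so a line earlier in the file or in an included file can silently override the settings above. The following added example (not part of the original article) checks the effective configuration printed by `sshd -T` against those settings; the function name `audit_sshd` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings against the baseline above.
# Reads `sshd -T` output (lowercase "keyword value" lines) on stdin, e.g.
#   sudo sshd -t && sudo sshd -T | audit_sshd
# Prints one line per deviation; returns 1 if any is found, 0 otherwise.
audit_sshd() {
    awk '
    BEGIN {
        bad = 0; allow = 0
        want["port"] = "2222"
        want["permitrootlogin"] = "no"
        want["maxauthtries"] = "3"
        want["pubkeyauthentication"] = "yes"
        want["passwordauthentication"] = "no"
        want["kbdinteractiveauthentication"] = "no"
        want["usepam"] = "no"
    }
    {
        key = tolower($1); val = tolower($2)
        # Older releases report the pre-8.7 name for the same setting.
        if (key == "challengeresponseauthentication")
            key = "kbdinteractiveauthentication"
        if (key == "allowusers") allow = 1
        if (!(key in want)) next
        seen[key] = 1
        if (val != want[key]) {
            printf "FAIL %s: got %s, want %s\n", key, val, want[key]
            bad = 1
        }
    }
    END {
        for (k in want) if (!(k in seen)) { print "MISSING " k; bad = 1 }
        if (!allow) { print "MISSING allowusers (no user allow-list)"; bad = 1 }
        exit bad
    }'
}

# Constructed sample: effective config where an earlier line or included file
# has re-enabled password logins despite the main config saying "no".
SAMPLE_DRIFTED='port 2222
permitrootlogin no
maxauthtries 3
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
usepam no
allowusers your_user'
printf '%s\n' "$SAMPLE_DRIFTED" | audit_sshd || echo "baseline not met"
```

Run it after every change and before reloading the daemon; `sshd -t` catches syntax errors, while the audit catches values that parse cleanly but are not the ones in effect.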

4. Fail2Ban: Your Automated Guardian

Configuration is not everything. You need active defence. Fail2Ban monitors logs in real time and bans IP addresses after several failed attempts. It's like hiring a bouncer who throws out anyone who tries to pick the lock.
