SSH Server Hardening Tips

Below are the security recommendations for SSH hardening the servers hosted in the public cloud.

1) Do not enable root user login for SSH client access.

PermitRootLogin no

   Most of the malware infection starts by an attempt to brute force SSH login credentials of the root user. If successful, attackers gain access to the compromised machine, then install the Trojan usually via a shell script.
2) Do not enable the password authentication.

PasswordAuthentication no

There are high chances for cracking any level of strong passwords using the brute force attack.
3) Trust the ssh keypair authentication.

RSAAuthentication yes
PubkeyAuthentication yes

Using SSH keys for authentication virtually eliminates the risk posed by brute-force password attacks and nearly impossible for anyone to hack the key-pair.

Caution: NSA would already have their own algorithm to hack any kind of SSH keys 🙂

4) Don’t forget Fail2ban

apt-get install fail2ban

Fail2ban scans log files and bans IPs that show the malicious signs or too many password failures.


5) Strong Passwords

be?a#espa!UWEtH2      <-- Sample 16bit password.

Use the below link to generate strong passwords
Caution: Don’t forget to memorise 🙂 or you could save in your local system.


6) Different Port number (optional)

port 22

You may consider running ssh service in the different port number other than 22. But make sure no other service port will conflict with the port number you have chosen for ssh service.


Thanks & Regards,

Vinoth Kumar Selvaraj

Leave a Comment