The SSH Hardening Checklist We Apply to Every Server
SSH is the front door to your server, which makes it the most probed and brute-forced service you run. The good news: a handful of changes shuts the door on the overwhelming majority of attacks. Here’s the checklist we apply to every box.
1. Use keys, not passwords
Password authentication can be brute-forced; key-based authentication cannot, in any practical sense. Once your key is in place and you have confirmed a key login works from a second session (so a mistake can't lock you out), disable passwords entirely in /etc/ssh/sshd_config, then run sshd -t to check the syntax before reloading:
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
2. Don’t log in as root
Create a normal user with sudo and set PermitRootLogin no, which goes a step further than the prohibit-password setting above by refusing root over SSH even with a key. Every action is then tied to a named account in the logs, and the one username every scanner tries first stops working.
3. Limit who can connect
- Restrict access with AllowUsers or AllowGroups
- Firewall SSH to known IPs where practical
- Consider a VPN or bastion host for sensitive infrastructure
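Steps 1 to 3 all end up as lines in sshd_config, and the most common way they fail is subtle: sshd applies the first occurrence of a keyword, so a "PasswordAuthentication no" appended below an earlier "yes" changes nothing. The following POSIX shell script is an added example, not part of the original checklist, that audits a config file with that rule in mind; it ignores conditional Match blocks and checks a constructed sample config. On a live host, sshd -T prints the effective configuration after Include files, Match blocks and defaults are resolved, and is the authoritative check.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against steps 1 to 3.
# sshd applies the FIRST occurrence of each keyword, so a "PasswordAuthentication no" added
# at the bottom of a file that already says "yes" near the top changes nothing. Lines inside a
# Match block are conditional and are not counted here. On a live host prefer `sshd -T`, which
# prints the effective configuration after Include files, Match blocks and defaults are resolved.

# effective_value FILE KEYWORD: print the first value set for KEYWORD outside any Match block ("" if unset)
effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # skip blank lines and comments
        tolower($1) == "match" { exit }               # everything below a Match block is conditional
        tolower($1) == key { print $2; exit }         # first occurrence wins, as in sshd
    ' "$1"
}

# check_setting FILE KEYWORD EXPECTED: print PASS/FAIL, return 0 on PASS
check_setting() {
    actual=$(effective_value "$1" "$2")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$3" ]; then
        printf 'PASS  %-24s %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FAIL  %-24s got "%s", want "%s"\n' "$2" "${actual:-unset (sshd default applies)}" "$3"
    return 1
}

# audit_sshd_config FILE: run the checklist, return the number of failed checks
audit_sshd_config() {
    fails=0
    check_setting "$1" PasswordAuthentication no  || fails=$((fails + 1))
    check_setting "$1" PubkeyAuthentication   yes || fails=$((fails + 1))
    check_setting "$1" PermitRootLogin        no  || fails=$((fails + 1))
    # step 3: at least one of AllowUsers / AllowGroups must restrict who may log in
    if [ -n "$(effective_value "$1" AllowUsers)$(effective_value "$1" AllowGroups)" ]; then
        printf 'PASS  %-24s set\n' "AllowUsers/AllowGroups"
    else
        printf 'FAIL  %-24s neither AllowUsers nor AllowGroups is set\n' "AllowUsers/AllowGroups"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# sample_sshd_config: a constructed config that looks hardened at the bottom but is not,
# because the permissive lines come first (the result of a hurried "append the fix" edit)
sample_sshd_config() {
    cat <<'EOF'
# constructed sample for the audit example
Port 22
PasswordAuthentication yes
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AllowGroups ssh-users
# these later "fixes" are silently ignored by sshd because the keywords were already set above
PasswordAuthentication no
PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
}

cfg=$(mktemp)
sample_sshd_config > "$cfg"
if audit_sshd_config "$cfg"; then
    echo "all checks passed"
else
    echo "failed checks: $?"
fi
rm -f "$cfg"
```

Run against the sample it reports two failures: PasswordAuthentication is still yes and PermitRootLogin is still prohibit-password, exactly what sshd would enforce despite the "no" lines further down. Point audit_sshd_config at a real file to check a host, and remember that a distro snippet pulled in by Include near the top of the file wins over anything you write below it.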
4. Add Fail2ban
Fail2ban watches your logs and temporarily bans IPs that fail to authenticate repeatedly. It won't stop a determined, targeted attacker, and a botnet rotating source addresses stays under any per-IP threshold, but it makes opportunistic brute-forcing from a single host pointless. Add your own management addresses to ignoreip so a mistyped passphrase doesn't ban you from your own server.
5. Keep it patched and watch it
Hardening is an ongoing process, not a one-off task. Apply security updates (OpenSSH included) promptly and monitor authentication logs so a change in attack patterns, or a successful login that should have been impossible, doesn't go unnoticed.
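What "monitor authentication logs" means in practice for steps 4 and 5 is small enough to show. The following POSIX shell script is an added example, not part of the original checklist, run over constructed sshd log lines in the syslog format sshd emits (the format found in /var/log/auth.log or journalctl -u ssh). It counts failed password attempts per source address, lists the addresses a fail2ban jail with maxretry=5 would ban, and flags the one event that must never appear once step 1 is done: a successful password login. It counts only the "Failed password for" message, once per attempt; fail2ban's sshd filter matches several further message forms.

```shell
#!/bin/sh
# Added example, not from the original post: the log check behind steps 4 and 5, run over
# constructed sshd log lines in the syslog format sshd emits (/var/log/auth.log or journalctl -u ssh).
# It counts failed password attempts per source address, lists the addresses a fail2ban jail with
# maxretry=5 would ban, and flags the one thing that must never appear once step 1 is done:
# a successful password login. Only the "Failed password for" message is counted, once per attempt;
# fail2ban's sshd filter matches several further message forms.

# failed_auth_by_ip LOG: print "COUNT IP" for each source address, most failures first
failed_auth_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # the client address is the word after "from"
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# offenders LOG THRESHOLD: addresses with at least THRESHOLD failures (what a jail would ban)
offenders() {
    failed_auth_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# accepted_password_logins LOG: number of successful password logins; must be 0 with PasswordAuthentication no
accepted_password_logins() {
    awk '/sshd\[[0-9]+\]: Accepted password for / { c++ } END { print c + 0 }' "$1"
}

# sample_auth_log: constructed lines using RFC 5737 test addresses; one scanner hammers root and guessed users
sample_auth_log() {
    cat <<'EOF'
Jan 12 03:14:07 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan 12 03:14:09 web1 sshd[2233]: Invalid user admin from 203.0.113.45 port 51030
Jan 12 03:14:09 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Jan 12 03:14:12 web1 sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40210 ssh2
Jan 12 03:14:15 web1 sshd[2244]: Invalid user oracle from 203.0.113.45 port 51044
Jan 12 03:14:19 web1 sshd[2244]: Failed password for invalid user oracle from 203.0.113.45 port 51044 ssh2
Jan 12 03:14:25 web1 sshd[2255]: Failed password for alice from 198.51.100.22 port 50011 ssh2
Jan 12 03:14:31 web1 sshd[2260]: Accepted password for root from 192.0.2.9 port 33000 ssh2
Jan 12 03:14:40 web1 sshd[2266]: Failed password for root from 203.0.113.45 port 51050 ssh2
Jan 12 03:14:44 web1 sshd[2266]: Failed password for root from 203.0.113.45 port 51050 ssh2
EOF
}

log=$(mktemp)
sample_auth_log > "$log"
echo "failed password attempts per source:"
failed_auth_by_ip "$log"
echo "would be banned at maxretry=5:"
offenders "$log" 5
echo "successful password logins (must be 0): $(accepted_password_logins "$log")"
rm -f "$log"
```

On the sample, 203.0.113.45 reaches five failures and is the only address a maxretry=5 jail would ban, while the single failure from 198.51.100.22 (an operator mistyping a passphrase) stays untouched. The accepted password login for root from 192.0.2.9 is the finding that matters: with steps 1 and 2 applied it cannot happen, so its presence means the config on that host is not what you think it is. Because the count is per address, the same attempts spread across many sources would never trip the threshold, which is why Fail2ban is a nuisance filter and keys plus AllowUsers are the actual control.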
None of this is exotic — it’s basic hygiene. But you’d be amazed how many production servers we audit that still allow root logins with a password. Don’t be one of them.
Need this handled for you?
Server Wizards looks after Linux infrastructure so you don’t have to — proactively, and around the clock.
