SSH Configuration Hardening: Lock Down Your Remote Access
If you’ve ever logged into a server over SSH and wondered why the default setup feels like an open invitation, this guide will give you practical tweaks that actually stop attackers in their tracks. We’ll cover the most common misconfigurations, show how to fix them, and explain exactly why each change matters.
Limit Root Login
1. Open /etc/ssh/sshd_config with your favorite editor.
2. Find or add PermitRootLogin no.
3. Restart SSH: systemctl restart sshd.
Leaving root accessible is the quickest way for a brute‑force attacker to gain full control. Even if you use key authentication, a compromised key still grants unlimited power when root login is allowed.
Enforce Strong Ciphers and MACs
1. In sshd_config, set:
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
2. Restart SSH.
Legacy algorithms such as RSA-based key exchange and DES-family ciphers are either vulnerable or too slow to be worth keeping. The modern ciphers above use authenticated encryption, so traffic cannot be tampered with without detection.
Disable Password Authentication
1. In sshd_config, change:
PasswordAuthentication no
2. Ensure you have at least one working public key for each allowed user.
3. Restart SSH.
Passwords are the weak link. Even a well‑chosen password can be cracked with GPU farms in minutes. Relying solely on keys forces an attacker to steal or guess the key material instead of just guessing a password.
Set Idle Timeout and MaxAuthTries
1. Add or update:
ClientAliveInterval 300
ClientAliveCountMax 2   # 0 disables termination on OpenSSH 8.2 and later
MaxAuthTries 3
2. Restart SSH.
The ClientAlive settings drop sessions whose client has stopped responding, so a stale connection is not left open to be hijacked on a compromised network. Lowering MaxAuthTries limits how many bad attempts a brute‑force bot can make on one connection before sshd drops it.
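To verify that a sshd_config really carries the settings from the sections above, here is an added audit script; it is not part of the original post. It parses the global section of the file with the first-occurrence rule sshd uses, compares the result with the recommended values, and flags legacy algorithms in the Ciphers, MACs and KexAlgorithms lists; the sample config at the end is constructed for the demo, and the lookup tables are assumptions built from the directives discussed above.

```python
import re
EXPECTED = {  # directive -> value this guide recommends (constructed table)
    "permitrootlogin": "no", "passwordauthentication": "no",
    "maxauthtries": "3", "clientaliveinterval": "300"}
FORBIDDEN = {  # legacy algorithms that must not survive in the effective lists
    "ciphers": {"3des-cbc", "arcfour", "aes128-cbc", "aes256-cbc"},
    "macs": {"hmac-md5", "hmac-sha1"},
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"}}

def parse_sshd_config(text):
    """Map lowercased keyword -> value for the global section of sshd_config."""
    # Keywords are case-insensitive ('Key value' or 'Key=value') and sshd keeps the
    # FIRST occurrence; stop at Match, whose directives need `sshd -T -C` to evaluate.
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        config.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return config

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: {got!r}, expected {want!r}")
    for key, banned in FORBIDDEN.items():
        value = cfg.get(key, "")
        if value.startswith("-"):
            continue  # a '-' list only removes algorithms; nothing is enabled here
        algos = {a.strip().lower() for a in value.lstrip("+^").split(",")}
        for weak in sorted(algos & banned):
            findings.append(f"{key}: weak algorithm {weak} enabled")
    return findings
# Constructed sample with the common mistakes; not taken from a real host.
SAMPLE_SSHD_CONFIG = """PermitRootLogin yes
Ciphers aes256-gcm@openssh.com,aes128-cbc
MaxAuthTries 3
MaxAuthTries 6   # duplicate: sshd keeps the first value
Match User backup
    PasswordAuthentication no"""
```

On a real host, feed the script the contents of /etc/ssh/sshd_config and cross-check against sshd -T, which prints the effective configuration including defaults and Match results.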
Use Fail2Ban or Similar
1. Install Fail2Ban: apt install fail2ban.
2. Create /etc/fail2ban/jail.local with:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
3. Restart Fail2Ban.
Even with strict settings, attackers sometimes try many usernames or keys. Fail2Ban watches the logs and bans IPs that cross a threshold, turning the server into a more resilient fortress.
Keep Your SSH Daemon Updated
Run your distro’s update system regularly—apt upgrade, yum update, etc.—and watch for security bulletins from OpenSSH. The latest patches often close newly discovered vulnerabilities.
I’ve seen servers get taken over simply because they still allowed root login with a password. After patching those settings, the same host survived a week of aggressive scans without a single unauthorized session. That’s the power of proper hardening: it turns “easy access” into real protection.
Hope this helps you lock down your SSH like a vault—stay secure!