Harden SSH in 5 Minutes — A Practical Guide
- Step 1: Switch to Key-Based Auth
- Step 2: Disable Password Auth
- Step 3: Change the Port
- Step 4: Install fail2ban
- Step 5: Limit Access
- Verify
Any server with SSH exposed to the internet starts receiving automated password-guessing attempts within hours of going online. Here is how to take those attempts off the table in under 5 minutes.
Step 1: Switch to Key-Based Auth
# On your LOCAL machine
ssh-keygen -t ed25519 -C "your-email@example.com"   # set a passphrase; ssh-agent will cache it
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server
# Test with password auth switched off on the CLIENT side, so a silent fallback
# to password can't hide a broken key setup:
ssh -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no user@your-server
# If you get a shell with no password prompt, you're good
Step 2: Disable Password Auth
sudo nano /etc/ssh/sshd_config
# Change these:
PasswordAuthentication no
KbdInteractiveAuthentication no    # called ChallengeResponseAuthentication before OpenSSH 8.7; both spellings are accepted
PermitRootLogin prohibit-password  # root only with a key; use "no" if root never needs to log in at all
# Leave UsePAM yes. PAM still does account and session setup (expiry, limits, logind
# sessions); with password and keyboard-interactive auth off it cannot be used to log
# in with a password, and switching it off breaks more than it protects.
# Debian/Ubuntu: sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf", and
# cloud images often ship 50-cloud-init.conf containing "PasswordAuthentication yes".
# sshd keeps the FIRST value it reads for a keyword, so that file silently wins over
# your edit; check that directory and fix it there too.
# Validate before restarting; a syntax error here leaves you with no way back in:
sudo sshd -t && sudo systemctl restart sshd
⚠️ Keep your current session open and test every change with a fresh connection from a second terminal. Close the old session only once the new one works.
Step 3: Change the Port
# In /etc/ssh/sshd_config
Port 2222
# Open the new port in the firewall FIRST, and keep 22 open until 2222 is proven:
sudo ufw allow 2222/tcp
sudo sshd -t && sudo systemctl restart sshd
# Ubuntu with socket-activated sshd (ssh.socket): the listening port comes from the socket
# unit, so also run: sudo systemctl daemon-reload && sudo systemctl restart ssh.socket
# RHEL/Fedora with SELinux enforcing: sudo semanage port -a -t ssh_port_t -p tcp 2222
ssh -p 2222 user@your-server   # from a second terminal; only then close the old door:
sudo ufw delete allow 22/tcp
This cuts most of the opportunistic noise aimed at port 22 (fewer log lines, less fail2ban churn), but it is obscurity, not a control: port scanners find 2222 just as easily, and a targeted attacker will. Steps 1 and 2 are what actually stop brute force.
Step 4: Install fail2ban
sudo apt install fail2ban -y
# Put overrides in jail.local (jail.conf is replaced on upgrade, jail.local is not):
sudo tee /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
# Read the journal: Debian 12 and minimal images have no /var/log/auth.log, and without
# this the sshd jail fails to start. Add the IPs you manage from so you can't ban yourself:
backend = systemd
# ignoreip = 127.0.0.1/8 ::1 203.0.113.10
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
EOF
sudo systemctl enable --now fail2ban
Step 5: Limit Access
# In sshd_config:
AllowUsers your-username   # everyone else, root included, is refused; a typo here locks you out
MaxAuthTries 3             # counts every key the client offers, so set IdentitiesOnly=yes client-side if your agent holds several
LoginGraceTime 30          # seconds an unauthenticated connection may linger
ClientAliveInterval 300    # probe a silent client every 5 minutes...
ClientAliveCountMax 2      # ...and drop it after 2 unanswered probes (not an idle timeout: a live client answers)
# Then, as in Step 2: sudo sshd -t && sudo systemctl restart sshd
Verify
sudo sshd -t                                   # syntax check; run it before every restart, not only at the end
sudo journalctl -u sshd --since '1 hour ago'   # on Debian/Ubuntu the unit is named ssh; use -u ssh if this shows nothing
sudo fail2ban-client status sshd               # confirms the jail is running and lists banned IPs
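The settings from Steps 2, 3 and 5 as a single drop-in file, plus the check that catches the Include-override problem: compare what sshd actually runs with (`sudo sshd -T`, the effective configuration) against what you intended. This is an added example for this page, not code from the original guide; port 2222 and the user name alice are placeholders, and the dump at the bottom is constructed to look like `sshd -T` output on a box where the stock defaults and 50-cloud-init.conf have won over your edits.

```shell
#!/bin/sh
# Added example (not from the original guide). Placeholders: port 2222, user "alice".
#
# render_sshd_dropin PORT USER
#   Prints the Step 2/3/5 settings as one file for /etc/ssh/sshd_config.d/.
#   sshd keeps the FIRST value it reads for each keyword, and Debian/Ubuntu's
#   sshd_config opens with "Include /etc/ssh/sshd_config.d/*.conf", so a file
#   named 00-hardening.conf sorts before e.g. 50-cloud-init.conf and wins.
# check_effective_config PORT USER DUMP
#   DUMP is the text of `sudo sshd -T` (one lowercase "keyword value" per line).
#   Prints every setting that differs from intent; returns non-zero if any does.
set -eu

render_sshd_dropin() {
  port="$1"; user="$2"
  cat <<EOF
# /etc/ssh/sshd_config.d/00-hardening.conf (generated)
Port $port
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
AllowUsers $user
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
}

check_effective_config() {
  port="$1"; user="$2"; dump="$3"; rc=0
  for pair in "port=$port" \
              "passwordauthentication=no" \
              "kbdinteractiveauthentication=no" \
              "pubkeyauthentication=yes" \
              "permitrootlogin=prohibit-password" \
              "allowusers=$user" \
              "maxauthtries=3" \
              "logingracetime=30"; do
    key="${pair%%=*}"; want="${pair#*=}"
    # last matching line wins; a keyword sshd -T does not print at all is "missing"
    got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2 }' | tail -n 1)
    [ -n "$got" ] || got='<missing>'
    # sshd -T prints the older spelling of prohibit-password; treat it as equal
    [ "$key:$got" = "permitrootlogin:without-password" ] && got='prohibit-password'
    if [ "$got" != "$want" ]; then
      printf 'MISMATCH %s: want %s, got %s\n' "$key" "$want" "$got" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Real run, on the server as root:
#   render_sshd_dropin 2222 alice > /etc/ssh/sshd_config.d/00-hardening.conf
#   sshd -t && check_effective_config 2222 alice "$(sshd -T)" && systemctl restart sshd
#
# Offline demo on a CONSTRUCTED sshd -T dump, as it looks when the stock
# defaults and 50-cloud-init.conf have won over your edits:
demo_dump='port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin without-password
allowusers alice
maxauthtries 6
logingracetime 120'
check_effective_config 2222 alice "$demo_dump" \
  || echo "effective config is NOT hardened (expected for this demo)"
```

Run the real sequence from the comment on the server, as root, and only restart sshd when the checker prints no MISMATCH lines. A final end-to-end check from another machine is `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password -p 2222 alice@your-server`, which must fail with "Permission denied (publickey)"; if it prompts for a password, some included file still sets PasswordAuthentication yes.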
5 steps, 5 minutes. Your server has gone from an open invitation to one that automated brute-forcing cannot touch. Keys and a tight AllowUsers carry the real weight here, not the port number, and none of it helps against a bug in sshd itself, so keep openssh-server patched.