Advertisement
linuxserver SSH is the main door to your Linux server—so you must protect it properly. In this guide, beginners will learn how to secure SSH by disabling root login, changing the SSH port, setting up key-based authentication, and preventing brute-force attacks.

How to Secure SSH on a Linux Server (Beginner-Friendly Hardening Guide)

5 Min Read Verified Content
This tutorial is written in a friendly, clear style with detailed steps so even total beginners can follow without fear. Ideal for VPS users, sysadmins, and anyone wanting a safer server.

👉 Securing SSH — the main gateway into your server.

If your SSH is wide open, your server is basically standing on the street with the door unlocked.
Lucky for you, securing SSH isn’t difficult. You just need some guidance — and that’s what this tutorial is for.

Let’s walk through it step by step, in a very beginner-friendly way.

🛠️ Step 1: Update Your System First

Always a good first move:

sudo apt update && sudo apt upgrade -y

This ensures your server has the latest security patches before you touch SSH.



🔑 Step 2: Create a New User (Don’t Use Root!)

Using the root account is dangerous — if someone cracks it, they own your server.

Let’s create a safer, normal user:

sudo adduser adminuser

Give it a password, confirm details.

Now add it to sudo group:

sudo usermod -aG sudo adminuser

This user will replace root for login purposes.



🔐 Step 3: Set Up SSH Key Authentication (More Secure Than Password)

SSH keys are like ultra-strong digital keys.
Even a powerful hacker can't brute-force them easily.

On your local machine (not the server):

ssh-keygen

Press Enter for defaults.

Now move your public key to the server:

ssh-copy-id adminuser@your_server_ip

Or manually:

ssh adminuser@your_server_ip "mkdir -p ~/.ssh"
cat ~/.ssh/id_rsa.pub | ssh adminuser@your_server_ip 'cat >> ~/.ssh/authorized_keys'

Test login:

ssh adminuser@your_server_ip

If it logs in without asking for a password — success!



🚪 Step 4: Disable Root Login

This is one of the most important security steps.

Open your SSH config:

sudo nano /etc/ssh/sshd_config

Find this line:

PermitRootLogin yes

Change to:

PermitRootLogin no

If the line doesn’t exist, add it at the bottom.

Restart SSH:

sudo systemctl restart ssh

Now SSH root login is locked.
Hackers hate this step. Good job.



🧱 Step 5: Change the SSH Port (Optional But Recommended)

Bots constantly scan port 22.
Changing it adds a simple but effective layer of security.

Open SSH config again:

sudo nano /etc/ssh/sshd_config

Find:

Port 22

Change it to something uncommon:

Port 2222

Allow this port in UFW:

sudo ufw allow 2222

Then restart SSH:

sudo systemctl restart ssh

From now on, connect like this:

ssh -p 2222 adminuser@your_server_ip


🧹 Step 6: Disable Password Authentication (Only Keys Allowed)

This completely stops brute-force attacks.

Edit SSH config:

sudo nano /etc/ssh/sshd_config

Find:

PasswordAuthentication yes

Change to:

PasswordAuthentication no

Restart SSH:

sudo systemctl restart ssh

Now only SSH keys can log in.
Very strong protection.



🛡️ Step 7: Use Fail2Ban to Ban Attackers

Fail2Ban watches for repeated failed login attempts and blocks attackers automatically.

Install it:

sudo apt install fail2ban -y

Start and enable:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check status:

sudo fail2ban-client status

To protect SSH even better, create a local jail:

sudo nano /etc/fail2ban/jail.local

Add:

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 5
bantime = 1h

Restart Fail2Ban:

sudo systemctl restart fail2ban

Now attackers will be automatically banned.



🧪 Step 8: Test Everything (Very Important!)

Try logging in from another SSH session before closing your active one.

Test:

✔ Login with new user
✔ Key authentication
✔ Custom SSH port
✔ Root login blocked
✔ Password login disabled


If all works — your server is now significantly more secure than before.



🧩 Common Problems and Fixes

❌ Can’t login after changing SSH port?

You forgot to allow the port in UFW:

sudo ufw allow 2222

❌ SSH says “Permission denied (publickey)”?

Make sure the permissions are correct:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

❌ Fail2Ban not banning?

Check logs:

sudo tail -f /var/log/fail2ban.log


🎉 Conclusion

In this tutorial, you learned how to:

✔ Create a safe user
✔ Set up SSH key authentication
✔ Disable root login
✔ Change the SSH port
✔ Disable password login
✔ Use Fail2Ban
✔ Protect your server from brute-force attacks


Securing SSH is one of the best investments you can make in your server’s safety.
Your server is now significantly harder to break into — and you gained real sysadmin skills.


Advertisement
Back to Linuxserver