
How to Secure SSH on a Linux Server (Simple but Important Security Steps)


If your Linux server is exposed to the internet, then SSH is basically the “front door” to your machine. And just like any real door, you don’t want it left unlocked — especially when bots and scanners are constantly trying passwords.

When I first started managing servers, I thought,
“Eh, who would bother attacking my tiny VPS?”

Then one day I checked /var/log/auth.log and almost fell off my chair — thousands of login attempts per day, all automated.

So here’s a simple, practical way to secure SSH without making your life difficult.


🔹 Step 1 — Check Who Is Currently Allowed to Log In

First, see if root login is enabled.

Open:

sudo nano /etc/ssh/sshd_config

Look for:

PermitRootLogin yes

If it’s yes, then anyone can try logging in as root — which is risky.

We’ll fix that in a moment.


🔑 Step 2 — Create a Normal User (If You Haven't Already)

You should have a regular user with sudo rights.

Create one:

sudo adduser adminuser

Then give sudo:

sudo usermod -aG sudo adminuser

Test it:

su - adminuser
sudo ls /

If that works → you're safe to disable root login later.


🔐 Step 3 — Set Up SSH Key Authentication (Highly Recommended)

On your local computer:

ssh-keygen

Keep pressing Enter unless you want a passphrase.

Your key will usually be here:

~/.ssh/id_rsa.pub

Copy it to the server:

ssh-copy-id adminuser@your_server_ip

If ssh-copy-id isn’t available, manually paste the key into:

~/.ssh/authorized_keys

on the server.

Now test logging in without a password.


🚪 Step 4 — Disable Password Login (So Bots Can't Brute Force)

Once keys work, edit SSH config:

sudo nano /etc/ssh/sshd_config

Set:

PasswordAuthentication no
PermitRootLogin no

Restart SSH:

sudo systemctl restart ssh

(On CentOS/RHEL the service unit is called sshd, so use sudo systemctl restart sshd.)

⚠️ IMPORTANT
Make sure your SSH key login works before doing this.
Otherwise… you lock yourself out. And yes, I’ve done that before 🙃
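Before you restart, it is worth confirming that the two directives really are in effect. The POSIX shell audit below is an added example, not code from the original post: it reads an sshd config file (or a file holding the output of `sshd -T`, which prints the effective merged configuration), applies sshd's first-match rule, and fails if PermitRootLogin or PasswordAuthentication is anything other than `no`. The script name and the sample configs are assumptions.

```shell
#!/bin/sh
# Audit an sshd configuration file for the two settings this guide sets in
# Step 4. Works on /etc/ssh/sshd_config or on a file holding the output of
# `sshd -T` (the effective, merged configuration, including Include'd files).

# effective_value FILE KEY -> prints the value sshd would use for KEY.
# sshd honours the FIRST matching directive, so only the first hit is printed.
# Keys match case-insensitively, commented lines are skipped, and scanning
# stops at the first "Match" block because everything after it is conditional.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per setting; returns 1 if any
# setting is missing or not "no". An absent directive counts as a failure:
# sshd defaults PasswordAuthentication to yes and PermitRootLogin to
# prohibit-password, neither of which is what this guide wants.
audit_sshd_config() {
    file="$1"
    failures=0
    for pair in "PermitRootLogin=no" "PasswordAuthentication=no"; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(effective_value "$file" "$key" | tr 'A-Z' 'a-z')"
        if [ "$got" = "$want" ]; then
            printf 'OK   %s %s\n' "$key" "$got"
        else
            printf 'FAIL %s is "%s", expected "%s"\n' "$key" "${got:-unset}" "$want"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Run directly as: sh audit_sshd.sh /etc/ssh/sshd_config (hypothetical name)
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

To check what sshd will actually use rather than just the file you edited, run `sudo sshd -T > /tmp/sshd-effective.conf` and audit that file; running `sudo sshd -t` before the restart catches syntax errors that would otherwise leave you locked out.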


🔄 Optional — Change SSH Port

This doesn’t replace security, but it reduces bot noise.

In:

sudo nano /etc/ssh/sshd_config

Change the Port line to:

Port 2222

If a firewall is active, allow the new port before restarting (see the UFW tip below), or you will lose access.

Restart SSH:

sudo systemctl restart ssh

Now connect using:

ssh -p 2222 adminuser@your_server_ip

🛡 Step 5 — Install Fail2Ban (To Block Attackers)

Fail2Ban watches logs and bans repeated failures.

Install:

sudo apt install fail2ban

or for CentOS/RHEL:

sudo yum install fail2ban

Start and enable:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Check status:

sudo fail2ban-client status

Bots won’t like you anymore 😄


👁 Step 6 — Check Login Attempts (Very Eye-Opening)

Run:

sudo tail -f /var/log/auth.log

or on CentOS:

sudo tail -f /var/log/secure

You'll probably see:

Failed password for invalid user admin from 45.xxx.xxx.xxx

Once you secure SSH, these attempts stop mattering.


🧩 Bonus Tips

Here are extra things I personally like to do:

✔ Allow only specific users

In sshd_config:

AllowUsers adminuser

✔ Disable SSH if you don’t need public access
Use a VPN instead.

✔ Use a firewall like UFW

sudo ufw allow 2222/tcp
sudo ufw enable

🎯 Final Thoughts

Securing SSH isn’t about being paranoid — it’s about being responsible.

With just a few changes:

✅ No more root login
✅ No more password guessing
✅ Attackers get banned automatically

And best of all…

👉 You sleep better.

Because the internet never stops scanning — but now your server is much harder to break into.
