infraDecoded > Tutorials > Linux Guides > How to Harden SSH Access on Ubuntu

How to Harden SSH Access on Ubuntu

July 19, 2025 Linux Guides

🛡️ Harden SSH Access on Ubuntu (Step-by-Step)

Linux, Windows, Cloud — One Fix at a Time

🔐 Why Harden SSH?

SSH is the gateway to your server. If it’s weak, everything is at risk.

  • SSH is targeted by brute-force bots
  • Default configs leave root open
  • Simple missteps lead to server compromise

This guide helps lock it down — step by step.

🛠️ Step 1: Update Your Server

Always start with the latest security patches:


sudo apt update && sudo apt upgrade -y

🚫 Step 2: Disable Root Login

Direct root SSH access is risky. Disable it:


sudo nano /etc/ssh/sshd_config

Edit the following line:


PermitRootLogin no

🔑 Step 3: Enable SSH Key Authentication

Generate a key pair on your local machine:


ssh-keygen -t rsa -b 4096

Copy the public key to the server:


ssh-copy-id youruser@your_server_ip

🛑 Step 4: Disable Password Authentication

Once key-based login works, disable password access:


sudo nano /etc/ssh/sshd_config


PasswordAuthentication no

🚪 Step 5: Change Default SSH Port

Change from port 22 to avoid scanners:


sudo nano /etc/ssh/sshd_config


Port 2222

Allow it in UFW:


sudo ufw allow 2222/tcp

👥 Step 6: Limit SSH Access to Specific Users

Only allow trusted users:


AllowUsers yourusername

Or use a group:


sudo groupadd sshusers
sudo usermod -aG sshusers yourusername


AllowGroups sshusers

🧱 Step 7: Enable UFW Firewall

Turn on Ubuntu’s firewall and allow SSH:


sudo ufw enable
sudo ufw allow 2222/tcp

🛡️ Step 8: Prevent Brute-Force with Fail2Ban

Install Fail2Ban:


sudo apt install fail2ban -y

Create the config:


sudo nano /etc/fail2ban/jail.local


[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Restart the service:


sudo systemctl restart fail2ban

🔄 Step 9: Restart SSH Service

Apply your changes:


sudo systemctl restart sshd

Tip: Open a second session to test before logging out!

✅ SSH Hardening Summary

  • Ubuntu updated
  • Root login disabled
  • SSH key authentication enabled
  • Password login disabled
  • SSH port changed
  • Firewall configured
  • Fail2Ban running
  • Only allowed users permitted

📝 Final Thoughts

SSH is the most targeted service on any server. Harden it first — always.

Keep logs checked with:


sudo tail -f /var/log/auth.log

This one-time setup gives you a long-term security shield.

Thanks for reading. Visit InfraDecoded.com for more tutorials!

Helping you fix Linux, Windows, and Cloud — one step at a time.

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow Us
News, Insights & Events

Related articles