UnderHost
Knowledgebase Docs

SSH hardening: key security practices for servers

Harden SSH security on your VPS or dedicated server. Disable root login, use SSH keys, change default port, firewall rules, fail2ban, and regular updates.


SSH (Secure Shell) is critical infrastructure for managing a VPS or dedicated server. A poorly configured SSH service is one of the most common attack vectors. This guide covers industry-standard hardening techniques to secure your server from unauthorized access, brute force attacks, and exploitation.

Why SSH hardening matters

Attackers constantly scan the internet for SSH servers with weak configurations. Common attack patterns include:

  • Brute force attacks - Attempting thousands of password combinations on default accounts like root
  • Dictionary attacks - Using lists of common passwords against known usernames
  • Exploiting outdated SSH versions - Using known vulnerabilities in unpatched SSH daemons
  • Root account compromise - Gaining direct root access if password authentication is allowed

The techniques in this guide mitigate these threats through defense-in-depth.

1. Use SSH key authentication instead of passwords

SSH key authentication is far stronger than password authentication because:

  • Keys cannot practically be brute-forced: guessing a 2048-bit or 4096-bit RSA key is computationally infeasible
  • The private key never leaves your machine; only a cryptographic proof of possession is sent over the network
  • There is no password to guess or intercept

Generate an SSH key pair (if you don't have one)

On your local computer (Windows/Mac/Linux):

ssh-keygen -t rsa -b 4096 -f ~/.ssh/underhost_key -C "your-email@example.com"

This creates:

  • ~/.ssh/underhost_key - Your private key (KEEP SECRET)
  • ~/.ssh/underhost_key.pub - Your public key (goes on server)

Add your public key to the server

Step 1: Connect to your server with your password

ssh root@your-server-ip

Step 2: Create .ssh directory and authorized_keys file

mkdir -p ~/.ssh
chmod 700 ~/.ssh

Step 3: Add your public key

echo "YOUR_PUBLIC_KEY_CONTENT_HERE" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Replace YOUR_PUBLIC_KEY_CONTENT_HERE with the contents of your underhost_key.pub file.

Step 4: Test key login (don't disconnect yet!)

ssh -i ~/.ssh/underhost_key root@your-server-ip

If this works, keep the connection open before disabling password auth.
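The four steps above as one reusable shell function (an added example, not part of the UnderHost article): it checks that the file really holds an OpenSSH public key line, creates the directory and file with the permissions the guide requires, and appends the key only if it is not already authorized. The paths are parameters so you can try it on a scratch directory before touching a real ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the UnderHost article): install a public key into
# authorized_keys idempotently, with a format check and the permissions the
# guide requires. Usage: install_pubkey PUBKEY_FILE SSH_DIR
install_pubkey() {
    pubkey_file="$1"   # e.g. the underhost_key.pub you copied to the server
    ssh_dir="$2"       # e.g. ~/.ssh
    key_line=$(head -n 1 "$pubkey_file")

    # An OpenSSH public key line is "<type> <base64> [comment]".
    set -- $key_line
    [ $# -ge 2 ] || { echo "refusing to install: malformed key line" >&2; return 1; }
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing to install: unknown key type '$1'" >&2; return 1 ;;
    esac

    # sshd ignores authorized_keys if the directory or file is group/world accessible.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    auth="$ssh_dir/authorized_keys"
    touch "$auth" && chmod 600 "$auth"

    # Append only if this exact line is not present yet (-F fixed string, -x whole line).
    if grep -qxF "$key_line" "$auth"; then
        echo "key already authorized"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth"
    echo "key added"
}
```

Running it twice with the same key leaves a single authorized_keys entry, and a file that is not a public key is rejected before anything is written.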

2. Disable root login and password authentication

The root account is the most common target for brute force attacks. Disable root login as soon as your SSH keys are set up. Before you do, confirm that a non-root user (the your-user account used later in this guide) has your public key in its own ~/.ssh/authorized_keys and can log in, because once PermitRootLogin is set to no a key in root's authorized_keys alone will no longer get you in.

Edit SSH configuration

nano /etc/ssh/sshd_config

Find and change these lines:

Setting                      | Change to                  | Why
PermitRootLogin yes          | PermitRootLogin no         | Prevent root login entirely
#PasswordAuthentication yes  | PasswordAuthentication no  | Allow only SSH keys
#PubkeyAuthentication yes    | PubkeyAuthentication yes   | Enable key auth (uncomment if needed)

After editing, restart SSH:

systemctl restart sshd

TEST BEFORE DISABLING PASSWORD AUTH

Do NOT disable password authentication until you've tested SSH key login works. If you lock yourself out, you may need console access (IPMI) to regain access.

3. Change the default SSH port

SSH listens on port 22 by default, which is the first port automated scanners probe. Moving it to an unpredictable port removes most of that automated noise from your logs. It does not stop a targeted attacker, so treat it as one layer on top of key-only authentication and the firewall rules in this guide, not as a replacement for them.

Change SSH port

nano /etc/ssh/sshd_config

Find the line:

#Port 22

Change it to a port of your choosing between 1024 and 65535 (e.g., 42571):

Port 42571

Restart SSH:

systemctl restart sshd

Update firewall rules

Make sure your firewall allows the new port:

ufw allow 42571/tcp
ufw reload

Then connect using the new port:

ssh -i ~/.ssh/underhost_key -p 42571 your-user@your-server-ip

Update any scripts or tools that connect to SSH to use the new port number.
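The sshd_config edits from sections 2 and 3 as one shell function (an added example, not from the UnderHost article): it rewrites an existing or commented-out directive in place instead of appending a duplicate, and assumes a single sshd_config without Match blocks. One caveat worth checking on your own server: sshd keeps the first value it reads for each keyword, so if your sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, a drop-in file there that still says PasswordAuthentication yes wins over this file.

```shell
#!/bin/sh
# Added example (not from the UnderHost article): apply the sshd_config changes
# from sections 2 and 3 idempotently. Assumes a plain sshd_config with no Match
# blocks; the path is a parameter so you can run it on a copy first.

# Set KEY to VALUE: rewrite any existing or commented-out line, else append.
set_sshd_option() {
    cfg="$1"; key="$2"; value="$3"
    if grep -qE "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$cfg"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# Effective value of KEY: sshd uses the first uncommented occurrence it reads.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# The settings from sections 2 and 3; PORT is the custom port you picked.
harden_sshd_config() {
    cfg="$1"; port="$2"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" Port "$port"
}

# Syntax-check before restarting: a broken file would leave sshd down.
validate_sshd_config() {
    sshd -t -f "$1"
}

# Typical run on the live file (as root), keeping a backup to restore from console:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 42571 \
#     && validate_sshd_config /etc/ssh/sshd_config && systemctl restart sshd
```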

4. Firewall rules for SSH

Restrict SSH access to trusted IP addresses only:

ufw delete allow 42571/tcp
ufw allow from 203.0.113.0/24 to any port 42571 proto tcp
ufw deny 42571/tcp
ufw reload

Replace 203.0.113.0/24 with your office or home IP range. ufw evaluates rules in the order they were added, so the broad allow rule from step 3 is deleted first; if it stayed, it would match before the deny rule and leave the port open to everyone. Run these commands from an address inside the range you are allowing, since a typo in the range locks you out.

If you don't know your IP:

curl ifconfig.me

5. Install fail2ban for brute force protection

fail2ban automatically blocks IP addresses that attempt too many failed SSH logins.

Install fail2ban

apt update && apt install fail2ban -y

Configure SSH jail

nano /etc/fail2ban/jail.local

Add:

[sshd]
enabled = true
port = 42571
logpath = /var/log/auth.log
maxretry = 5
findtime = 600
bantime = 3600

This bans an IP for 1 hour (bantime 3600 s) once it has 5 failed logins (maxretry) within 10 minutes (findtime 600 s). On systems without rsyslog, where sshd logs only to the systemd journal (the Debian 12 default), /var/log/auth.log does not exist and the jail will not start; set backend = systemd in the [sshd] section and drop the logpath line.

Restart fail2ban:

systemctl restart fail2ban

Check ban status:

fail2ban-client status sshd
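To see what the jail above actually does, here is its ban rule replayed over constructed auth.log lines in shell and awk (an added example, not part of the article or of fail2ban): an IP is banned as soon as it reaches maxretry failures inside the findtime window, which is why five attempts spaced 15 minutes apart stay unbanned while five within four minutes do not.

```shell
#!/bin/sh
# Added example (not from the UnderHost article or fail2ban): replay the sshd
# jail rule (maxretry failures within findtime seconds) over auth.log lines.
# The log lines below are constructed samples in the traditional syslog format.
SAMPLE_LOG=$(cat <<'EOF'
Jan 12 10:00:01 vps sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 12 10:01:10 vps sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Jan 12 10:02:30 vps sshd[1203]: Failed password for root from 198.51.100.7 port 40141 ssh2
Jan 12 10:03:05 vps sshd[1204]: Failed password for root from 198.51.100.7 port 40150 ssh2
Jan 12 10:04:44 vps sshd[1205]: Failed password for root from 198.51.100.7 port 40163 ssh2
Jan 12 10:05:00 vps sshd[1206]: Accepted publickey for deploy from 203.0.113.20 port 50010 ssh2
Jan 12 10:05:30 vps sshd[1207]: Failed password for root from 192.0.2.9 port 51000 ssh2
Jan 12 10:20:00 vps sshd[1208]: Failed password for root from 192.0.2.9 port 51001 ssh2
Jan 12 10:35:00 vps sshd[1209]: Failed password for root from 192.0.2.9 port 51002 ssh2
Jan 12 10:50:00 vps sshd[1210]: Failed password for root from 192.0.2.9 port 51003 ssh2
Jan 12 11:05:00 vps sshd[1211]: Failed password for root from 192.0.2.9 port 51004 ssh2
EOF
)

# Prints each IP that would be banned, one per line, in the order the bans happen.
# Usage: banned_ips MAXRETRY FINDTIME < logfile   (lines assumed to be from one day)
banned_ips() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # Seconds since midnight from the HH:MM:SS field.
            split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
            ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            if (ip == "" || banned[ip]) next
            n[ip]++; ts[ip, n[ip]] = now
            # Count this IP failures inside the findtime window ending now.
            hits = 0
            for (j = 1; j <= n[ip]; j++) if (ts[ip, j] >= now - findtime) hits++
            if (hits >= maxretry) { banned[ip] = 1; print ip }
        }'
}

printf '%s\n' "$SAMPLE_LOG" | banned_ips 5 600   # prints 198.51.100.7 only
```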

6. Keep SSH updated

Security patches fix vulnerabilities. Keep your system and SSH daemon updated:

apt update && apt upgrade -y

Check your SSH version:

ssh -V

Subscribe to security advisories for your operating system.

SSH Hardening Checklist

Before hardening, ensure you can regain access

Have console/IPMI access available in case you lock yourself out. UnderHost provides IPMI console access via CustomerPanel.

Use this checklist to verify your SSH hardening:

  • ☐ Generated SSH key pair locally
  • ☐ Copied public key to server's ~/.ssh/authorized_keys
  • ☐ Tested SSH key login works
  • ☐ Set PermitRootLogin no in sshd_config
  • ☐ Set PasswordAuthentication no in sshd_config
  • ☐ Changed SSH port from 22 to custom port
  • ☐ Updated firewall rules to allow new SSH port
  • ☐ Tested SSH login on new port works
  • ☐ Installed and configured fail2ban
  • ☐ Ran apt update && apt upgrade -y
  • ☐ Verified SSH version is current
  • ☐ Document your custom SSH port somewhere safe
