Security & Monitoring

OpenSSH Server Hardening Cheatsheet

Complete guide to hardening OpenSSH servers covering authentication methods, security settings, connection configuration, feature restrictions, logging, monitoring, and regular maintenance for secure SSH access.

#openssh #ssh #security #hardening #server-security #authentication

Ground your SSH strategy in platform data—start from the VPSMetrics home base and track how access controls impact uptime in the performance dashboard.

When picking hardened infrastructure, dive into the benchmark library, stack providers side-by-side in the VPS comparison tool, and review vendor policies in the provider directory.

Sign In to Download

Free account required

SSH Configuration File

Main configuration file: 
/etc/ssh/sshd_config
After making changes, always test the configuration and restart the SSH service: 
$ sudo sshd -t                    # Test configuration
$ sudo systemctl restart sshd     # Restart SSH service

Table of Contents

1. Essential Security Settings 2. Authentication Configuration 3. Connection Settings 4. Feature Restrictions 5. Logging & Monitoring 6. Firewall Integration 7. Maintenance & Auditing 8. Quick Reference Commands

Essential Security Settings

Core security configurations that should be implemented on every SSH server.

Keep OpenSSH Up to Date

Regularly update OpenSSH to patch security vulnerabilities and get the latest features.

Ubuntu/Debian: 
$ sudo apt update
$ sudo apt upgrade openssh-server
CentOS/RHEL: 
$ sudo yum update openssh-server
Check version: 
$ ssh -V

Disable SSH Root Logins

Prevent direct root access via SSH. Use sudo for administrative tasks instead.

# Edit /etc/ssh/sshd_config
PermitRootLogin no
Important: Ensure you have a non-root user with sudo privileges before disabling root login!

Change Default Port

Change SSH from default port 22 to reduce automated attacks. Choose a port between 1024-65535.

# Edit /etc/ssh/sshd_config
Port 2222

# Don't forget to update firewall rules
$ sudo ufw allow 2222/tcp
$ sudo ufw delete allow 22/tcp

Disable Unused SSH Features (SSHv1)

Disable deprecated SSH protocol version 1 and other unused features.

# Edit /etc/ssh/sshd_config
Protocol 2
Note: Modern OpenSSH versions (7.0+) only support Protocol 2 by default. This setting may not be needed on newer installations.

When the basics are locked down, cross-check broader system tasks with the Linux hardening checklist, and validate network exposure using the diagnostics tools hub before rolling updates to production.

Authentication Configuration

Configure secure authentication methods to protect against unauthorized access.

Use SSH Keys with Passphrases

Generate and use SSH key pairs for authentication. Always protect keys with strong passphrases.

Generate SSH key pair: 
$ ssh-keygen -t ed25519 -C "[email protected]"
# Or use RSA with 4096 bits
$ ssh-keygen -t rsa -b 4096 -C "[email protected]"
Copy public key to server: 
$ ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server
Enable public key authentication: 
# Edit /etc/ssh/sshd_config
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Disable Password-Based SSH Login

After setting up SSH keys, disable password authentication to prevent brute-force attacks.

# Edit /etc/ssh/sshd_config
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Warning: Test SSH key login thoroughly before disabling password authentication!

Disable User SSH Passwordless Connection Requests

Prevent connections without any authentication.

# Edit /etc/ssh/sshd_config
PermitEmptyPasswords no

Configure a Limit for Password Attempts

Limit the number of authentication attempts per connection to prevent brute-force attacks.

# Edit /etc/ssh/sshd_config
MaxAuthTries 3
MaxSessions 2

Implement Two-Factor Authentication (2FA)

Add an extra layer of security with Google Authenticator or similar TOTP solutions.

Install Google Authenticator: 
$ sudo apt install libpam-google-authenticator
Configure PAM: 
# Add to /etc/pam.d/sshd
auth required pam_google_authenticator.so
Enable in SSH config: 
# Edit /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Setup for user: 
$ google-authenticator

Reinforce identity workflows with the Linux hardening checklist, and keep testing credential flows using the automation recipes in our security tools library.

Connection Settings

Configure connection timeouts and session limits to prevent resource exhaustion.

Configure SSH Idle Timeout

Automatically disconnect idle SSH sessions to prevent unauthorized access from unattended terminals.

# Edit /etc/ssh/sshd_config
ClientAliveInterval 300        # Send keepalive every 5 minutes
ClientAliveCountMax 2          # Disconnect after 2 failed keepalives (10 minutes total)
Calculation: Timeout = ClientAliveInterval × ClientAliveCountMax = 300 × 2 = 600 seconds (10 minutes)

Set Login Grace Time

Limit the time window for completing authentication to prevent connection hoarding.

# Edit /etc/ssh/sshd_config
LoginGraceTime 30              # 30 seconds to complete login

Funnel these signals into the monitoring toolset, correlate spikes with infrastructure metrics on the performance dashboard, and rehearse your response plans with the ethical hacking roadmap.

Feature Restrictions

Disable unnecessary features to reduce attack surface and potential vulnerabilities.

Disable X11 Forwarding

Disable X11 forwarding unless explicitly required for GUI applications over SSH.

# Edit /etc/ssh/sshd_config
X11Forwarding no

Disable TCP/Port Forwarding

Prevent SSH tunneling unless needed for specific use cases.

# Edit /etc/ssh/sshd_config
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no

Disable Agent Forwarding

Disable SSH agent forwarding to prevent key hijacking vulnerabilities.

# Edit /etc/ssh/sshd_config
AllowAgentForwarding no

Restrict User Access

Limit SSH access to specific users or groups only.

# Edit /etc/ssh/sshd_config
# Allow specific users only
AllowUsers user1 user2

# Or allow specific groups only
AllowGroups sshusers

# Deny specific users
DenyUsers baduser1 baduser2

Validate every rule with the port scanner, and compare provider network policies through the VPS comparison tool before you replicate firewall templates across data centers.

Logging & Monitoring

Enable comprehensive logging and monitoring to detect and respond to security incidents.

Enable SSH Logging

Configure detailed logging for all SSH activities.

# Edit /etc/ssh/sshd_config
LogLevel VERBOSE               # Or INFO for less detail
SyslogFacility AUTH

Monitor SSH Logs

Regularly review SSH logs for suspicious activities.

View SSH authentication logs: 
$ sudo tail -f /var/log/auth.log          # Ubuntu/Debian
$ sudo tail -f /var/log/secure            # CentOS/RHEL
Check failed login attempts: 
$ sudo grep "Failed password" /var/log/auth.log
Check successful logins: 
$ sudo grep "Accepted" /var/log/auth.log

Install & Configure Fail2Ban

Automatically ban IPs with multiple failed login attempts.

Install Fail2Ban: 
$ sudo apt install fail2ban
Configure SSH jail: 
# Create /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
Restart Fail2Ban: 
$ sudo systemctl restart fail2ban
$ sudo fail2ban-client status sshd

Document each review in your runbooks, sync schedules with the Linux hardening checklist, and confirm audit cadence with teams via the contact channel if you need tailored guidance.

Firewall Integration

Configure firewall rules to restrict SSH access and add an extra layer of protection.

Implement Firewall Rules (UFW)

Configure UFW to allow SSH only from trusted IPs or networks.

Basic UFW setup: 
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw allow 22/tcp
$ sudo ufw enable
Allow SSH from specific IP: 
$ sudo ufw allow from 192.168.1.100 to any port 22
Allow SSH from subnet: 
$ sudo ufw allow from 192.168.1.0/24 to any port 22
Rate limiting: 
$ sudo ufw limit 22/tcp

iptables Firewall Rules

Alternative firewall configuration using iptables.

Allow SSH with rate limiting: 
$ sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
$ sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
Allow from specific IP: 
$ sudo iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -j ACCEPT

Maintenance & Auditing

Regular maintenance and auditing practices to keep your SSH server secure.

Regularly Audit SSH Server Configuration

Periodically review and test your SSH configuration for security compliance.

Test SSH configuration: 
$ sudo sshd -t                    # Test for syntax errors
Review active SSH connections: 
$ who                             # Show logged in users
$ w                               # Show who is logged in and what they're doing
Review authorized keys: 
$ cat ~/.ssh/authorized_keys      # Check your authorized keys
Audit with ssh-audit: 
$ sudo apt install ssh-audit
$ ssh-audit localhost

Key Management Best Practices

Maintain good SSH key hygiene and management practices.

  • Rotate SSH keys regularly (every 6-12 months)
  • Remove unused keys from authorized_keys file
  • Use different keys for different servers/purposes
  • Set proper permissions: chmod 600 ~/.ssh/authorized_keys
  • Revoke keys immediately when employees leave
  • Document which keys are authorized and why

Quick Reference Commands

Essential commands for managing your SSH server.

Test SSH configuration

$ sudo sshd -t

Restart SSH service

$ sudo systemctl restart sshd
$ sudo systemctl status sshd

View current SSH configuration

$ sudo sshd -T

Check active SSH connections

$ sudo netstat -tnpa | grep 'ESTABLISHED.*sshd'
$ ss -o state established '( dport = :ssh or sport = :ssh )'

Kill specific SSH session

$ sudo pkill -9 -t pts/0          # Replace pts/0 with the actual terminal

Generate strong SSH key

$ ssh-keygen -t ed25519 -a 100 -C "comment"
$ ssh-keygen -t rsa -b 4096 -C "comment"

Backup SSH configuration

$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d)

OpenSSH Hardening Checklist Summary

Keep OpenSSH Up to Date
Implement Two-Factor Authentication
Change Default Port
Configure SSH Idle Timeout
Enable SSH Logging
Use SSH Keys with Passphrases
Implement Firewall Rules
Monitor SSH Logs
Disable Password-Based Login
Disable SSHv1 Protocol
Regular Configuration Audits
Disable Passwordless Connections
Disable SSH Root Logins
Limit Password Attempts
Disable X11 Forwarding
Use Public Key Authentication
Back to Cheatsheets

Secure Your VPS Infrastructure

SSH security is critical for protecting your servers. Find secure, reliable VPS providers with excellent security features and performance benchmarks on VPSMetrics.

View VPS Benchmarks More Cheatsheets

Want to understand how we test? Meet the team on the About page, and share your SSH automation questions through the contact form. Before storing log data, review our privacy policy to align on data handling.

Keep iterating with real-time metrics from the performance dashboard, and expand your playbook with the Linux networking cheatsheet plus our ethical hacking roadmap for offense-informed defense.