Linux VPS SSH Hardening: Port, Keys, Fail2Ban
Harden SSH security on your Linux VPS: port changing, key-based authentication, Fail2Ban setup, and sshd_config settings. Step-by-step security guide.
Can Kaya
Security Specialist
When you set up a new Linux VPS, the SSH service starts running on port 22 with default settings and allows root login with a password. This configuration is the first target of automated brute-force bots. SSH hardening is the first and most critical step you need to take to prevent unauthorized access to your server. In this guide, we'll walk through key-based authentication, sshd_config optimization, port changes, and Fail2Ban setup step by step.
Why Is SSH Hardening Necessary?
An SSH service exposed to the internet becomes a target of automated scanning bots within minutes. These bots perform brute-force attacks using common usernames (root, admin, ubuntu) and leaked password databases. The risks of default SSH configuration:
-
Port 22 is the default target All automated scanners try port 22 first. Using a different port significantly reduces scanning noise.
-
Password-based login can be cracked Even a strong password can be found in leaked databases. SSH keys with 4096-bit RSA or Ed25519 are cryptographically practically impossible to crack.
-
Direct root access risk Direct login as root means full system control in case of a successful attack. A regular user + sudo structure provides an additional security layer.
Key-Based Authentication
An SSH key pair creates a private key (stays on your computer) and a public key (uploaded to the server). During connection, the server performs cryptographic verification with your private key; no password is transmitted.
Step 1: Generate a Key Pair (Local Computer)
# Generate Ed25519 key (modern and secure)
ssh-keygen -t ed25519 -C "[email protected]"
# RSA 4096-bit alternative for older systems
ssh-keygen -t rsa -b 4096 -C "[email protected]"
# It will ask for a passphrase - always set a strong passphrase
# Keys: ~/.ssh/id_ed25519 (private) and ~/.ssh/id_ed25519.pub (public)Step 2: Upload the Public Key to the Server
# Automatic upload with ssh-copy-id
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server-ip
# Manual upload (if ssh-copy-id is not available)
cat ~/.ssh/id_ed25519.pub | ssh user@server-ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"⚠️ Important Warning: Always test that key-based login works before disabling password authentication. Open a new terminal window and connect with ssh -i ~/.ssh/id_ed25519 user@server-ip. If you can log in without being asked for a password, you can safely proceed.
sshd_config Security Settings
The SSH server configuration is located in the /etc/ssh/sshd_config file. By applying the following settings, you can significantly improve security.
# Force Protocol 2 (old protocol 1 is insecure)
Protocol 2
# Disable root login
PermitRootLogin no
# Disable password login (key required)
PasswordAuthentication no
ChallengeResponseAuthentication no
# Enable key-based login
PubkeyAuthentication yes
# Prevent login with empty password
PermitEmptyPasswords no
# Maximum authentication attempts
MaxAuthTries 3
# Concurrent session limit
MaxSessions 3
# Login timeout (seconds)
LoginGraceTime 30
# Disable X11 forwarding (unnecessary on servers)
X11Forwarding no
# Allow only specific users
AllowUsers deployer
# Connection keepalive check (every 60 sec, 3 attempts)
ClientAliveInterval 60
ClientAliveCountMax 3Restart the SSH service to apply changes:
# Validate configuration (shows errors if any)
sudo sshd -t
# If no errors, restart the service
sudo systemctl restart sshdChanging the SSH Port
Changing the port alone doesn't provide security (security through obscurity), but it eliminates 99% of automated scanning bots and dramatically reduces log noise. Choose a port between 1024-65535 that doesn't conflict with known services.
# 1. Change the port in sshd_config
sudo sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config
# 2. Open the new port in the firewall (DO THIS FIRST!)
sudo ufw allow 2222/tcp
# 3. Restart the SSH service
sudo systemctl restart sshd
# 4. Test connection on the new port (SEPARATE terminal window)
ssh -p 2222 deployer@server-ip
# 5. If successful, close the old port
sudo ufw delete allow 22/tcp💡 Tip: You can avoid specifying the port each time by adding server details to the ~/.ssh/config file on your local computer: Host myserver → HostName server-ip → Port 2222 → User deployer
Brute-Force Protection with Fail2Ban
Fail2Ban monitors log files and automatically blocks IP addresses that make a certain number of failed login attempts using firewall rules.
# Installation
sudo apt install fail2ban -y
# Create local configuration file (don't edit jail.conf)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local[DEFAULT]
# Ban duration (1 hour)
bantime = 3600
# Monitoring window (10 minutes)
findtime = 600
# Maximum failed attempts
maxretry = 3
# Ban method
banaction = ufw
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
# Progressive banning for repeat offenders
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 604800# Start and enable the service
sudo systemctl enable --now fail2ban
# Check SSH jail status
sudo fail2ban-client status sshd
# List banned IPs
sudo fail2ban-client status sshd | grep "Banned IP"
# Unban an accidentally banned IP
sudo fail2ban-client set sshd unbanip 1.2.3.4Additional Security Measures
Security Checklist
| Measure | Impact Level | Difficulty |
|---|---|---|
| Key-based login + disable password | Very High | Easy |
| Disable root login | High | Easy |
| Fail2Ban setup | High | Easy |
| Port change | Medium | Easy |
| User restriction with AllowUsers | High | Easy |
| Two-factor authentication (2FA) | Very High | Medium |
For more comprehensive information on server security, check out the official OpenSSH sshd_config documentation. You can also easily apply these security steps on Hosted Cloud cloud servers.
Frequently Asked Questions
Does changing the SSH port really improve security?
It doesn't provide security on its own, but the vast majority of automated scanning bots only scan port 22. Changing the port reduces log noise and blocks non-targeted attacks. The real security comes from key-based login and Fail2Ban.
What happens if I lose my SSH key?
If password login is disabled and you've lost your only key, you won't be able to access the server via SSH. Therefore: (1) back up your key in a secure location, (2) make sure your provider has console access (VNC/IPMI), (3) authorize multiple keys.
Should I use Ed25519 or RSA?
Prefer Ed25519. It provides equivalent security to RSA 4096-bit with a shorter key size (256-bit), and signing and verification operations are faster. Only use RSA 4096-bit if you need compatibility with very old systems.
What should I do if Fail2Ban bans my own IP?
Connect to the server through your provider's web console or VNC access and run sudo fail2ban-client set sshd unbanip YOUR-IP. To prevent this, add the line ignoreip = 127.0.0.1/8 YOUR-STATIC-IP in the jail.local file.
Conclusion
SSH hardening is the cornerstone of VPS security. Switching to key-based authentication, disabling root login, installing Fail2Ban, and changing the SSH port - these four steps block the vast majority of unauthorized access attempts to your server. Always test from a separate terminal window before applying changes and make sure your provider's console access is active.
Looking for a Secure and High-Performance VPS?
Get full root access, DDoS protection, and 24/7 technical support with Hosted Cloud cloud servers. Build your SSH security solid from day one.
Explore Cloud Server Plans →Can Kaya
Security Specialist
CISSP-certified security expert creating content on cybersecurity, DDoS protection, and server hardening.
Comments coming soon