
Harden SSH Access on Linux Servers

Secure your SSH configuration by disabling password authentication, changing the default port, and using fail2ban.

intermediate
10 min read
LightYear Docs Team
Updated April 24, 2026
Tags: ssh, security, hardening, fail2ban, linux

[Figure: Security Architecture Diagram]

SSH is the primary attack surface for Linux servers. Hardening SSH access significantly reduces the risk of unauthorised access.

Step 1 — Disable Password Authentication

Edit the SSH daemon configuration:

>_BASH
$ nano /etc/ssh/sshd_config

Set these values:

INI
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 3
LoginGraceTime 20

Restart SSH:

>_BASH
$ systemctl restart sshd

[!WARNING] Ensure your SSH key is working before disabling password authentication. Test in a second terminal session first.
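Added example (not part of the original LightYear guide): sshd uses the first value it reads for each keyword, and an included drop-in file can take precedence over what you set in `sshd_config`, so check the effective configuration that `sshd -T` prints rather than the file you edited. The `audit_sshd` function and the sample input are constructed for illustration; accepting values stricter than the Step 1 numbers is an assumption.

```shell
#!/usr/bin/env bash
# Added example: compare effective sshd settings with the Step 1 values.
# Input format is that of `sshd -T`: one lowercase "keyword value" pair per line.

# audit_sshd reads the effective config on stdin, prints one line per deviation
# and returns 0 only if every Step 1 setting is in effect.
audit_sshd() {
  awk '
    BEGIN {
      want["passwordauthentication"] = "no"
      want["pubkeyauthentication"]   = "yes"
      want["permitrootlogin"]        = "no"
      # Assumption: values stricter than the page (e.g. MaxAuthTries 2) also pass.
      max["maxauthtries"]   = 3
      max["logingracetime"] = 20    # seconds
    }
    # Keep the first value per keyword, matching sshd first-match-wins parsing.
    { k = tolower($1); if (!(k in val)) val[k] = tolower($2) }
    END {
      bad = 0
      for (k in want) {
        if (!(k in val))            { printf "MISSING %s (want %s)\n", k, want[k]; bad = 1 }
        else if (val[k] != want[k]) { printf "FAIL %s=%s (want %s)\n", k, val[k], want[k]; bad = 1 }
      }
      for (k in max) {
        if (!(k in val)) { printf "MISSING %s (want 1..%d)\n", k, max[k]; bad = 1; continue }
        n = val[k] + 0   # non-numeric text becomes 0 and is rejected below
        # 0 is rejected too: LoginGraceTime 0 means "no time limit".
        if (n < 1 || n > max[k]) { printf "FAIL %s=%s (want 1..%d)\n", k, val[k], max[k]; bad = 1 }
      }
      exit bad
    }'
}

# Constructed sample of `sshd -T` output: password logins are still in effect
# and the two limits are at the OpenSSH defaults.
sample='passwordauthentication yes
pubkeyauthentication yes
permitrootlogin no
maxauthtries 6
logingracetime 120'

printf '%s\n' "$sample" | audit_sshd || echo "effective sshd settings differ from Step 1"
# On a server (as root): sshd -t && sshd -T | audit_sshd
```

Running `sshd -t` first validates the syntax of the configuration, which is worth doing before every restart of the daemon.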

Step 2 — Change the Default SSH Port (Optional)

Changing the SSH port from 22 reduces automated scanning noise:

INI
Port 2222

Update your firewall to allow the new port:

>_BASH
$ ufw allow 2222/tcp
$ ufw delete allow 22/tcp

Connect with the new port:

>_BASH
$ ssh -p 2222 deploy@YOUR_SERVER_IP

Step 3 — Install and Configure fail2ban

fail2ban monitors log files and bans IP addresses that show signs of malicious activity, such as too many failed login attempts:

>_BASH
$ apt install -y fail2ban

Create a local configuration file:

>_BASH
$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ nano /etc/fail2ban/jail.local

Update the SSH jail settings:

INI
[sshd]
enabled  = true
port     = 2222
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
bantime  = 3600
findtime = 600

Start and enable fail2ban:

>_BASH
$ systemctl enable fail2ban
$ systemctl start fail2ban

Check banned IPs:

>_BASH
$ fail2ban-client status sshd
OUTPUT
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     47
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 3
   |- Total banned:     12
   `- Banned IP list:   192.168.1.100 10.0.0.5 203.0.113.1

Step 4 — Use SSH Key Types

Prefer Ed25519 keys over RSA for better security and performance:

>_BASH
$ ssh-keygen -t ed25519 -C "server-access-key"

If you must use RSA, use at least 4096 bits:

>_BASH
$ ssh-keygen -t rsa -b 4096 -C "server-access-key"

Step 5 — Restrict SSH Access by IP (via Firewall)

The most effective protection is to restrict SSH access to known IP addresses in your LightYear firewall group:

| Protocol | Port | Source | Description |
|----------|------|--------|-------------|
| TCP | 2222 | 203.0.113.10/32 | SSH from office |
| TCP | 2222 | 198.51.100.5/32 | SSH from home |

[!TIP] Use a VPN (like WireGuard) to access SSH rather than exposing the SSH port at all. This provides the strongest protection.
