🛡️ SSH Server Hardening Checklist

Checklist Method 1: Linux Server

Use this document to track the implementation and verification of security measures on your Linux server.

Step 1: Key-Based Authentication

| Status (✅/❌) | Step # | Action Required | Command / Configuration Check |
| --- | --- | --- | --- |
| | 1.1 | Generate ED25519 Key Pair (Local Machine) | `ssh-keygen -t ed25519` |
| | 1.2 | Set a strong passphrase for the private key. | (Done during generation) |
| | 1.3 | Copy the Public Key to the server. | `ssh-copy-id user@server_ip` |
| | 1.4 | Test login using only the key and passphrase. | `ssh user@server_ip` |

Step 2: Disable Password Login

| Status (✅/❌) | Step # | Action Required | Command / Configuration Check |
| --- | --- | --- | --- |
| | 2.1 | Edit the SSH config file. | `sudo nano /etc/ssh/sshd_config` |
| | 2.2 | Set PasswordAuthentication to no. | `PasswordAuthentication no` |
| | 2.3 | Set PermitRootLogin to no. | `PermitRootLogin no` |
| | 2.4 | Restart the SSH service. | `sudo systemctl restart ssh` |

Step 3: Change Default Port

| Status (✅/❌) | Step # | Action Required | Command / Configuration Check |
| --- | --- | --- | --- |
| | 3.1 | Edit the SSH config file. | `sudo nano /etc/ssh/sshd_config` |
| | 3.2 | Set Port to a custom port (e.g., 2222). | `Port 2222` |
| | 3.3 | Open the new port in the firewall. | `sudo ufw allow 2222/tcp` |
| | 3.4 | Restart the SSH service. | `sudo systemctl restart ssh` |

Step 4: Install and Configure Fail2ban

| Status (✅/❌) | Step # | Action Required | Command / Configuration Check |
| --- | --- | --- | --- |
| | 4.1 | Install Fail2ban. | `sudo apt install fail2ban` or `sudo yum install fail2ban` |
| | 4.2 | Create a local configuration copy. | `sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local` |
| | 4.3 | Enable the [sshd] jail and set the custom port. | `enabled = true` and `port = 2222` in `jail.local` |
| | 4.4 | Start/Enable Fail2ban. | `sudo systemctl enable --now fail2ban` |
| | 4.5 | Verify Fail2ban status. | `sudo fail2ban-client status sshd` |

Troubleshooting & Verification (Post-Setup)

| Status (✅/❌) | Step # | Action Required | Command / Configuration Check |
| --- | --- | --- | --- |
| | T.1 | Verify correct permissions on the local private key. | `chmod 400 ~/.ssh/id_ed25519` |
| | T.2 | Verify correct permissions on server's .ssh directory. | `chmod 700 ~/.ssh` (on server) |
| | T.3 | Verify correct permissions on server's authorized_keys. | `chmod 600 ~/.ssh/authorized_keys` (on server) |
| | T.4 | Confirm connecting via the new custom port works. | `ssh -p 2222 user@server_ip` |
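
Steps 2.2, 2.3 and 3.2 edit `sshd_config`, but nothing in the checklist confirms which value sshd will actually use when a keyword appears more than once. The script below is an added example (not part of the original checklist; function names are hypothetical and the sample configs are constructed) that audits those three settings using sshd's rule that the first value read for a keyword wins.

```sh
# Added example, not part of the original checklist; function names are hypothetical.
# Print every value set for keyword $1 in the config text on stdin: skips
# comments and blank lines, lowercases, stops at the first Match block.
sshd_values() {
  awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/ { next }
    { k = tolower($1) }
    k == "match" { exit }
    k == key     { print tolower($2) }'
}
# sshd uses the FIRST value it reads for a keyword, so a fix appended at the
# bottom of the file is ignored when an earlier line says otherwise.
sshd_first() { sshd_values "$1" | head -n 1; }

# Audit config text on stdin (steps 2.2, 2.3, 3.2); returns the failure count.
audit_sshd() {
  cfg=$(cat); fails=0
  for kw in PasswordAuthentication PermitRootLogin; do
    v=$(printf '%s\n' "$cfg" | sshd_first "$kw")
    if [ "$v" = no ]; then echo "PASS $kw no"
    else echo "FAIL $kw is ${v:-unset}"; fails=$((fails + 1)); fi
  done
  ports=$(printf '%s\n' "$cfg" | sshd_values Port | tr '\n' ' ')
  case " ${ports:-22 }" in            # no Port line means the default, 22
    *" 22 "*) echo "FAIL Port includes 22"; fails=$((fails + 1)) ;;
    *)        echo "PASS Port ${ports% }" ;;
  esac
  return "$fails"
}

# Constructed sample: hardening lines appended below a distro default.
sample_appended() { cat <<'EOF'
PasswordAuthentication yes
#PermitRootLogin prohibit-password
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF
}
# Constructed sample: hardened global section; the Match block is not audited.
sample_hardened() { cat <<'EOF'
Port 2222
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
}
sample_appended | audit_sshd || echo "failed checks: $?"
```

On a server, `sudo sshd -T | audit_sshd` applies the same checks to the effective configuration, which also covers files pulled in by `Include`.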
