🛡️ SSH Server Hardening Checklist

Use this simple list to quickly verify that you've implemented all the essential security measures on your Linux server.

1. Key-Based Authentication Setup

Status	Action Required	Verification Check
☐	Generate an ED25519 Key Pair on your local machine.	Private Key (`id_ed25519`) exists locally.
☐	Set a strong passphrase for your private key.	Prompted for passphrase, not password, upon login.
☐	Copy the Public Key to the server.	Public key is in `~/.ssh/authorized_keys` on the server.
☐	Test login using only the key and passphrase.	Successful login without server password.

Status	Action Required	Verification Check
☐	Set `PasswordAuthentication` to `no`.	Check `/etc/ssh/sshd_config`.
☐	Set `PermitRootLogin` to `no`.	Cannot SSH in as the `root` user directly.
☐	Change the default `Port 22` to a custom high port (e.g., `2222`).	Check `/etc/ssh/sshd_config`.
☐	Open the new custom port in your server's firewall (`ufw` or `firewalld`).	Firewall status (`ufw status` or `firewall-cmd --list-all`) shows the new port as allowed.
☐	Restart the SSH service.	`sudo systemctl status ssh` shows the service is running.

Status	Action Required	Verification Check
☐	Install Fail2ban.	Package is installed (`fail2ban`).
☐	Configure the `[sshd]` jail in `jail.local`.	`enabled = true` and `port` matches your custom port.
☐	Start and Enable the Fail2ban service.	`sudo systemctl status fail2ban` is Active (running).
☐	Verify Fail2ban is monitoring the SSH jail.	`sudo fail2ban-client status sshd` shows the jail running.

Status	Action Required	Verification Check
☐	Local Private Key Permission set correctly.	`ls -ld ~/.ssh/id_ed25519` shows permissions are `r--------` (400).
☐	Server `.ssh` Directory Permission set correctly.	`ls -ld ~/.ssh` (on server) shows permissions are `drwx------` (700).
☐	Server `authorized_keys` Permission set correctly.	`ls -l ~/.ssh/authorized_keys` (on server) shows permissions are `-rw-------` (600).

Since the checklist is for your readers to use offline or manually, they have two simple options:

Print and Mark: They can print the checklist and physically mark the boxes with a pen or pencil.
Copy and Edit: They can copy the text from your article and paste it into their own text editor (like Notepad, VS Code, etc.). There, they can manually replace the empty box (☐) with a checked box (☑) or an 'X'.

Example of Manual Editing:

Status	Action Required
☐	Set `PasswordAuthentication` to `no`.
☑	Set `PasswordAuthentication` to `no`. (Marked as complete)