Hardening SSH Access on Linux VPS Servers: Keys, Ports, Fail2ban, and Permissions
When you deploy a server, securing SSH access is one of the essential tasks. SSH is one of the most common targets for automated login attempts and brute-force attacks on internet-facing servers. In this Linux VPS SSH hardening guide, you will learn how to reduce that risk step by step with stronger authentication, safer SSH settings, stricter file permissions, and Fail2ban protection.
If you manage a Linux VPS, this checklist will help you build a more secure SSH setup without adding unnecessary complexity.
Prerequisites for Linux VPS SSH Hardening
Before you start this Linux VPS SSH Hardening guide, make sure you have an active server, such as a Linux VPS from PerLod Hosting, with SSH access already enabled.
Follow the steps below to start the Linux VPS SSH hardening checklist.
Create a Sudo User on Linux VPS
Working as the root user is dangerous. Create a standard user with administrative privileges and use it to perform the configuration securely.
To add a new user on Linux, you can run the command below:
adduser username
To grant sudo access to the new user, you can run the commands below:
usermod -aG sudo username #Debian/Ubuntu
usermod -aG wheel username #RHEL/CentOS
Once you are done, switch to the new user with the following command:
su - username
Generate and Copy SSH Keys to Linux VPS
It is highly recommended to use SSH keys instead of passwords. Key-based login requires cryptographic authentication, which removes the risk of password brute-force attacks once password logins are disabled.
To generate a key pair locally, you can run the command below:
ssh-keygen -t ed25519 -C "your_email@example.com"
Copy the public key to your Linux VPS using the command below:
ssh-copy-id username@your_server_ip
Alternatively, you can paste the contents of your local ~/.ssh/id_ed25519.pub file into the server’s ~/.ssh/authorized_keys file.
Configure SSH Directory Permissions
Setting the right permissions stops other users from reading or changing your SSH keys. You can use the commands below to configure the right SSH directory permissions for more safety.
Set SSH directory permissions with the command below:
sudo chmod 700 ~/.ssh
Secure the authorized keys file with the following command:
sudo chmod 600 ~/.ssh/authorized_keys
Also, restrict the global SSH configuration file with the command below:
sudo chmod 600 /etc/ssh/sshd_config
Secure SSH Configuration and Change SSH Port
At this point, you can update the main SSH settings to make remote access more secure. The goal is to reduce common risks by disabling unsafe login options and allowing only safer authentication methods.
Open the SSH configuration file with your desired text editor:
sudo nano /etc/ssh/sshd_config
Disable root login by changing PermitRootLogin yes to:
PermitRootLogin no
Disable password authentication by changing PasswordAuthentication yes to:
PasswordAuthentication no
Limit authentication attempts by setting:
MaxAuthTries 3
With this setting, sshd drops a connection after three failed authentication attempts.
Also, you must change the default port 22 to a non-standard port. This reduces the volume of automated background scans. Find the Port directive and change it to your custom value:
Port 2222
Once you are done, save and close the file.
After changing the SSH port, you must update your firewall with the commands below:
sudo ufw allow 2222/tcp #Ubuntu/Debian
sudo firewall-cmd --permanent --add-port=2222/tcp #RHEL/CentOS
Then, reload the firewall to apply the changes:
sudo ufw reload #Ubuntu/Debian
sudo firewall-cmd --reload #RHEL/CentOS
Install and Secure Fail2ban SSH Jail
Even with a secure SSH setup, bots will still try to attack your server. Fail2ban protects you by automatically banning IP addresses that fail to log in too many times.
Install Fail2ban with the commands below:
sudo apt install fail2ban #Debian/Ubuntu
sudo dnf install epel-release && sudo dnf install fail2ban #RHEL/CentOS
Once the installation is complete, create a local copy of the jail configuration file with the command below:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
You must update the Fail2ban jail configuration to reflect your custom SSH port and define strict IP banning rules.
Open the jail configuration file with the command below:
sudo nano /etc/fail2ban/jail.local
Enable the SSH daemon section by adding the following line under [sshd]:
enabled = true
Update the listening port by changing port = ssh to:
port = 2222
Define the ban rules by setting the following values:
maxretry = 3
findtime = 300
bantime = 3600
Once you are done, save and close the file.
Before closing your current terminal session, you must restart the services and verify that your new configuration works to avoid lockouts.
Restart the SSH service using the command below:
sudo systemctl restart sshd
Restart the Fail2ban service with the following command:
sudo systemctl restart fail2ban
Open a new local terminal and test your connection with:
ssh -p 2222 username@your_server_ip
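While the original session is still open, you can also confirm that the settings from this checklist are the ones sshd actually uses. The script below is an added example, not part of the original guide: it reads the output of sudo sshd -T (the effective configuration) and checks the four sshd values set above, plus whether the Fail2ban jail port matches a port sshd listens on. The function name audit_sshd and the sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original guide. Audits the *effective* sshd
# settings, as printed by `sudo sshd -T` (lowercase "keyword value" lines
# with defaults and Include files resolved), against this checklist.
# $1 = numeric port configured in the Fail2ban [sshd] jail.
audit_sshd() (
    jail_port=${1:?usage: audit_sshd JAIL_PORT}
    ports=""; root=""; pass=""; tries=""; fails=0
    while read -r key val; do
        case $key in
            port)                   ports="$ports $val" ;;  # may repeat
            permitrootlogin)        root=$val ;;
            passwordauthentication) pass=$val ;;
            maxauthtries)           tries=$val ;;
        esac
    done
    check() {  # $1 = description, remaining args = a test(1) expression
        desc=$1; shift
        if [ "$@" ]; then echo "PASS $desc"
        else echo "FAIL $desc"; fails=$((fails + 1)); fi
    }
    case " $ports " in *" 22 "*) on22=yes ;; *) on22=no ;; esac
    case " $ports " in *" $jail_port "*) jail_ok=yes ;; *) jail_ok=no ;; esac
    check "PermitRootLogin no (got: ${root:-unset})" "$root" = no
    check "PasswordAuthentication no (got: ${pass:-unset})" "$pass" = no
    check "MaxAuthTries <= 3 (got: ${tries:-unset})" "${tries:-99}" -le 3
    check "sshd is off port 22 (listening on:$ports)" "$on22" = no
    check "Fail2ban jail port $jail_port is an sshd port" "$jail_ok" = yes
    [ "$fails" -eq 0 ]   # exit status: 0 only if every check passed
)

# Constructed sample of `sshd -T` output (an assumption for the demo): an
# earlier PasswordAuthentication line won, and the jail is still on port 22.
SAMPLE='port 2222
permitrootlogin no
passwordauthentication yes
maxauthtries 3'
printf '%s\n' "$SAMPLE" | audit_sshd 22 || echo "Fix the FAIL lines before logging out."
# On the server: sudo sshd -T | audit_sshd 2222
```

sshd uses the first value it finds for each keyword, so a line added at the end of sshd_config has no effect if the same keyword is set earlier; auditing the sshd -T output catches that. Running sudo sshd -t before each restart catches syntax errors in sshd_config, which this audit does not.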
That’s it, you are done with the basic Linux VPS SSH hardening checklist.
For more advanced monitoring and detection, you can combine Fail2ban with OSSEC. To see a full example of this setup, check out our OSSEC and Fail2ban tutorial.
FAQs
What if I can’t connect to my server after changing the SSH port?
To avoid lockouts, always keep your first SSH window open while testing your new settings in a separate terminal. If you do make a mistake and get locked out, you can use the emergency web console from your provider to get back in and fix it.
Why is SSH key authentication better than using a strong password?
SSH passwords can be guessed or brute‑forced, but SSH keys are much harder to crack. When you disable password logins and use keys only, you block normal brute‑force attacks on your server.
Why does the server require strict file permissions for SSH keys?
SSH keys give direct access to your server, so they must stay private. If other users or apps can read your key files, they can copy them and break your security, and SSH may even refuse to use keys with loose permissions.
Conclusion
Securing SSH should be one of the first things you do on any new Linux VPS. By following this Linux VPS SSH Hardening checklist, you turned a default setup into a much stricter one with keys, safer settings, better permissions, a custom port, and Fail2ban.
These steps make brute‑force attacks much harder, while keeping your normal SSH access simple.