Code-Memo

SSH hardening

Key goals

• Reduce brute-force risk
• Prevent password credential stuffing
• Restrict who can access and what they can do

Use key-based auth

Create a key (client):

ssh-keygen -t ed25519 -C "me@host"

Install public key:

ssh-copy-id user@server

Harden sshd_config (common settings)

Edit /etc/ssh/sshd_config (or a file in /etc/ssh/sshd_config.d/):

• PermitRootLogin no
• PasswordAuthentication no (if keys are set up)
• PubkeyAuthentication yes
• AllowUsers alice bob (or AllowGroups ssh-users)
• MaxAuthTries 3
• LoginGraceTime 30

Validate + reload:

sudo sshd -t
sudo systemctl reload ssh

Reduce exposure

• Bind to internal interface only (where possible)
• Use a firewall to allow port 22 only from trusted networks
• Consider moving off port 22 only as minor noise reduction (not a real control)

Brute-force protection

Fail2Ban example (conceptual):

• Monitor auth logs
• Ban IPs after repeated failures

Related

• Intrusion detection (Fail2Ban, auditd)
• Firewall configuration