
SSH Hardening

30. 10. 2025 Updated: 27. 03. 2026 1 min read intermediate

SSH is the main entry point to servers and the most common target of automated attacks. Every server with a public IP faces thousands of SSH brute-force attempts daily. Proper hardening is the first and most important step after deploying a server — without it, it is only a matter of time before an attacker gains access.

Keys

ssh-keygen -t ed25519 -C 'admin@server'
ssh-copy-id user@server

Ed25519 keys are more secure and faster than RSA. Protect the private key with a strong passphrase and never copy it to servers. For larger organizations, consider SSH CA (Certificate Authority), which eliminates the need to distribute public keys to every server — instead, the server trusts certificates signed by the CA.

sshd Configuration

PasswordAuthentication no
PermitRootLogin no
AllowUsers admin deploy
Port 2222
MaxAuthTries 3
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com

Disabling passwords is the most effective measure — it eliminates an entire category of brute-force attacks. Changing the port from 22 to a non-standard one reduces the volume of automated scans by 99%. AllowUsers restricts login to specific users, preventing access through system accounts.
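sshd uses the first value it obtains for each keyword, so a file pulled in by an Include directive can leave a weaker value in effect than the one written in the main file. The script below is an added example, not part of the original article: it audits the effective settings, in the format printed by `sshd -T`, against the values from this section. The function names, the sample dumps and the cipher allow-list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against this page's values.
# Input on stdin is `sshd -T` style: lowercase keyword, space, value.
# Prints one line per finding; returns 1 if any check FAILs.
audit_sshd() {
    awk '
    function fail(msg) { print "FAIL: " msg; bad++ }
    # Every comma-separated item in list must be in the space-separated allow-list.
    function only(list, allowed, what,    n, i, a) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++)
            if (index(" " allowed " ", " " a[i] " ") == 0)
                fail(what " allows " a[i])
    }
    { seen[$1] = 1 }
    $1 == "passwordauthentication" && $2 != "no" { fail("password logins enabled") }
    $1 == "permitrootlogin" && $2 != "no"        { fail("root login is " $2) }
    $1 == "maxauthtries" && $2 + 0 > 3           { fail("maxauthtries is " $2) }
    $1 == "port" && $2 == "22"                   { print "WARN: default port 22" }
    $1 == "kexalgorithms" { only($2, "curve25519-sha256", "kexalgorithms") }
    # Assumed cipher allow-list: the OpenSSH AEAD ciphers named below.
    $1 == "ciphers" { only($2, "chacha20-poly1305@openssh.com aes256-gcm@openssh.com", "ciphers") }
    END {
        if (!seen["passwordauthentication"]) fail("passwordauthentication not reported")
        if (!seen["allowusers"]) fail("no allowusers restriction")
        exit (bad > 0)
    }'
}

# Constructed dump of a host where weaker values ended up in effect.
sample_weak() {
    printf "%s\n" "port 22" "permitrootlogin yes" "passwordauthentication yes" \
        "maxauthtries 6" "kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256" \
        "ciphers chacha20-poly1305@openssh.com,aes128-ctr"
}

# Constructed dump matching the configuration shown on this page.
sample_hardened() {
    printf "%s\n" "port 2222" "permitrootlogin no" "passwordauthentication no" \
        "maxauthtries 3" "allowusers admin" "allowusers deploy" \
        "kexalgorithms curve25519-sha256" \
        "ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"
}

# On a real host, as root: sshd -T | audit_sshd
sample_weak | audit_sshd || echo "weak sample rejected"
sample_hardened | audit_sshd && echo "hardened sample passes"
```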

Fail2ban

sudo apt install fail2ban
# /etc/fail2ban/jail.local
[sshd]
enabled = true
maxretry = 3
bantime = 3600

Fail2ban monitors logs and automatically blocks IP addresses after repeated failed attempts. For production servers, increase bantime to 86400 (24 hours) and set findtime to 600 seconds. Fail2ban supports email notifications and integration with firewalld or nftables.

Additional Measures

  • 2FA — Google Authenticator PAM module adds a second layer of protection
  • Port knocking — knockd requires a specific packet sequence before opening the SSH port
  • Firewall — allow SSH access only from trusted IPs and VPN
  • SSH CA — centralized access management instead of distributing keys to every server

SSH Hardening Is a Must

Minimum for every server: key authentication, disabled passwords, disabled root login, and fail2ban. These four steps eliminate most common attacks.


CORE SYSTEMS team
