5 Tips to Harden SSH Server

In this tutorial, we will look at securing an SSH server against unauthorized access. SSH is the primary way to remote into Linux VPS or cloud servers, and it is also one of the primary attack vectors used by bad guys. It’s important that we secure it as much as possible.

Your SSH Server is Being Attacked

Run the following command on your Linux server and you will see how often malicious people are trying to get SSH access to your server. To be honest, some of my SSH servers are being attacked every minute.

sudo journalctl -xe | grep sshd

It’s very common for bad guys to brute-force the root user password. Here’s a snippet of the output of the above command on my Linux server.

sshd[27389]: Failed password for invalid user root from port 42803 ssh2
sshd[27389]: Failed password for invalid user root from port 42803 ssh2
sshd[27389]: Failed password for invalid user root from port 42803 ssh2
sshd[27389]: Received disconnect from 11:  [preauth]
sshd[27389]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=root

Below are 5 tips to harden your SSH server against attacks.

Tip #1: Disable Root SSH Login

It’s a very bad idea to allow the root user to log in via SSH. It’s no secret that every Linux system has a user named root. Your server is vulnerable to brute-force attacks if root is able to log in via SSH. Instead, we can create another user that is able to log in via SSH, and disable root SSH login. Thus, the attacker has to figure out both the user name and the password.

Use useradd to create another user. Replace newuser with your preferred user name.

useradd newuser

Set a password for the user:

passwd newuser

Verify that this new user can log in via SSH and is able to use the su - command to switch to the root user. Then edit the SSH daemon configuration file.

nano /etc/ssh/sshd_config

Find the following line:

#PermitRootLogin yes

Change it to the following, which disables root SSH login:

PermitRootLogin no

Also add the following line at the end of this file. This line ensures the new user can login via SSH.

AllowUsers newuser

Save and close this file. Then restart the SSH service:

systemctl restart sshd

From here on out, only the new user can log in via SSH, and after that this user can switch to root using the su - command.

If an attacker tries to login as a user with SSH disabled (such as root), you will see the following line in your SSH log.

Failed password for invalid user root

Here invalid means the user doesn’t exist on the system or has no SSH login permission. If a user who has SSH login permission typed a wrong password, then you will see a line like:

Failed password for the-username
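To see how the two kinds of log line differ in practice, here is a small Python parser. It is an added example, not part of the original tutorial; the log lines and IP addresses in it are constructed, and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown above. The addresses are
# documentation-range placeholders, not values from the page.
SAMPLE_LOG = """\
sshd[27389]: Failed password for invalid user root from 203.0.113.7 port 42803 ssh2
sshd[27389]: Failed password for invalid user root from 203.0.113.7 port 42803 ssh2
sshd[27390]: Failed password for invalid user admin from 203.0.113.7 port 42911 ssh2
sshd[27401]: Failed password for newuser from 198.51.100.23 port 51514 ssh2
sshd[27402]: Accepted password for newuser from 198.51.100.23 port 51520 ssh2
"""

# The user name is client-supplied text, so the pattern is anchored on the
# end of the line: the address captured is always the one sshd appended.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$"
)

def summarize(log_text):
    """Return (invalid, valid) Counters keyed by (source_ip, user_name)."""
    invalid, valid = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if m:
            bucket = invalid if m.group("invalid") else valid
            bucket[(m.group("ip"), m.group("user"))] += 1
    return invalid, valid

def noisy_sources(log_text, threshold=3):
    """Source addresses with at least `threshold` failed passwords in total."""
    invalid, valid = summarize(log_text)
    per_ip = Counter()
    for (ip, _user), count in (invalid + valid).items():
        per_ip[ip] += count
    return sorted(ip for ip, count in per_ip.items() if count >= threshold)

if __name__ == "__main__":
    invalid, valid = summarize(SAMPLE_LOG)
    print("users without SSH login permission:", dict(invalid))
    print("permitted users, wrong password:", dict(valid))
    print("sources at or above threshold:", noisy_sources(SAMPLE_LOG))
```

Failures for a user who does have SSH login permission end up in the second counter, and those are the ones worth a closer look because the attacker already has the user name right.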

Tip #2: Change SSH Listening Port

By default, the SSH server listens on port 22. Although some say that crackers can use a port scanner such as nmap to figure out what port the SSH daemon listens on, changing the listening port of SSH almost eliminated all attacks against SSH on my server.

To change the SSH listening port, edit the SSH daemon configuration file.

nano /etc/ssh/sshd_config

Find this line:

Port 22

You can change the port to whatever port you like; just make sure that other programs on the server are not using the port. Typically you want to change it to a port between 1 and 1024.

Save and close the file. Then restart SSH.

systemctl restart sshd

When using SSH client, you need to specify the new port like below.

ssh [email protected] -p new-port-number

You also need to specify the new port when using ssh-copy-id and scp.

Tip #3: Scare Them Away

When a user tries to log in via SSH, we can show a warning message saying that if they are not authorized, they should go away or they will be prosecuted.

To show a warning message, edit the SSH daemon configuration file.

nano /etc/ssh/sshd_config

Find the following line:

#Banner none

Remove the pound sign (#). Then change none to a text file on your server like below.

Banner /etc/banner

In the /etc/banner file, we can add a warning message like the following. You can be creative and show your preferred message to bad guys.

This computer system is for authorized users only. 

All activities are logged and regularly checked.

Unauthorized use of the system will be prosecuted to the extent of law. 


Save the configuration file, then restart SSH service.

Tip #4: Restrict IP Addresses Using Firewall

The IP address of your home computer is most likely a dynamic IP address. Servers, on the other hand, have fixed IP addresses. On a public-facing SSH server, we can configure the iptables firewall to allow certain IP addresses to connect to the SSH server and deny all other IP addresses. Having more than one server makes it easy for you to restrict IP addresses because servers have fixed IP addresses.

Try to find some low-end Linux VPS.

As a matter of fact, I have a single-core, 128MB Linux VPS for $6 per year, a single-core 512MB Linux VPS for $10 per year. They are not meant for hosting my Web site but for other purposes like backup server or email server. They also help me to implement IP address restriction in OpenSSH server. I don’t ssh into my main Linux server directly from my desktop computer. What I do is ssh into one of my low-end Linux VPSs and then from there ssh into my main Linux server.

I recommend finding at least two low-end Linux VPSs from different hosting providers, then adding these fixed IP addresses to the allow list of the OpenSSH server in case one of your hosting providers shuts down their business.

Using iptables Firewall to restrict IP

To prevent the current SSH connection from dropping, we need to allow established sessions with the following iptables command.

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Then allow your own IP address to connect to the SSH port with the below command. Replace your-ip-address with your real IP address such as

sudo iptables -A INPUT -p tcp --dport 22 -s your-ip-address -j ACCEPT

Let me explain this command.

  • -A INPUT is used to append the above rule to the INPUT chain which deals with incoming traffic.
  • -p tcp specifies the protocol is TCP since SSH daemon listens on TCP port.
  • --dport 22 specifies the destination port is 22 which is the default SSH port. If you changed your SSH port, then you also need to adjust the port here.
  • -s your-ip-address specifies the source IP address.
  • -j ACCEPT means jump to the ACCEPT target which will allow this SSH connection.

You can add multiple firewall rules to allow multiple IP addresses.

After that’s done, reject all other IP addresses that try to connect to your SSH server. In the below command, we didn’t specify the source IP address, which means all other IP addresses will be disallowed.

sudo iptables -A INPUT -p tcp --dport 22 -j REJECT

Check iptables firewall rules with the below command.

sudo iptables -L

If later you want to add a new IP address to the allowed list, then you need to insert a new rule.

sudo iptables -I INPUT -p tcp --dport 22 -s your-ip-address -j ACCEPT

The -I option is used to insert the above firewall rule to the INPUT chain. By default, it will insert the above rule as the first rule in the INPUT chain. Note that if we append this new rule to the bottom of INPUT chain, then this rule has no effect because it comes after the “reject all other IP” rule.
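The rule-order behaviour described above can be checked with a small model of the INPUT chain. This Python code is an added example, not part of the original tutorial and not how iptables is implemented. It only models new TCP connections (the ESTABLISHED,RELATED rule is left out), it assumes the default ACCEPT policy, and the two addresses are constructed placeholders.

```python
import ipaddress

ADMIN_1 = "192.0.2.10"  # constructed stand-in for your-ip-address
ADMIN_2 = "192.0.2.20"  # constructed stand-in for an address added later

def rule(target, src=None, dport=22):
    """One INPUT rule for TCP; src=None means no -s option (any source)."""
    return {"target": target, "src": src, "dport": dport}

def verdict(chain, src, dport, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides."""
    for r in chain:
        if r["dport"] == dport and (
            r["src"] is None
            or ipaddress.ip_address(src) in ipaddress.ip_network(r["src"])
        ):
            return r["target"]
    return policy  # nothing matched: the chain's default policy applies

def shadowed(chain):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, later in enumerate(chain):
        for earlier in chain[:i]:
            covers = earlier["dport"] == later["dport"] and (
                earlier["src"] is None
                or (later["src"] is not None
                    and ipaddress.ip_network(later["src"]).subnet_of(
                        ipaddress.ip_network(earlier["src"])))
            )
            if covers:
                dead.append(i)
                break
    return dead

def base_chain():
    return [rule("ACCEPT", src=ADMIN_1),  # -A INPUT ... -s your-ip-address -j ACCEPT
            rule("REJECT")]               # -A INPUT -p tcp --dport 22 -j REJECT

def appended():   # -A puts the new ACCEPT below the REJECT rule
    return base_chain() + [rule("ACCEPT", src=ADMIN_2)]

def inserted():   # -I puts the new ACCEPT at the top of the chain
    return [rule("ACCEPT", src=ADMIN_2)] + base_chain()

if __name__ == "__main__":
    print(verdict(appended(), ADMIN_2, 22), shadowed(appended()))
    print(verdict(inserted(), ADMIN_2, 22), shadowed(inserted()))
```

With the appended rule the second address is still rejected and the rule at index 2 is reported as dead; with the inserted rule it is accepted and nothing is shadowed.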

Remember that iptables firewall rules are not persistent across reboots by default. If you accidentally lock yourself out with the iptables firewall, you just need to reboot your server in the control panel of your hosting provider to reset the iptables firewall rules.

Tip #5: Enable PrintLastLog

PrintLastLog tells you when the last login happened and from what IP address. You can see it after you ssh into your server. It looks something like this:

Last login: Thu Jun  2 04:10:08 2016 from

If you don’t recognize the IP address, then you know something is not right. To enable PrintLastLog, edit the SSH daemon configuration file.

nano /etc/ssh/sshd_config

Find this line:

#PrintLastLog yes

Remove the pound sign. Save the file and restart SSH service.
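After editing sshd_config for tips #1, #2, #3 and #5, it helps to check which values are really in effect. For each keyword sshd keeps the first value it reads, commented lines count for nothing, and a line that follows a Match block only applies to matching connections. The Python check below is an added example, not part of the original tutorial; the sample file is constructed, and the parser assumes no Include files and only looks at global settings.

```python
# Constructed sample, not a real server's file. The AllowUsers line was
# appended at the end, where it lands inside the Match block above it.
SAMPLE_CONFIG = """\
Port 22
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
Banner /etc/banner
#PrintLastLog yes
Match User backup
    X11Forwarding no
AllowUsers newuser
"""

# OpenSSH defaults used when a keyword is absent or only present as a comment.
DEFAULTS = {"permitrootlogin": "prohibit-password", "banner": "none",
            "printlastlog": "yes", "port": "22"}

def global_settings(text):
    """Global keywords, with sshd's rule that the first value read is kept."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "match":
            break  # lines below apply only to matching connections
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """List the settings from this tutorial that are not in effect globally."""
    s = {**DEFAULTS, **global_settings(text)}
    findings = []
    if s["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "allowusers" not in s:
        findings.append("no global AllowUsers")
    if s["banner"].lower() == "none":
        findings.append("no Banner file")
    if s["printlastlog"].lower() != "yes":
        findings.append("PrintLastLog is off")
    if s["port"] == "22":
        findings.append("Port is still 22")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On a live server, running sshd -T as root prints the effective configuration that sshd itself resolves.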

Comments, questions or suggestions are always welcome. If you think this post is useful, 🙂 share it with your friends on social media. This is the first part of hardening SSH server. Stay tuned for the second part.

  • Adam York

    A quick, painless way of hardening your ssh server is to install sshguard. It will monitor failed attempts to log into your ssh server and automatically add firewall rules to block offending ip addresses. Sometimes this blacklisting approach is preferable to the whitelisting approach mentioned above. Thanks.

    • When more than one person needs SSH login, blacklisting is preferable. There are other situations as well. Thanks for mentioning sshguard.