5 Effective Tips for Securing SSH Server on Ubuntu

Is your Ubuntu server's SSH access secure enough?

Securing SSH access is one of the most basic and essential steps for any Linux server, especially when it hosts critical services like websites, databases, trading servers, or GPU nodes. In this guide, we'll cover five practical and technical solutions for SSH Hardening on Ubuntu It includes actionable instructions, configuration examples, and adaptable tips for trading, gaming, AI, and web hosting scenarios.

Overview and objectives

The aim of this guide is to provide five key points that combine the principles of Confidentiality, Reduced attack range, Intrusion detection and response and increase Sustainability Covers.

• Replacing authentication with SSH key Instead of a password
• Access restriction (port, user, IP address)
• Implementing protective tools such as Fail2Ban and UFW/iptables
• Monitoring and Audit (logs, sshd -T, review tools)
• Use two-factor authentication or Bastion/Jumphost methods

1) Use strong SSH keys and disable passwords

Use of SSH keys Instead of a password, it provides resistance to brute force attacks and easier access management. New keys such as ed25519 They are especially recommended if you need to be compatible with older systems. RSA 4096 Use.

Creating a secure key on the client:

ssh-keygen -t ed25519 -a 100 -o -f ~/.ssh/id_ed25519 -C "user@host"

Or (for compatibility):

ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/id_rsa -C "user@host"

Transferring the key to the server:

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

Example of important settings in /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Upload SSH configuration:

sudo systemctl reload sshd

Example for GPU node scenario (AI)

Recommended for GPU server used by ML/AI team Access groups Create and issue a unique key for each user. Use an encrypted filesystem for the key folder and enable AppArmor (or SELinux if available) is also recommended.

2) Access Restriction: Port, Users, Addresses and AllowUsers/AllowGroups

Reduce access level or attack surface Reduces intrusion attempts. Common methods include port changes, user restrictions, and restrictions based on IP addresses.

Change default port:

Port 2222

Restrict users or groups:

AllowUsers deploy [email protected]/24
# or
AllowGroups sshusers

IP-based restriction with UFW:

sudo ufw allow from 203.0.113.5 to any port 2222 proto tcp

Disabling high-risk features:

AllowTcpForwarding no
X11Forwarding no
PermitTunnel no

Reduce time and effort for failed logins:

LoginGraceTime 30
MaxAuthTries 3
MaxSessions 2

3) Brute-force prevention and attack management: Fail2Ban, UFW and Anti-DDoS

Automated and brute force attacks are common; tools such as Fail2Ban And host-level firewalls can block malicious traffic. Also, use Anti-DDoS services to combat Layer 4 and Layer 7 attacks.

Installing and configuring Fail2Ban:

sudo apt install fail2ban
# create /etc/fail2ban/jail.d/sshd.local with:
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

Basic firewall configuration with UFW:

sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw allow 80,443/tcp
sudo ufw enable

If you need stronger protection from the network layer, use Anti-DDoS service Use our company. Our anti-DDoS servers can be combined with BGP/Anycast and CDN networks to stop malicious traffic at the network edge.

Comparing locations and the impact on security

Across the company's 85+ global locations, some data centers have network features such as edge firewalls, BGP, and hardware-based Anti-DDoS. For trading or security-sensitive servers, it's important to choose a location with Anti-DDoS support and a short network path to financial markets (e.g., London, Frankfurt, New York, Singapore, Tokyo).

4) Monitoring, Audit and Intrusion Detection

Knowing who connected to the server and what attempts failed is essential. Logs and audit tools help detect intrusions quickly.

Useful commands to check:

sshd -T
ss -tulpn | grep ssh
sudo tail -n 200 /var/log/auth.log
last -a

To analyze logs, you can use rsyslog, logwatch Or use central log services (e.g. Elasticsearch/Graylog). Other useful tools include ssh-audit and Lynis And IDS/IPS like OSSEC Or Meerkat They are.

5) Two-factor authentication, Bastion and access management (PAM, 2FA)

Adding a second layer of authentication prevents an attacker from gaining access if a key is stolen or the account is compromised. Options include using Google Authenticator (PAM), enterprise MFA services, and using Bastion/Jumphost.

Install Google Authenticator PAM:

sudo apt install libpam-google-authenticator
# then run for each user:
google-authenticator

Configuring PAM and sshd:

# add to /etc/pam.d/sshd
auth required pam_google_authenticator.so

# in /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
UsePAM yes

For organizations, using MFA services like Duo Or Okta It is also recommended to place a Bastion Host With 2FA, centralized logging, and unified IAM policies, it's the best approach for large teams.

Practical tips for managing keys and courses

Periodic key rotation, removal of inactive keys, and use of identity management (LDAP/AD/SSO) for centralized control are essential for maintaining security.

Suggested sshd_config configuration example

The following example shows the recommended settings (further adjustments may be required based on your specific needs):

Protocol 2
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
LogLevel VERBOSE
AllowUsers deploy [email protected]

Additional and practical tips for specific scenarios

Traders: Use a dedicated trading VPS with a location close to exchanges, measure response times with network tools, and keep SSH open only from specific IPs. Use Anti-DDoS and BGP networking.

Game: For VPS gaming, use a low ping location and private network. Control administrative access through Bastion.

AI and rendering: Select GPU servers in AI-specific locations, restrict SSH access with keys and 2FA, and use AllowGroups for different teams.

Web server and WordPress: Use SSH Keys for administrators, secure SFTP for content uploads, and CI/CD with SSH deploy keys.

Service and infrastructure information

Service company in more than 85 global locations Offers: Various types of VPS servers for trading and gaming, high-performance cloud servers, graphics servers (GPU), anti-DDoS servers, hosting and domain services, CDN, and BGP-supported network.

• For public services, use a location with Anti-DDoS.
• For secure access, Bastion is recommended on a private network and accessed via VPN or static IP.
• Choose GPU servers in AI-specific locations for the lowest latency.
• To protect the application layer, include CDN and WAF alongside other security measures.

Summary and Quick Implementation Checklist

10-step checklist for implementing the above:

1. Creating and using a secure SSH key (ed25519 Or RSA4096)
2. Deactivation PasswordAuthentication and PermitRootLogin
3. Change the default SSH port and restrict additional permissions
4. Installation Fail2Ban and configuration UFW/iptables
5. IP restriction and usage AllowUsers/AllowGroups
6. Enabling logging and sending logs to the central service
7. Implement 2FA or MFA for sensitive access
8. Using Bastion/Jumphost for remote access
9. Check the configuration with sshd -T and audit tools
10. Periodically check keys, remove old keys, and rotate keys

Frequently Asked Questions