Chapter 9 Security & DevOps Hardening

SSH Hardening: Keys, Ports, Fail2ban

7 min read Lesson 53 / 65 Preview

SSH is your front door — lock it

Most VPSes are compromised through SSH. Most compromises happen because of three settings most people never change.

The three settings

  1. PasswordAuthentication no — keys only, no passwords
  2. PermitRootLogin no — never log in as root
  3. AllowUsers claw — only your one non-root user can SSH in

/etc/ssh/sshd_config:

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers claw
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2

Then restart the SSH service to apply the changes:

sudo systemctl restart ssh

Why a non-default port

Moving SSH off port 22 cuts log spam by ~99%. It is not real security on its own — a determined scanner finds you anyway — but it makes your logs readable, which is what matters for spotting real attacks.

Fail2ban

sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban

Default config bans IPs after 5 failed auths for 10 minutes. With PasswordAuthentication no, the only attempts you ever see are bots probing — and they get banned.

Verify

  • New terminal: ssh -p 2222 claw@<vps> should work
  • ssh root@<vps> should be denied
  • ssh claw@<vps> (default port) should be denied

If any of those three is wrong, fix it before the next lesson.
