Every public-facing server gets port-scanned within minutes of going online. Default SSH settings are decent but not great. Here is the checklist I run through on every new VPS.
Disable password authentication
In /etc/ssh/sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
Restrict root login
PermitRootLogin prohibit-password
This allows root login with a key but not with a password, which is fine for automation. For stricter setups, set PermitRootLogin no and use sudo from an unprivileged user.
Change the default port
Port 22 is hammered continuously. Moving to 22222 or similar cuts the noise by 99 percent:
Port 22222
Remember to open the new port in your firewall before restarting sshd.
Install fail2ban
For the remaining brute-force attempts:
apt install fail2ban
In /etc/fail2ban/jail.d/sshd.conf:
[sshd]
enabled = true
port = 22222
maxretry = 3
bantime = 86400
Test after changes
Before restarting sshd with a new config, test it in a second window:
sshd -t
Keep your existing session open while testing. If something is wrong, you can still fix it.
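sshd -t checks that the config file is valid, not that the values from this checklist are the ones sshd will actually use (an Include drop-in can set a keyword before your line does). The script below is an added example, not part of the original post: it audits `sshd -T` output against the settings above. The function name audit_sshd and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit effective sshd settings.
# Feed it `sshd -T` output, which prints the values sshd will really use
# after Include files are applied (lowercase keyword, then value).

# audit_sshd [PORT]: reads `sshd -T` style text on stdin, prints OK/FAIL per
# setting, and returns the number of settings that deviate from the checklist.
audit_sshd() {
    want_port=${1:-22222}          # 22222 is the article's example port
    effective=$(cat)
    failures=0
    while read -r key allowed; do
        # Join every value for this keyword (sshd -T prints one line per Port).
        got=$(printf '%s\n' "$effective" |
            awk -v k="$key" '$1 == k { printf "%s%s", sep, $2; sep = "," }')
        # "allowed" is a |-separated list of acceptable values.
        case "|$allowed|" in
            *"|$got|"*) echo "OK   $key $got" ;;
            *) echo "FAIL $key is '${got:-unset}', want $allowed"
               failures=$((failures + 1)) ;;
        esac
    done <<EOF
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no
permitrootlogin prohibit-password|without-password|no
port $want_port
EOF
    return "$failures"
}

# Constructed sample: a drop-in re-enabled passwords and port 22 is still open.
SAMPLE='port 22
port 22222
passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication no
permitrootlogin without-password'

printf '%s\n' "$SAMPLE" | audit_sshd 22222 || echo "deviations: $?"
# On a real host (as root): sshd -T | audit_sshd 22222
```

Some OpenSSH versions print prohibit-password under its older alias without-password, so the audit accepts either, as well as the stricter no.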