Introduction

SSH is the primary gateway to your VPS. Unsecured SSH invites brute‑force attacks. This guide covers essential SSH security practices to protect your Hostxpeed VPS.

1. Disable Root Login

In /etc/ssh/sshd_config, set PermitRootLogin no and log in as a regular user with sudo rights instead.

2. Use SSH Keys Only

Generate an Ed25519 key pair with ssh-keygen -t ed25519, copy the public key to the server, confirm that key login works, then disable password authentication.

3. Change the Default Port

Set Port 50222 in sshd_config and open that port in your firewall before restarting sshd.

4. Install Fail2ban

Install it with sudo apt install fail2ban; it bans IP addresses after repeated failed logins.

5. AllowUsers Directive

Restrict SSH to specific users, optionally from specific IP ranges, for example AllowUsers youruser@192.168.1.0/24.

6. Two-Factor Authentication (2FA)

Use libpam-google-authenticator to add TOTP verification.

7. Idle Timeout

Set ClientAliveInterval 300 and ClientAliveCountMax 2 to disconnect idle sessions.

8. Disable Unused Features

Turn off TCP forwarding, X11 forwarding, and gateway ports unless needed.

9. Use a Bastion Host

If you run several VPS, route SSH through a single hardened jump host.

10. Monitor Logs

Check /var/log/auth.log for failed attempts. Use logwatch for daily summaries.

11. SSH Certificate Authority (CA)

For teams, use a CA to sign user keys and simplify revocation.

12. Harden Crypto

Restrict key exchange and ciphers to modern algorithms, for example KexAlgorithms curve25519-sha256.

13. Port Knocking

Hide SSH behind a secret sequence of connection attempts using knockd.

14. Client-Side Hardening

Configure ~/.ssh/config to control multiplexing and host key verification.

15. Regular Updates

Keep OpenSSH updated via unattended upgrades.

16. Ed25519 Keys over RSA

Ed25519 keys are smaller and more secure; migrate existing RSA keys.

17. Audit with Lynis

Run sudo lynis audit system to check SSH configuration.
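Lynis audits far more than SSH. As an added example that is not part of this guide, the following POSIX shell script checks an sshd_config file for the directives recommended above, on a constructed sample file; the expected values in RULES are taken from the guide and are assumptions to adjust for your own policy.

```shell
# Added example (not from the guide): check an sshd_config file against the
# directives this guide recommends. Expected values are taken from the guide;
# adjust RULES for your own policy.

# effective_value FILE KEY: the value sshd would use. sshd honours the first
# uncommented occurrence; we stop at the first Match block, whose settings are
# conditional. Files pulled in by Include are not followed.
effective_value() {
    awk -v key="$2" 'tolower($1) == "match" { exit }
                     tolower($1) == tolower(key) { print $2; exit }' "$1"
}

RULES='PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2'

# check_sshd_config FILE: one OK / FAIL / MISSING line per rule.
check_sshd_config() {
    printf '%s\n' "$RULES" | while read -r key want; do
        got=$(effective_value "$1" "$key")
        if [ -z "$got" ]; then echo "MISSING $key (want $want; built-in default applies)"
        elif [ "$got" = "$want" ]; then echo "OK      $key $got"
        else echo "FAIL    $key is '$got', want '$want'"
        fi
    done
}

# sshd_failures FILE: number of FAIL/MISSING findings; 0 means compliant.
sshd_failures() {
    check_sshd_config "$1" | grep -c -E '^(FAIL|MISSING)' || true
}

# Constructed sample config for the demo (not a real server's file); the
# PasswordAuthentication no inside the Match block must not count.
SAMPLE_CONFIG='Port 50222
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
Match User backup
    PasswordAuthentication no'
tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
check_sshd_config "$tmp"; echo "failures: $(sshd_failures "$tmp")"   # failures: 2
rm -f "$tmp"
```

Run it against your real file with `check_sshd_config /etc/ssh/sshd_config`; a non-zero failure count means a recommended directive is missing or set to a value other than the guide's.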

18. Isolate SSH in a Container

Run sshd inside a minimal container to limit the impact of a compromise.

19. Incident Response Plan

Prepare steps to rotate keys, rebuild VPS, and analyze logs after a breach.

20. Use Hardware Tokens

YubiKey or other FIDO2 devices provide phishing‑resistant authentication.

Conclusion

Start with disabling root login and using keys, then add fail2ban. Regularly audit your configuration.