Security · December 5, 2025 · 9 min read

SSH Hardening Guide for Ubuntu Servers in 2026

Harden SSH on Ubuntu servers with key-only authentication, fail2ban, port changes, and modern cipher configurations to prevent brute-force attacks and unauthorized access.

Introduction

SSH is the primary entry point to every Linux server. A misconfigured SSH daemon is an open invitation for brute-force attacks, credential stuffing, and unauthorized access. Hardening SSH is one of the highest-impact security measures you can take, and it costs nothing but a few minutes of configuration.

This guide covers practical SSH hardening steps for Ubuntu 22.04 and 24.04 servers. The steps follow CIS Benchmark recommendations and real-world operational experience, and each section ends with a way to check that the setting actually took effect.

Disable Password Authentication

Key-based authentication is non-negotiable for production servers. Generate a key pair if you have not already:

ssh-keygen -t ed25519 -C "deploy@company.com"
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

Confirm from a second terminal that the key login works, then disable password authentication on the server. Ubuntu's stock sshd_config already sets KbdInteractiveAuthentication no; leave that in place, otherwise PAM can still prompt for a password through keyboard-interactive authentication.

sudo sed -i -E 's/^#?PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config

One caveat specific to Ubuntu 22.04 and 24.04: the stock sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword. Any drop-in that sets PasswordAuthentication yes (cloud-init writes one as 50-cloud-init.conf on images provisioned with password login enabled) therefore silently overrides the main file. Check the effective value with sudo sshd -T | grep -i passwordauthentication; if it still says yes, remove the line from that drop-in or give your own drop-in a name that sorts before it.
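sshd -T tells you the effective value but not which file supplied it. The helper below is an added example (not part of this guide's original commands, and not an OpenSSH tool): it walks the files in the order sshd reads them on Ubuntu's stock layout (drop-ins in lexical order first, because the Include sits at the top of sshd_config, then the rest of sshd_config) and reports the first uncommented occurrence of a keyword. It assumes that layout and ignores Match blocks. The demo builds a throwaway directory that reproduces the cloud-init case; those files are constructed, not copied from a host.

```shell
# sshd_setting_origin KEYWORD [SSHDIR]: print "file:line-number:line" for the
# file that supplies the effective value of KEYWORD. Assumes Ubuntu's stock
# layout, where sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf":
# sshd reads the drop-ins in glob (lexical) order, then the remainder of
# sshd_config, and keeps the FIRST value it sees. Match blocks are ignored.
# Returns 1 when no file sets the keyword (the compiled-in default applies).
sshd_setting_origin() {
    keyword=$1
    sshdir=${2:-/etc/ssh}
    for f in "$sshdir"/sshd_config.d/*.conf "$sshdir"/sshd_config; do
        [ -f "$f" ] || continue
        # keywords are case-insensitive; commented-out lines do not count
        hit=$(grep -inE "^[[:space:]]*${keyword}([[:space:]]|=)" "$f" | head -n 1)
        if [ -n "$hit" ]; then
            printf '%s:%s\n' "$f" "$hit"
            return 0
        fi
    done
    printf '%s is not set in any file; the sshd default applies\n' "$keyword"
    return 1
}

# demo_origin: reproduce the cloud-init trap in a temporary directory with
# constructed files (hypothetical content, not taken from a real server), then
# ask which file wins for PasswordAuthentication. Prints the 50-cloud-init.conf
# line even though both sshd_config and hardening.conf say "no".
demo_origin() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\n' "$tmp" > "$tmp/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$tmp/sshd_config.d/50-cloud-init.conf"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$tmp/sshd_config.d/hardening.conf"
    sshd_setting_origin PasswordAuthentication "$tmp"
    rm -rf "$tmp"
}

demo_origin
# Real host: sshd_setting_origin PasswordAuthentication   (defaults to /etc/ssh)
```

Run it with sudo on a real host if your drop-ins are not world-readable. If the winning file is one you did not write, fix it there; appending to hardening.conf again changes nothing, because the earlier file is still read first.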

Restrict Root Login and Users

Root should never log in over SSH directly; use sudo from a named account so that actions stay attributable. AllowUsers turns every account not listed into a refused login, so include the account you are logged in with right now (here, deploy) before you apply it.

# Disable root login entirely
echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf

# Allow only specific users (tee -a appends: re-running adds duplicate lines, and the first value wins)
echo "AllowUsers deploy monitoring" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf

Modern Cipher Configuration

Restrict key exchange, cipher, MAC and host-key algorithms to modern choices. Every name below is supported by the OpenSSH builds in Ubuntu 22.04 (8.9) and 24.04 (9.6), but a misspelled or unsupported name stops sshd from starting, so list what your build knows with ssh -Q kex, ssh -Q cipher, ssh -Q mac and ssh -Q key before restarting. Old clients that only offer SHA-1 RSA signatures or CBC ciphers will be refused:

sudo tee /etc/ssh/sshd_config.d/ciphers.conf > /dev/null <<EOF
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
EOF
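Because an unknown algorithm name prevents sshd from starting, it is worth checking the file against the running build before the restart. The script below is an added example, not part of this guide's original commands: missing_algos compares a comma-separated list in sshd_config syntax against a newline-separated list of supported names, and check_algo_conf feeds each directive in a file to the matching ssh -Q query. The demo uses a constructed "supported" list so it runs anywhere; on a server, point check_algo_conf at the real file.

```shell
# missing_algos CONFIGURED SUPPORTED: CONFIGURED is a comma-separated algorithm
# list as written in sshd_config; SUPPORTED is a newline-separated list such as
# `ssh -Q kex` prints. Prints every configured name absent from SUPPORTED and
# returns 1 if there were any, 0 if all names are supported.
missing_algos() {
    configured=$1
    supported=$2
    rc=0
    for algo in $(printf '%s\n' "$configured" | tr ',' ' '); do
        if ! printf '%s\n' "$supported" | grep -qxF -- "$algo"; then
            printf '%s\n' "$algo"
            rc=1
        fi
    done
    return $rc
}

# check_algo_conf FILE: map each algorithm directive in FILE to the `ssh -Q`
# query that lists what this OpenSSH build supports, and report names it does
# not know. Run it before restarting sshd: one unknown name and sshd won't start.
check_algo_conf() {
    file=$1
    status=0
    while read -r directive list; do
        case $directive in
            KexAlgorithms)     query=kex ;;
            Ciphers)           query=cipher ;;
            MACs)              query=mac ;;
            HostKeyAlgorithms) query=key ;;
            *)                 continue ;;   # comments, blank lines, other keywords
        esac
        if ! missing=$(missing_algos "$list" "$(ssh -Q "$query")"); then
            printf '%s: not supported by this build: %s\n' \
                "$directive" "$(printf '%s' "$missing" | tr '\n' ' ')"
            status=1
        fi
    done < "$file"
    return $status
}

# Demo against a constructed "supported" list (a stand-in for `ssh -Q cipher`,
# not real output): the page's cipher line passes, a CBC cipher someone added
# does not. The check for the real file is the commented line at the end.
demo_supported='chacha20-poly1305@openssh.com
aes256-gcm@openssh.com
aes128-gcm@openssh.com
aes256-ctr'
if missing_algos 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com' "$demo_supported"; then
    echo "cipher list from the guide: all supported"
fi
if ! missing_algos 'aes256-gcm@openssh.com,aes256-cbc' "$demo_supported"; then
    echo "(a name printed above would keep sshd from starting)"
fi
# Real host: check_algo_conf /etc/ssh/sshd_config.d/ciphers.conf && sudo sshd -t
```

ssh -Q key is used for HostKeyAlgorithms because it lists the signature algorithm names (rsa-sha2-512, rsa-sha2-256) as well as key types; the other three queries map one-to-one to their directives.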

Install and Configure Fail2ban

Fail2ban monitors authentication logs and temporarily bans source addresses that keep failing. On Ubuntu 22.04 sshd's messages reach /var/log/auth.log through rsyslog; on 24.04 images installed without rsyslog that file does not exist and fail2ban refuses to start with "Have not found any log file for sshd jail". On such hosts set backend = systemd in the jail instead of a logpath so it reads the journal directly. With the values below, three failures from one address within 10 minutes earn a one-hour ban:

sudo apt install -y fail2ban

sudo tee /etc/fail2ban/jail.local > /dev/null <<EOF
[sshd]
enabled = true
# "ssh" resolves to 22; change this if you moved sshd to another port
port = ssh
filter = sshd
# On 24.04 hosts without /var/log/auth.log, replace the logpath line with: backend = systemd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
EOF

sudo systemctl enable fail2ban
sudo systemctl restart fail2ban

Confirm the jail is running and see current bans with sudo fail2ban-client status sshd.
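To see what maxretry and findtime actually do, here is an added example (not from this guide or from fail2ban) that models the sshd jail's counting with awk: a sliding findtime-second window per source address, and a ban the moment the window holds maxretry "Failed password" lines. It is a simplified model, not fail2ban's own filter (which matches more message variants), and it compares clock times within a single day. The log lines are constructed to look like Ubuntu's auth.log format, not captured from a server.

```shell
# sample_auth_log: constructed auth.log-style lines (hypothetical hosts and
# addresses). 203.0.113.7 fails three times in 8 seconds; 198.51.100.22 fails
# three times 20 minutes apart; 192.0.2.9 logs in with a key, then fails twice.
sample_auth_log() {
    cat <<'EOF'
Dec  5 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec  5 10:00:05 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Dec  5 10:00:09 web1 sshd[1205]: Failed password for deploy from 203.0.113.7 port 51251 ssh2
Dec  5 10:01:00 web1 sshd[1210]: Failed password for deploy from 198.51.100.22 port 40001 ssh2
Dec  5 10:02:17 web1 sshd[1212]: Accepted publickey for deploy from 192.0.2.9 port 33000 ssh2
Dec  5 10:21:00 web1 sshd[1230]: Failed password for deploy from 198.51.100.22 port 40002 ssh2
Dec  5 10:30:00 web1 sshd[1240]: Failed password for invalid user test from 192.0.2.9 port 33010 ssh2
Dec  5 10:30:03 web1 sshd[1241]: Failed password for invalid user test from 192.0.2.9 port 33011 ssh2
Dec  5 10:41:00 web1 sshd[1250]: Failed password for deploy from 198.51.100.22 port 40003 ssh2
EOF
}

# simulate_sshd_jail MAXRETRY FINDTIME: read log lines on stdin and print each
# source IP at the moment it would be banned, i.e. when MAXRETRY "Failed
# password" lines from it fall inside a sliding FINDTIME-second window.
# Simplified model of the jail's counting, not fail2ban's filter regexes.
simulate_sshd_jail() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            # $3 is HH:MM:SS; seconds since midnight is enough for one day of log
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            n[ip]++
            ts[ip, n[ip]] = now
            hits = 0
            for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] < findtime) hits++
            if (hits >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip
            }
        }'
}

# With the jail values from this guide (maxretry 3, findtime 600) only
# 203.0.113.7 is banned; the slow attacker never has 3 failures in one window.
sample_auth_log | simulate_sshd_jail 3 600
# Real host: sudo journalctl -t sshd -o short | simulate_sshd_jail 3 600
```

The second address is the practical lesson: findtime = 600 lets a patient attacker try one password every 10 minutes indefinitely, which is why key-only authentication, not fail2ban, is the control that actually removes the brute-force risk.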

Additional Hardening

# Drop clients that stop answering keepalives: one 300 s probe left unanswered.
# ClientAliveCountMax 0 would be wrong here: since OpenSSH 8.2 a value of 0
# disables disconnection entirely instead of enforcing it.
# Keepalives detect dead connections, not idle users; an idle interactive session
# still answers them. For a real idle limit on OpenSSH 9.2+ (Ubuntu 24.04) see
# the UnusedConnectionTimeout and ChannelTimeout directives.
echo "ClientAliveInterval 300" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf
echo "ClientAliveCountMax 1" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf

# Disable X11 forwarding
echo "X11Forwarding no" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf

# Limit authentication attempts
echo "MaxAuthTries 3" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf

# Apply changes
# Check syntax, then restart (the unit is ssh.service on Ubuntu; sshd.service is an alias)
sudo sshd -t && sudo systemctl restart ssh

sshd -t only validates syntax. Run sudo sshd -T afterwards to print the effective configuration with every drop-in resolved, and confirm that the values you expect (PasswordAuthentication no, PermitRootLogin no, and so on) actually won. Keep your current session open while you do this: existing sessions survive the restart, so if a fresh login from a second terminal fails you can still revert instead of being locked out.
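Reading sshd -T output by eye is error-prone, so here is an added example (not one of this guide's original commands) that turns the check into a script: expected_settings lists the directives this guide sets in the lower-case form sshd -T prints, and audit_sshd_effective reads sshd -T output on stdin and reports every directive whose effective value differs. It expects ClientAliveCountMax 1 rather than 0, because OpenSSH 8.2 and later treat 0 as "never disconnect", and it assumes Ubuntu's default KbdInteractiveAuthentication no. The sample dump is a constructed excerpt, not captured output, showing a host where a drop-in read before hardening.conf still allows passwords.

```shell
# expected_settings: keyword/value pairs this guide sets, as `sshd -T` prints
# them (lower-case keywords, one per line). ClientAliveCountMax must be 1, not
# 0: on OpenSSH 8.2+ a 0 disables disconnection of unresponsive clients.
expected_settings() {
    cat <<'EOF'
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin no
x11forwarding no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 1
EOF
}

# audit_sshd_effective: read `sudo sshd -T` output on stdin and print one line
# per directive whose effective value differs from expected_settings. Returns 1
# if anything differs. sshd -T resolves every Include, so this catches a
# drop-in (for example 50-cloud-init.conf) that is read before hardening.conf
# and silently overrides it.
audit_sshd_effective() {
    dump=$(cat)
    status=0
    while read -r key want; do
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            printf '%s: expected %s, effective %s\n' "$key" "$want" "${got:-(unset)}"
            status=1
        fi
    done <<EOF
$(expected_settings)
EOF
    return $status
}

# sample_sshd_dump: constructed excerpt of `sshd -T` output (not captured from
# a real host) for a server where a cloud-init drop-in still wins for
# PasswordAuthentication while everything else is hardened.
sample_sshd_dump() {
    cat <<'EOF'
port 22
addressfamily any
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin no
x11forwarding no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 1
EOF
}

if sample_sshd_dump | audit_sshd_effective; then
    echo "effective sshd configuration matches the guide"
else
    echo "fix the directives listed above, then re-run: sudo sshd -T | audit_sshd_effective"
fi
```

AllowUsers is deliberately not in the list: sshd -T prints one allowusers line per account, so check it with sudo sshd -T | grep '^allowusers' and compare against the accounts you intended.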

For a broader look at web server security, see our benchmark on Nginx vs Apache performance. Our security and compliance service provides comprehensive server auditing and hardening.

SSH hardening is a foundational security practice. Enforcing key-based authentication, restricting which accounts may log in, using strong algorithms, and deploying fail2ban closes off password brute-force and the most common paths to unauthorized access. Verify the effective configuration with sshd -T after every change, because a single mis-ordered drop-in can undo the rest.
