Security | December 5, 2025 | 9 min read

SSH Hardening Guide for Ubuntu Servers in 2026

Harden SSH on Ubuntu servers with key-only authentication, fail2ban, port changes, and modern cipher configurations to prevent brute-force attacks and unauthorized access.

Introduction

SSH is the primary entry point to almost every Linux server. A misconfigured SSH daemon is an open invitation for brute-force attacks, credential stuffing, and unauthorized access. Hardening SSH is one of the highest-impact security measures you can take, and it costs nothing but a few minutes of configuration and a careful check that you can still log in afterwards.

This guide covers practical SSH hardening steps for Ubuntu 22.04 and 24.04 servers that follow CIS benchmark recommendations and real-world operational experience.

Disable Password Authentication

Key-based authentication is non-negotiable for production servers. Generate an Ed25519 key pair if you have not already, give it a passphrase when prompted so a copied key file is not immediately usable, and install the public key on the server:

ssh-keygen -t ed25519 -C "deploy@company.com"
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

From a second terminal, confirm that key login actually works before going further (ssh -o PasswordAuthentication=no user@server); do not disable passwords on the strength of ssh-copy-id alone.

Then disable password authentication on the server. On Ubuntu 22.04 and 24.04, /etc/ssh/sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for a keyword, so a drop-in overrides the main file. Cloud images ship /etc/ssh/sshd_config.d/50-cloud-init.conf containing PasswordAuthentication yes, and editing sshd_config alone leaves that in force. Fix the main file and any drop-in, then read back the merged configuration with sshd -T:

# Uncomment-or-set in the main file (\? makes the leading # optional)
sudo sed -i 's/^#\?PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
# Override any drop-in (cloud-init's 50-cloud-init.conf) that re-enables passwords
sudo sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config.d/*.conf 2>/dev/null
# The effective values must read "no" and "yes" respectively
sudo sshd -T | grep -iE '^(password|pubkey)authentication'

Keep KbdInteractiveAuthentication no, which Ubuntu's shipped sshd_config already sets; otherwise PAM can still prompt for a password through keyboard-interactive authentication.

Restrict Root Login and Users

Ubuntu's effective default is PermitRootLogin prohibit-password, which still allows root to log in with a key. Disabling root entirely forces every login through a named account plus sudo, which gives you an audit trail. AllowUsers is an allowlist: any account not on it, including your own if you forget it, is refused, so compare the list against the account you are logged in as before restarting sshd.

# Disable root login entirely
echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf

# Allow only specific users (space-separated; user@host patterns are also accepted)
echo "AllowUsers deploy monitoring" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf

Modern Cipher Configuration

Disable weak algorithms and allow only modern ones. Every entry below is supported by the OpenSSH that Ubuntu 22.04 (8.9) and 24.04 (9.6) ship; sntrup761x25519-sha512@openssh.com is the hybrid post-quantum key exchange that has been OpenSSH's default since 9.0. Before deploying, check that your clients and automation support these lists (ssh -Q kex, ssh -Q cipher, ssh -Q mac on the client), because a client that shares no algorithm with the server is refused outright. The HostKeyAlgorithms line as written omits certificate types (ssh-ed25519-cert-v01@openssh.com and the rsa-sha2 equivalents); add them if you use an SSH certificate authority.

sudo tee /etc/ssh/sshd_config.d/ciphers.conf > /dev/null <<EOF
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
EOF

Install and Configure Fail2ban

Fail2ban watches the sshd log for failed logins and adds a firewall rule that blocks a source address once it reaches maxretry failures within findtime seconds, keeping the block for bantime seconds:

sudo apt install -y fail2ban

sudo tee /etc/fail2ban/jail.local > /dev/null <<EOF
[DEFAULT]
# Never ban loopback; add your management network here so a scripted typo cannot lock you out
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
# "ssh" resolves through /etc/services; change this if you move sshd off port 22
port = ssh
filter = sshd
logpath = /var/log/auth.log
# Minimal images without rsyslog have no auth.log; read the journal instead:
# backend = systemd
maxretry = 3
bantime = 3600
findtime = 600
EOF

sudo systemctl enable fail2ban
sudo systemctl restart fail2ban
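To see what the sshd jail is reacting to, the script below reproduces its core on a handful of constructed auth.log lines: count failed authentications per source address, skip an ignoreip-style allowlist, and report every address that reached maxretry. It is an added example, not fail2ban's own code; it matches only the "Failed password" and "Failed publickey" lines rather than the full sshd filter, and it ignores findtime. The log excerpt and the addresses in it are made up.

```bash
#!/usr/bin/env bash
# Added example (not fail2ban's code): the core of what the sshd jail does,
# counting failed authentications per source address in auth.log lines and
# reporting sources that reach maxretry, with an ignoreip-style allowlist.
# It only looks at "Failed password" / "Failed publickey" lines, not the full
# set of patterns in fail2ban's sshd filter, and it ignores findtime.
set -u

# Usage: report_bannable <maxretry> [ignored-ip ...] < auth.log
# Prints "ip count", sorted, for every address with count >= maxretry.
report_bannable() {
    local maxretry=$1
    shift
    awk -v maxretry="$maxretry" -v ignore="$*" '
        BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed (password|publickey) for / {
            # the source address is the field after "from"
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= maxretry) print ip, fails[ip] }
    ' | sort
}

# Constructed /var/log/auth.log excerpt (not from a real host). 203.0.113.7 is a
# brute-forcer trying root and a non-existent account; 192.0.2.33 is one typo.
SAMPLE_AUTH_LOG='Dec  5 10:01:02 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51514 ssh2
Dec  5 10:01:04 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51514 ssh2
Dec  5 10:01:05 web1 sshd[2305]: Invalid user admin from 203.0.113.7 port 51520
Dec  5 10:01:06 web1 sshd[2305]: Failed password for invalid user admin from 203.0.113.7 port 51520 ssh2
Dec  5 10:02:10 web1 sshd[2310]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Dec  5 10:03:11 web1 sshd[2322]: Failed password for deploy from 192.0.2.33 port 44010 ssh2'

# With this guide's maxretry = 3 only the brute-forcer is reported.
printf '%s\n' "$SAMPLE_AUTH_LOG" | report_bannable 3
```

On a live host, sudo fail2ban-client status sshd lists what the real jail has banned. If it shows nothing while a quick count like this one reports attackers, the jail is not reading the right log: check logpath, or switch to backend = systemd on images that have no /var/log/auth.log.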

Additional Hardening

# Drop dead connections: probe every 5 minutes, disconnect after 3 unanswered probes (15 minutes).
# ClientAliveCountMax 0 does NOT mean "disconnect at once": in the OpenSSH versions on 22.04 and
# 24.04 it disables termination entirely, so the common "Interval 300 / CountMax 0" recipe is a no-op.
echo "ClientAliveInterval 300" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf
echo "ClientAliveCountMax 3" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf

# Disable X11 forwarding
echo "X11Forwarding no" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf

# Limit authentication attempts. Every key the client offers counts as one attempt, so users with
# several keys loaded in ssh-agent should pin the right one with IdentitiesOnly yes in ~/.ssh/config.
echo "MaxAuthTries 3" | sudo tee -a /etc/ssh/sshd_config.d/hardening.conf

# Apply changes (the Ubuntu unit is ssh.service; sshd.service is an alias for it)
sudo sshd -t && sudo systemctl restart ssh

sshd -t only checks that the configuration parses; it will not tell you that AllowUsers omits your own account or that a drop-in overrides what you just wrote. Keep your current session open, restart, and open a second session to confirm you can still log in before closing the first. Note also that ClientAlive probes are answered automatically by the ssh client, so these settings do not log out idle interactive users; if you need that, set a readonly TMOUT in a file under /etc/profile.d.
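The settings from the sections above only matter if sshd ends up using them, and the merged result of sshd_config plus every Include drop-in is what sudo sshd -T prints. The script below is an added example, not part of the original guide: it compares that output against the values this guide sets (password and keyboard-interactive auth off, root login off, X11 off, MaxAuthTries 3, ClientAlive 300/3 and the key-exchange list from the ciphers drop-in) and prints every setting that did not take effect. The two sample outputs it ships with are constructed; the "before" one models a cloud image where only sshd_config was edited and 50-cloud-init.conf still wins.

```bash
#!/usr/bin/env bash
# Added example (not part of the original guide): compare the effective sshd
# configuration, as printed by `sshd -T` after all Include drop-ins are merged,
# against the values this guide sets. Catches the case where a later drop-in
# (e.g. 50-cloud-init.conf) silently overrides what you wrote.
set -u

# Expected effective values, in the lowercase form `sshd -T` prints. The
# kexalgorithms list is the one from this guide's ciphers.conf.
EXPECTED_SETTINGS='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin no
x11forwarding no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 3
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org'

# Read `sshd -T` output from stdin, print one MISMATCH line per setting that
# differs from EXPECTED_SETTINGS, and return 1 if there was any mismatch.
check_sshd_effective() {
    local effective rc=0 keyword want got
    effective=$(cat)
    while read -r keyword want; do
        [ -z "$keyword" ] && continue
        # sshd -T prints "keyword value"; the value may be a comma-separated list
        got=$(printf '%s\n' "$effective" | awk -v k="$keyword" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$keyword" "$want" "${got:-<unset>}"
            rc=1
        fi
    done <<EOF
$EXPECTED_SETTINGS
EOF
    return "$rc"
}

# Constructed `sshd -T` excerpts (not captured from a real host). BEFORE models an
# Ubuntu cloud image where only /etc/ssh/sshd_config was edited: the cloud-init
# drop-in still forces passwords on and this guide's drop-ins are absent.
SAMPLE_BEFORE='port 22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin prohibit-password
x11forwarding yes
maxauthtries 6
clientaliveinterval 0
clientalivecountmax 3
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'

SAMPLE_AFTER='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin no
x11forwarding no
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 3
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org'

# Demo on the constructed samples. On a real host: sudo sshd -T | check_sshd_effective
printf '%s\n' "$SAMPLE_BEFORE" | check_sshd_effective || echo "BEFORE: hardening is not fully in effect"
printf '%s\n' "$SAMPLE_AFTER" | check_sshd_effective && echo "AFTER: every expected setting is in effect"
```

Run it as sudo sshd -T | check_sshd_effective after every restart; a non-zero exit with MISMATCH lines means a drop-in, a typo, or an unsupported keyword is overriding your intent. If you use an SSH certificate authority or a different algorithm list, edit EXPECTED_SETTINGS to match what you actually deployed.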

For a broader look at web server security, see our benchmark on Nginx vs Apache performance. Our security and compliance service provides comprehensive server auditing and hardening.

SSH hardening is a foundational security practice. By enforcing key-based authentication, restricting user access, using strong ciphers, and deploying fail2ban, you eliminate the vast majority of SSH-based attack vectors.
