Prerequisites:
  • Linux server with root/sudo access
  • SSH access to your server
  • Windows machine with command prompt access (for SSH key generation)
Securing SSH access is critical for protecting your Linux server from unauthorized access. This guide covers creating a personal user, setting up SSH keys, and hardening your SSH configuration.

Creating a Personal User

Before disabling root login, create a personal user account with sudo privileges.
1. Create a new user

Create a new user account (replace username with your desired username):
sudo adduser username
You’ll be prompted to set a password and provide optional user information.
2. Add user to sudo group

Grant sudo privileges to the new user:
sudo usermod -aG sudo username
This allows the user to execute commands with administrative privileges.
3. Verify user creation

Switch to the new user and verify sudo access:
su - username
sudo whoami
If successful, sudo whoami should return root.

Setting Up SSH Keys

SSH keys provide a more secure authentication method than passwords. We’ll generate keys on Windows and transfer them to your server.

Generating SSH Keys on Windows

1. Open Command Prompt

Open Command Prompt (cmd) or PowerShell on your Windows machine.
2. Generate SSH key pair

Generate a 4096-bit RSA key pair (state the key type explicitly: newer OpenSSH releases default to ed25519 and ignore -b otherwise):
ssh-keygen -t rsa -b 4096
You’ll be prompted to:
  • Choose a file location (press Enter for default: %USERPROFILE%\.ssh\id_rsa)
  • Set a passphrase (optional but recommended for extra security)
3. Verify key generation

Your keys are now located at:
  • Private key: %USERPROFILE%\.ssh\id_rsa (keep this secret!)
  • Public key: %USERPROFILE%\.ssh\id_rsa.pub (this is what you’ll upload)

Uploading SSH Key to Server

1. Create .ssh directory on server

SSH into your server and create the .ssh directory for your user:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
The chmod 700 ensures only you can read, write, and execute in this directory.
2. Upload public key via SCP

From your Windows machine, use SCP to upload your public key:
scp %USERPROFILE%\.ssh\id_rsa.pub root@SERVER_IP:~/.ssh/authorized_keys
Replace SERVER_IP with your server’s IP address or hostname.
At this point you are still connecting as root, so the key lands in root’s ~/.ssh/authorized_keys. Once SSH is secured, you’ll use your personal user account instead.
3. Set correct permissions

On the server, set the correct permissions for the authorized_keys file:
chmod 600 ~/.ssh/authorized_keys
This ensures only you can read and write the file.
4. Test SSH key authentication

From your Windows machine, test the connection:
ssh root@SERVER_IP
You should be able to connect without entering a password (unless you set a passphrase on your key).

Adding SSH Key for Personal User

Your personal user needs the key as well: once root login and password authentication are disabled below, it will be the only way in.
1. Create .ssh directory for user

sudo mkdir -p /home/username/.ssh
sudo chmod 700 /home/username/.ssh
sudo chown username:username /home/username/.ssh
Without the chown, the directory stays owned by root and the user cannot manage their own keys.
2. Copy authorized_keys

sudo cp ~/.ssh/authorized_keys /home/username/.ssh/
sudo chown username:username /home/username/.ssh/authorized_keys
sudo chmod 600 /home/username/.ssh/authorized_keys

Securing SSH Configuration

Now we’ll harden your SSH configuration to prevent common attacks.
Critical: Before making these changes, ensure you have:
  1. Created a personal user with sudo access
  2. Successfully tested SSH key authentication
  3. A backup SSH session open (in case you get locked out)
1. Backup SSH configuration

Create a backup of your SSH configuration:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
2. Edit SSH configuration

Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
3. Change SSH port

Find the line #Port 22 and change it to a random high port (between 1024 and 65535):
Port 23456
Choose a random port number. Common high ports to avoid: 2222, 22222. Pick something random like 23456, 45678, or 54321. If UFW is enabled, allow the new port before you restart SSH (see the Troubleshooting section below), or the restart will lock you out.
4. Set AddressFamily to inet

Find the line #AddressFamily any and change it to:
AddressFamily inet
This restricts SSH to IPv4 only, which is more secure and prevents IPv6-related issues.
5. Disable root login

Find the line #PermitRootLogin yes and change it to:
PermitRootLogin no
This prevents anyone from logging in as root, even with a valid key.
6. Disable password authentication

Find the line #PasswordAuthentication yes and change it to:
PasswordAuthentication no
This forces all users to authenticate with SSH keys, so password brute-force attacks can no longer succeed.
7. Save and exit

Save the file (Ctrl+O, Enter, Ctrl+X in nano).
8. Test configuration

Before restarting SSH, test the configuration for syntax errors:
sudo sshd -t
If there are no errors, you’ll see no output.
9. Restart SSH service

Restart the SSH service to apply the changes. Keep this session open and confirm that a new connection on the new port works before you close it:
sudo systemctl restart sshd
# or on some systems
sudo systemctl restart ssh
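As an added example (not code from the original guide), the nine steps above as a script: it backs up sshd_config, rewrites each directive in place whether it is currently commented out or not, opens the UFW port, and runs sshd -t, restoring the backup if the test fails. The function names set_sshd_option, get_sshd_option, harden_sshd_config and apply_sshd_hardening are mine; it assumes GNU sed and awk and the /etc/ssh/sshd_config path used above.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the sshd_config edits from
# the steps above as a script with backup, syntax test and rollback. Assumes
# GNU sed/awk, the /etc/ssh/sshd_config path used above, and UFW if present.
set -eu

# Set KEY to VALUE in CONFIG: rewrite an existing "Key ..." or "#Key ..." line
# (keywords are case-insensitive), or append the directive if it is absent.
set_sshd_option() {
    local config="$1" key="$2" value="$3"
    if grep -Eiq "^#?${key}([[:space:]]|\$)" "$config"; then
        sed -Ei "s|^#?${key}([[:space:]].*)?\$|${key} ${value}|I" "$config"
    else
        printf '%s %s\n' "$key" "$value" >> "$config"
    fi
}

# Print the active value of KEY in CONFIG (first match wins, as in sshd).
get_sshd_option() {
    awk -v k="$2" 'tolower($1)==tolower(k){print $2; exit}' "$1"
}

# Apply the guide's directives to CONFIG with PORT as the new SSH port.
harden_sshd_config() {
    local config="$1" port="$2"
    set_sshd_option "$config" Port "$port"
    set_sshd_option "$config" AddressFamily inet
    set_sshd_option "$config" PermitRootLogin no
    set_sshd_option "$config" PasswordAuthentication no
    set_sshd_option "$config" PubkeyAuthentication yes
    set_sshd_option "$config" MaxAuthTries 3
}

# Live run: back up, edit, open the firewall port, then `sshd -t`; on a
# syntax error the backup is restored so a bad file never reaches a restart.
apply_sshd_hardening() {
    local port="$1" config=/etc/ssh/sshd_config
    cp "$config" "$config.backup"
    harden_sshd_config "$config" "$port"
    if ! sshd -t; then
        cp "$config.backup" "$config"
        echo "sshd -t failed; backup restored, nothing restarted" >&2
        return 1
    fi
    if command -v ufw >/dev/null; then ufw allow "${port}/tcp"; fi
    echo "Config OK. Keep this session open; restart sshd from another one." >&2
}
# Usage: sudo sh harden-ssh.sh --apply 23456
if [ "${1:-}" = "--apply" ]; then apply_sshd_hardening "${2:?new port required}"; fi
```

Running it twice is safe: a directive that is already set is rewritten to the same value, not duplicated.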

Connecting After Configuration Changes

After securing SSH, you’ll need to connect differently:
1. Connect with new port

From your Windows machine, connect using the new port:
ssh -p 23456 username@SERVER_IP
Replace 23456 with your chosen port and username with your personal user.
2. Update SSH config (optional)

Create or edit %USERPROFILE%\.ssh\config on Windows to simplify connections:
Host myserver
    HostName SERVER_IP
    Port 23456
    User username
    IdentityFile ~/.ssh/id_rsa
Then you can simply connect with:
ssh myserver

Complete SSH Configuration Example

Here’s a complete hardened SSH configuration (/etc/ssh/sshd_config) with recommended settings:
# Port configuration
Port 23456
AddressFamily inet

# Authentication
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Security settings
# Modern OpenSSH (7.4 and later) only speaks protocol 2 and warns that this
# keyword is deprecated; it can be omitted there.
Protocol 2
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2

# Logging
SyslogFacility AUTH
LogLevel INFO

Verifying Security Settings

Check that your SSH configuration is secure:
# Check SSH service status
sudo systemctl status sshd

# View the effective SSH configuration (this includes any Include'd drop-in files)
sudo sshd -T | grep -Ei "^(port|permitrootlogin|passwordauthentication|addressfamily) "

# Check which port sshd is listening on (ss replaces the deprecated netstat)
sudo ss -tlnp | grep sshd
# or, where netstat is still installed
sudo netstat -tulpn | grep sshd

Troubleshooting

If you’re locked out and can’t get back in over SSH:
  1. Use your hosting provider’s console/KVM access
  2. Boot into recovery mode if available
  3. Mount the filesystem and edit /etc/ssh/sshd_config
  4. Change PermitRootLogin no to PermitRootLogin yes temporarily
  5. Restart SSH and fix your user account
If you can’t connect on the new port, make sure:
  1. The new port is allowed in UFW: sudo ufw allow 23456/tcp
  2. Your firewall isn’t blocking the port
  3. You’re using the correct port: ssh -p 23456 username@SERVER_IP
  4. SSH service is running: sudo systemctl status sshd
If key authentication fails, verify:
  1. Public key is in ~/.ssh/authorized_keys
  2. Permissions are correct:
    • ~/.ssh should be 700
    • ~/.ssh/authorized_keys should be 600
  3. Private key matches public key on server
  4. SELinux isn’t blocking (if enabled): sudo restorecon -R ~/.ssh
Fix file ownership and permissions (run these as the user, so ~ expands to that user’s home):
sudo chown -R username:username ~/.ssh
sudo chmod 700 ~/.ssh
sudo chmod 600 ~/.ssh/authorized_keys
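As an added example (not part of the original guide), a script that serves both the Verifying Security Settings section above and the permission checks just listed: it compares the effective values that sshd -T reports against the settings this guide sets, and checks the ~/.ssh and authorized_keys modes. The function names check_effective_config and check_key_perms are mine; it assumes Linux with GNU stat and the port 23456 used throughout the guide.

```shell
#!/bin/sh
# Added example, not from the original guide: compare the effective settings
# that `sshd -T` reports with what this guide expects, and check the
# authorized_keys permissions. Assumes Linux (GNU stat) and port 23456.
set -eu

# DUMP is a file holding `sshd -T` output (keywords are printed in lowercase).
# Prints each mismatch and returns the mismatch count (0 = all in effect).
check_effective_config() {
    local dump="$1" fails=0 pair key want got
    for pair in port=23456 addressfamily=inet permitrootlogin=no \
                passwordauthentication=no pubkeyauthentication=yes maxauthtries=3; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(awk -v k="$key" '$1==k{print $2; exit}' "$dump")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: expected %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Returns 0 when DIR is mode 700 and DIR/authorized_keys is mode 600.
check_key_perms() {
    local dir="$1" bad=0
    [ "$(stat -c %a "$dir")" = "700" ] || { echo "$dir is not 700"; bad=1; }
    [ "$(stat -c %a "$dir/authorized_keys")" = "600" ] \
        || { echo "$dir/authorized_keys is not 600"; bad=1; }
    return "$bad"
}

# Usage: sudo sh check-ssh.sh --live   (dumps the running config and checks it)
if [ "${1:-}" = "--live" ]; then
    dump=$(mktemp); sshd -T > "$dump"
    check_effective_config "$dump" && echo "sshd settings OK"
    check_key_perms "$HOME/.ssh" && echo "key permissions OK"
    rm -f "$dump"
fi
```

On Ubuntu, /etc/ssh/sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own directives, so a drop-in such as a cloud-init file can keep PasswordAuthentication yes in effect after you edited the main file; sshd -T shows what actually applies.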

Security Checklist

✓ User Management

  • Created personal user with sudo access
  • Root login disabled

✓ SSH Keys

  • Generated 4096-bit SSH key pair
  • Public key uploaded to server
  • Password authentication disabled

✓ SSH Configuration

  • Changed to random high port
  • AddressFamily set to inet
  • Root login disabled

✓ Firewall

  • UFW configured with new SSH port
  • Only necessary ports open
Best Practice: Always keep a backup SSH session open when making SSH configuration changes. This prevents you from being locked out if something goes wrong.