← Catalog Matrix

Deployment Execution Blueprint

---
title: How to Secure SSH Access on Ubuntu and Debian Servers
description: A step-by-step security configuration guide to harden OpenSSH, disable password authentication, and change the default SSH port.
category: Server Config
slug: secure-ssh-server-hardening
keywords: secure ssh ubuntu, disable ssh password auth, change ssh port linux, openssh hardening boilerplate, secure server access
---

### Overview & Problem Matrix
Leaving your production Linux server's Secure Shell (SSH) access parameters mapped to stock, out-of-the-box system configurations transforms your node into an immediate target for aggressive global botnets. 

Millions of automated malicious scripts scan public IPv4 and IPv6 subnets constantly, attempting relentless dictionary brute-force attacks against your root user access credentials on the default port 22. If a bot successfully guesses a credential or exploits a weak configuration, your entire database infrastructure, deployment code assets, and application keys can be dropped, modified, or held for ransom.

### Implementation Guide & Setup Steps
To isolate your server nodes from automated network sweeps and restrict entry pathways exclusively to verified cryptographic key signatures, execute these steps:

1. Copy Your Local Public Keys to the Server: Before altering any server-side configurations, confirm that your local development machine's public SSH key is explicitly whitelisted on the host. Run this command from your local machine's terminal interface:
   $ ssh-copy-id -p 22 -i ~/.ssh/id_rsa.pub user@yourserver.com

2. Backup Your Active Configuration: Connect to your server shell and clone a baseline copy of your working environment parameters to guarantee a safe rollback pathway if formatting goes wrong:
   $ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

3. Inject the Hardened Settings: Access the primary configuration document using absolute editing clearance and match your variables to the optimized parameters block below:
   $ sudo nano /etc/ssh/sshd_config

4. Perform an SSH Syntax Validation Audit: Run the internal daemon compiler check to verify there are no formatting bugs, broken declarations, or duplicate property assignments:
   $ sudo sshd -t
   
   # Note: If this command returns zero console output text, your formatting rules are completely valid.

5. Cycle Your Security Service Layer: Reload your system services to activate your hardened parameters instantly without severing your current shell session:
   $ sudo systemctl restart ssh

6. Confirm Setup and Test Connection: CRITICAL SECURITY SAFEGUARD: Do not close your active server configuration terminal window. Open an entirely separate command tab window on your local machine and verify entry using the new port and key parameters:
   $ ssh -p 2222 user@yourserver.com

# Backup existing config before making updates: cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Path: /etc/ssh/sshd_config

# 1. Change to a non-standard port to stop automated background brute-force scans instantly
Port 2222

# 2. Restrict server root administration access exclusively to verified keys, disabling cleartext passwords
PermitRootLogin prohibit-password

# 3. Restrict authorization strictly to cryptographic SSH key signatures
PubkeyAuthentication yes

# 4. Completely disable password authentication attempts across all connections
PasswordAuthentication no
PermitEmptyPasswords no

# 5. Prevent keyboard-interactive password prompt fallbacks to block legacy spambots
KbdInteractiveAuthentication no

# 6. Set tight connection timeout constraints to drop stale idle sessions automatically
ClientAliveInterval 300
ClientAliveCountMax 2

# 7. Explicitly limit who is allowed to authenticate (Optional - uncomment to enforce)
# AllowUsers developer_admin system_deployer