All server-side SSH settings are controlled through the /etc/ssh/sshd_config file. After making any changes, restart the SSH service to apply them.
Back up sshd_config before making changes: sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Disable Password Authentication

If you have configured SSH keys, disable password authentication to improve security. SSH key-based auth is significantly harder to brute-force.
1. Open sshd_config

sudo nano /etc/ssh/sshd_config

2. Disable password authentication

Find PasswordAuthentication and set it to no:
PasswordAuthentication no

3. Restart SSH

sudo service ssh restart

Change the SSH Daemon Port

By default, SSH listens on port 22. Changing this to a non-standard port reduces exposure to automated scanning and brute-force attempts.
1. Open sshd_config

sudo nano /etc/ssh/sshd_config

2. Set a custom port

Find the Port line and update it:
#Port 22
Port 1234

3. Restart SSH

sudo service ssh restart
After changing the port, connect using ssh -p 1234 username@host or update your host configuration file.

Limit Which Users Can Log In

Restrict SSH access to specific users or groups to reduce the attack surface.
1. Open sshd_config

sudo nano /etc/ssh/sshd_config

2. Add AllowUsers or AllowGroups

If these directives don’t exist, add them anywhere in the file:
AllowUsers user1 user2 user3
AllowGroups groupname

3. Restart SSH

sudo service ssh restart

Disable Root Login

Allowing direct root login over SSH is a significant security risk. It is best practice to disable it and use a regular user with sudo instead.
1. Open sshd_config

sudo nano /etc/ssh/sshd_config

2. Disable root login

Find PermitRootLogin and set it to no:
PermitRootLogin no

3. Restart SSH

sudo service ssh restart
Make sure you have at least one non-root user with SSH access and sudo privileges before disabling root login, otherwise you may lock yourself out of the server.
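
An added example, not part of the original guide: a shell check of what a given sshd_config actually yields for the settings changed above. It relies on sshd using the first value it reads for a keyword, so an edit placed below an earlier conflicting line has no effect, and on lines after a Match line applying only to that match. The function names and the sample file are constructed for illustration.

```shell
# Added example (not from the original page). Assumptions: one config file,
# "Keyword value" syntax, Include'd drop-in files are not followed.

# Print the value sshd uses for a global keyword: it takes the first value it
# reads (a few keywords, such as Port, may repeat), and Match ends the globals.
effective_value() {  # $1 = config file, $2 = keyword (case-insensitive)
  awk -v key="$2" '
    BEGIN { key = tolower(key) }
    /^[ \t]*(#|$)/ { next }              # comments and blank lines
    tolower($1) == "match" { exit }      # end of the global section
    tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# Print a finding and fail unless the keyword's effective value is the wanted one.
expect() {  # $1 = config file, $2 = keyword, $3 = wanted value
  got=$(effective_value "$1" "$2" | tr 'A-Z' 'a-z')
  [ "$got" = "$3" ] && return 0
  echo "FINDING: effective $2 is '${got:-unset}', expected '$3'"
  return 1
}

# Check the settings this page changes; the exit status is the number of findings.
audit() {  # $1 = config file
  n=0
  expect "$1" PasswordAuthentication no || n=$((n + 1))
  expect "$1" PermitRootLogin no || n=$((n + 1))
  if [ -z "$(effective_value "$1" AllowUsers)$(effective_value "$1" AllowGroups)" ]; then
    echo "FINDING: neither AllowUsers nor AllowGroups is set"
    n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample: the edit was appended below an earlier, conflicting line.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
PasswordAuthentication yes
#Port 22
Port 1234
PermitRootLogin no
AllowUsers user1 user2
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
audit "$SAMPLE" || echo "$? finding(s)"
```

On a live host, `sudo sshd -t` checks the file for syntax errors before you restart, and `sudo sshd -T` prints the effective configuration, including any Include'd files.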
