{"id":1998,"date":"2026-06-07T07:57:05","date_gmt":"2026-06-07T07:57:05","guid":{"rendered":"https:\/\/ukspeed.co.uk\/blog\/?p=1998"},"modified":"2026-06-14T07:34:02","modified_gmt":"2026-06-14T07:34:02","slug":"how-to-harden-ssh-on-a-linux-vps-10-security-steps-beyond-just-changing-the-default-port","status":"publish","type":"post","link":"https:\/\/ukspeed.co.uk\/blog\/how-to-harden-ssh-on-a-linux-vps-10-security-steps-beyond-just-changing-the-default-port\/","title":{"rendered":"How to Harden SSH on a Linux VPS: 10 Security Steps Beyond Just Changing the Default Port"},"content":{"rendered":"\n<p>Secure Shell (SSH) remains the primary method for managing Linux servers in 2026. Whether you&#8217;re running a WordPress website, <a href=\"https:\/\/ukspeed.co.uk\/blog\/vps-hosting-guide-benefits\/\">VPS<\/a> hosting platform, database server, development environment, or enterprise application, SSH provides administrators with powerful remote access capabilities. However, SSH is also one of the most frequently targeted services on the internet. Automated bots continuously scan public IP addresses searching for vulnerable SSH servers, weak passwords, outdated configurations, and exposed root accounts. Many administrators believe changing SSH from port 22 to another port is sufficient protection. While changing the default port may reduce some automated noise, it does not truly secure your server.<\/p>\n\n\n\n<p>Real SSH security requires a layered approach. In this guide, we&#8217;ll explore 10 essential SSH hardening techniques that significantly improve Linux VPS security beyond simply changing the default port.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why SSH Security Matters<\/h2>\n\n\n\n<p>Every public-facing Linux VPS is constantly being scanned. 
Within minutes of deploying a new server, you may observe:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Brute-force login attempts<\/li>\n\n\n\n<li>Credential stuffing attacks<\/li>\n\n\n\n<li>Automated vulnerability scans<\/li>\n\n\n\n<li>Botnet reconnaissance<\/li>\n\n\n\n<li>Exploit attempts<\/li>\n<\/ul>\n\n\n\n<p>If attackers gain SSH access, they can potentially:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Steal data<\/li>\n\n\n\n<li>Install malware<\/li>\n\n\n\n<li>Deploy ransomware<\/li>\n\n\n\n<li>Launch attacks against others<\/li>\n\n\n\n<li>Delete websites<\/li>\n\n\n\n<li>Access customer information<\/li>\n<\/ul>\n\n\n\n<p>SSH security should therefore be considered one of the highest priorities for any server administrator.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Understanding the Threat Landscape in 2026<\/h2>\n\n\n\n<p>Modern attackers rarely target servers manually. Instead, they rely on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automated botnets<\/li>\n\n\n\n<li>AI-assisted attack tools<\/li>\n\n\n\n<li>Credential databases<\/li>\n\n\n\n<li>Mass scanning platforms<\/li>\n<\/ul>\n\n\n\n<p>A poorly secured VPS may receive thousands of login attempts per day. The goal of SSH hardening is to reduce the attack surface and eliminate common attack vectors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 1: Change the Default SSH Port<\/h2>\n\n\n\n<p>Although this should not be your only security measure, changing the default port remains useful. 
Default SSH:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Port 22\n<\/code><\/pre>\n\n\n\n<p>Example custom port:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Port 22022\n<\/code><\/pre>\n\n\n\n<p>Configuration file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/etc\/ssh\/sshd_config\n<\/code><\/pre>\n\n\n\n<p>Benefits include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduced automated scanning<\/li>\n\n\n\n<li>Lower log noise<\/li>\n\n\n\n<li>Fewer brute-force attempts<\/li>\n<\/ul>\n\n\n\n<p>However, attackers can still discover open ports through port scanning. This should be viewed as a minor security improvement rather than a complete solution.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 2: Disable Root Login<\/h2>\n\n\n\n<p>Allowing direct root access is one of the most common SSH security mistakes. Instead of:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PermitRootLogin yes\n<\/code><\/pre>\n\n\n\n<p>Use:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PermitRootLogin no\n<\/code><\/pre>\n\n\n\n<p>This forces attackers to compromise a normal user account before attempting privilege escalation. Benefits:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Smaller attack surface<\/li>\n\n\n\n<li>Improved auditing<\/li>\n\n\n\n<li>Better access control<\/li>\n<\/ul>\n\n\n\n<p>Create an administrative user and use sudo when elevated privileges are required.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 3: Disable Password Authentication<\/h2>\n\n\n\n<p>Passwords remain one of the weakest forms of authentication. Even strong passwords can be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Phished<\/li>\n\n\n\n<li>Leaked<\/li>\n\n\n\n<li>Reused<\/li>\n\n\n\n<li>Brute-forced<\/li>\n<\/ul>\n\n\n\n<p>Instead, use SSH key authentication. 
Disable passwords:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PasswordAuthentication no\n<\/code><\/pre>\n\n\n\n<p>Enable keys:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PubkeyAuthentication yes\n<\/code><\/pre>\n\n\n\n<p>This single change dramatically improves SSH security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 4: Use Strong SSH Keys<\/h2>\n\n\n\n<p>Not all SSH keys provide the same level of security. Modern recommendations include:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Ed25519<\/h3>\n\n\n\n<p>Generate:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh-keygen -t ed25519\n<\/code><\/pre>\n\n\n\n<p>Benefits:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Smaller key size<\/li>\n\n\n\n<li>Faster operations<\/li>\n\n\n\n<li>Strong cryptographic security<\/li>\n<\/ul>\n\n\n\n<p>Avoid outdated key types whenever possible. Modern VPS deployments should prioritize Ed25519 keys.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 5: Restrict Login Users<\/h2>\n\n\n\n<p>Most servers only require SSH access for a small number of users. Instead of allowing every account to log in, list the permitted users explicitly:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>AllowUsers admin\n<\/code><\/pre>\n\n\n\n<p>Or:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>AllowUsers admin deploy backup\n<\/code><\/pre>\n\n\n\n<p>Benefits:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduced attack surface<\/li>\n\n\n\n<li>Easier auditing<\/li>\n\n\n\n<li>Better access control<\/li>\n<\/ul>\n\n\n\n<p>Accounts that are not on the list are refused SSH logins.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 6: Enable Fail2Ban Protection<\/h2>\n\n\n\n<p>Fail2Ban remains one of the most effective tools for blocking brute-force attacks. 
It monitors:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authentication failures<\/li>\n\n\n\n<li>SSH logs<\/li>\n\n\n\n<li>Suspicious activity<\/li>\n<\/ul>\n\n\n\n<p>When thresholds are exceeded:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IP addresses are automatically blocked<\/li>\n\n\n\n<li>Temporary bans are applied<\/li>\n\n\n\n<li>Attack traffic is reduced<\/li>\n<\/ul>\n\n\n\n<p>Installation:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install fail2ban -y\n<\/code><\/pre>\n\n\n\n<p>Benefits:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automatic protection<\/li>\n\n\n\n<li>Reduced brute-force attempts<\/li>\n\n\n\n<li>Lower server load<\/li>\n<\/ul>\n\n\n\n<p>Fail2Ban should be considered mandatory for public-facing VPS servers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 7: Limit Authentication Attempts<\/h2>\n\n\n\n<p>By default, SSH may allow multiple login attempts. Reduce this value:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>MaxAuthTries 3\n<\/code><\/pre>\n\n\n\n<p>Benefits:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Faster attacker lockouts<\/li>\n\n\n\n<li>Reduced brute-force effectiveness<\/li>\n\n\n\n<li>Improved security posture<\/li>\n<\/ul>\n\n\n\n<p>Modern SSH configurations should avoid excessive authentication attempts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 8: Disable Unnecessary SSH Features<\/h2>\n\n\n\n<p>Many servers do not require all SSH capabilities. 
Disable unused features.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Disable X11 Forwarding<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>X11Forwarding no\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Disable Agent Forwarding<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>AllowAgentForwarding no\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Disable TCP Forwarding<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>AllowTcpForwarding no\n<\/code><\/pre>\n\n\n\n<p>Benefits:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduced attack surface<\/li>\n\n\n\n<li>Fewer exploitation opportunities<\/li>\n\n\n\n<li>Simpler security management<\/li>\n<\/ul>\n\n\n\n<p>Only enable features that are genuinely required.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 9: Implement Firewall Restrictions<\/h2>\n\n\n\n<p>A <a href=\"https:\/\/ukspeed.co.uk\/blog\/ddos-protection-keep-website-online\/\">firewall<\/a> provides another layer of protection. Examples:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">UFW<\/h3>\n\n\n\n<p>Allow only trusted IP addresses:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ufw allow from YOUR-IP to any port 22022\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Restrict by Country or Network<\/h3>\n\n\n\n<p>Some organizations limit SSH access to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Office locations<\/li>\n\n\n\n<li>VPN networks<\/li>\n\n\n\n<li>Management IP ranges<\/li>\n<\/ul>\n\n\n\n<p>Benefits:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dramatically reduced exposure<\/li>\n\n\n\n<li>Protection from global scanning activity<\/li>\n<\/ul>\n\n\n\n<p>The most secure SSH service is one that most attackers cannot reach.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 10: Enable Two-Factor Authentication (2FA)<\/h2>\n\n\n\n<p>Two-factor authentication adds another security layer. 
Even if an attacker obtains:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSH keys<\/li>\n\n\n\n<li>Credentials<\/li>\n\n\n\n<li>Access tokens<\/li>\n<\/ul>\n\n\n\n<p>they still require the second authentication factor. Popular implementations include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Authenticator<\/li>\n\n\n\n<li>Authy<\/li>\n\n\n\n<li>TOTP applications<\/li>\n<\/ul>\n\n\n\n<p>Benefits:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protection against credential compromise<\/li>\n\n\n\n<li>Improved account security<\/li>\n\n\n\n<li>Enhanced compliance readiness<\/li>\n<\/ul>\n\n\n\n<p>For high-value servers, 2FA is strongly recommended.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Additional SSH Hardening Techniques<\/h2>\n\n\n\n<p>Beyond the core ten steps, additional improvements can further strengthen security.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Keep OpenSSH Updated<\/h3>\n\n\n\n<p>Outdated software may contain vulnerabilities. Regularly update:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update &amp;&amp; apt upgrade\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Use Modern Ciphers<\/h3>\n\n\n\n<p>Disable weak cryptographic algorithms. 
Prefer:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>chacha20-poly1305<\/li>\n\n\n\n<li>aes256-gcm<\/li>\n\n\n\n<li>strong key exchange methods<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitor Authentication Logs<\/h3>\n\n\n\n<p>Review:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/var\/log\/auth.log\n<\/code><\/pre>\n\n\n\n<p>Regular monitoring helps identify suspicious activity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Use VPN-Based Management<\/h3>\n\n\n\n<p>Many organizations place SSH behind:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WireGuard<\/li>\n\n\n\n<li>OpenVPN<\/li>\n\n\n\n<li>Tailscale<\/li>\n<\/ul>\n\n\n\n<p>This significantly reduces public exposure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Idle Session Timeouts<\/h3>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ClientAliveInterval 300\nClientAliveCountMax 2\n<\/code><\/pre>\n\n\n\n<p>Benefits:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduced risk of abandoned sessions<\/li>\n\n\n\n<li>Improved account security<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Example Hardened SSH Configuration<\/h2>\n\n\n\n<p>A modern production configuration might include:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Port 22022\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nAllowUsers admin\nMaxAuthTries 3\nX11Forwarding no\nAllowTcpForwarding no\nClientAliveInterval 300\nClientAliveCountMax 2\n<\/code><\/pre>\n\n\n\n<p>Combined with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fail2Ban<\/li>\n\n\n\n<li>Firewall restrictions<\/li>\n\n\n\n<li>SSH keys<\/li>\n\n\n\n<li>Two-factor authentication<\/li>\n<\/ul>\n\n\n\n<p>this creates a significantly stronger security posture.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Common SSH Security Mistakes<\/h2>\n\n\n\n<p>Many administrators unintentionally weaken server security. 
Examples include:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Using Password Authentication<\/h3>\n\n\n\n<p>Still one of the largest attack vectors.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Allowing Root Login<\/h3>\n\n\n\n<p>Unnecessary and risky.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Ignoring Updates<\/h3>\n\n\n\n<p>Leaves systems vulnerable.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Reusing SSH Keys<\/h3>\n\n\n\n<p>Compromised keys may affect multiple systems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Exposing SSH to the Entire Internet<\/h3>\n\n\n\n<p>Restrict access whenever possible.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Assuming Port Changes Are Enough<\/h3>\n\n\n\n<p>Security through obscurity alone is ineffective.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SSH Hardening for VPS Hosting Providers<\/h2>\n\n\n\n<p>Hosting providers face additional challenges. A single compromised VPS can be used for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Spam campaigns<\/li>\n\n\n\n<li>Botnet activity<\/li>\n\n\n\n<li>Cryptocurrency mining<\/li>\n\n\n\n<li>DDoS attacks<\/li>\n<\/ul>\n\n\n\n<p>Strong SSH security protects:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Customer environments<\/li>\n\n\n\n<li>Infrastructure reputation<\/li>\n\n\n\n<li>Network integrity<\/li>\n<\/ul>\n\n\n\n<p>This is why professional hosting providers often recommend advanced SSH hardening from day one.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why SSH Security Impacts Website Availability<\/h2>\n\n\n\n<p>A compromised server can result in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Website outages<\/li>\n\n\n\n<li>Data theft<\/li>\n\n\n\n<li>Malware infections<\/li>\n\n\n\n<li>SEO penalties<\/li>\n\n\n\n<li>Reputation damage<\/li>\n<\/ul>\n\n\n\n<p>Preventing unauthorized SSH access is therefore essential for maintaining uptime and customer trust.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why UKSpeed Recommends SSH Hardening<\/h2>\n\n\n\n<p>At UKSpeed, security forms a 
critical part of VPS management best practices. Whether you&#8217;re running:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WordPress websites<\/li>\n\n\n\n<li>WooCommerce stores<\/li>\n\n\n\n<li>Development environments<\/li>\n\n\n\n<li>SaaS platforms<\/li>\n\n\n\n<li>Dedicated servers<\/li>\n<\/ul>\n\n\n\n<p>proper SSH hardening significantly reduces the likelihood of compromise. Combining:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSH keys<\/li>\n\n\n\n<li>Fail2Ban<\/li>\n\n\n\n<li>Firewall controls<\/li>\n\n\n\n<li>Two-factor authentication<\/li>\n\n\n\n<li>Modern OpenSSH configurations<\/li>\n<\/ul>\n\n\n\n<p>creates a robust security foundation for Linux servers in 2026.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Final Thoughts<\/h2>\n\n\n\n<p>Changing the default SSH port may reduce automated scanning, but it is only a small part of a complete security strategy. Modern Linux VPS security requires multiple layers of protection working together. By implementing SSH key authentication, disabling root access, limiting login attempts, restricting users, enabling Fail2Ban, deploying firewalls, and adopting two-factor authentication, administrators can dramatically reduce the risk of unauthorized access. As cyber threats continue evolving in 2026, SSH hardening remains one of the most valuable security investments any server owner can make. A properly secured SSH service not only protects your VPS but also helps safeguard your websites, applications, customers, and business reputation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Secure Shell (SSH) remains the primary method for managing Linux servers in 2026. 
Whether you&#8217;re running a WordPress website, VPS hosting platform, database server,\u2026<\/p>\n","protected":false},"author":3,"featured_media":2000,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[103],"tags":[302,146,300,190,303,301,173,128,47],"class_list":["post-1998","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-firewall-security","tag-linux","tag-linux-security","tag-linux-vps","tag-openssh","tag-ssh-keys","tag-ssh-security","tag-uk-speed","tag-vps-hosting"],"_links":{"self":[{"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1998","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=1998"}],"version-history":[{"count":1,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1998\/revisions"}],"predecessor-version":[{"id":1999,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1998\/revisions\/1999"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/media\/2000"}],"wp:attachment":[{"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=1998"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=1998"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ukspeed.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=1998"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}