Harden SSH Configuration
Change Default SSH Port:
Edit /etc/ssh/sshd_config and set Port 2222 (or another non-standard port). Restart SSH:
systemctl restart sshd
Disable Root Login:
In /etc/ssh/sshd_config, set PermitRootLogin no.
Use Key-Based Authentication:
Generate SSH keys and disable password logins:
ssh-keygen -t ed25519
Set PasswordAuthentication no in sshd_config.
Restrict Users:
Allow only specific users:
AllowUsers alice bob
Rate-Limit Connections:
Use iptables to limit attempts:
iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
Firewall Configuration
Allow Trusted IPs Only (UFW):
ufw allow from 192.168.1.0/24 to any port 2222
ufw enable
Install Fail2Ban
Install and configure to monitor SSH logs:
apt install fail2ban
Edit /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 1h
After Changes:
systemctl reload sshd
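
To confirm the sshd_config settings above before reloading, the following shell script is an added example (not part of the original guide) that reports whether Port, PermitRootLogin, PasswordAuthentication and AllowUsers hold the values this guide sets. The function names effective_value and audit_sshd and the sample config are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): check an sshd_config for the
# directives set above. For single-valued keywords sshd keeps the FIRST value
# it reads and matches keywords case-insensitively, so a later line cannot
# override an earlier one. Include files and Match blocks are not evaluated.

# effective_value FILE KEYWORD: print the first global value of KEYWORD.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blanks
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# audit_sshd FILE PORT: print one line per check; succeed only if all pass.
audit_sshd() {
    file=$1 fails=0
    for pair in "Port=$2" PermitRootLogin=no PasswordAuthentication=no; do
        key=${pair%%=*} want=${pair#*=}
        got=$(effective_value "$file" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$want'"
            fails=$((fails + 1))
        fi
    done
    users=$(effective_value "$file" AllowUsers)
    if [ -n "$users" ]; then
        echo "ok    AllowUsers $users"
    else
        echo "FAIL  AllowUsers is unset"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample: the early "yes" wins over the later "no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication yes
AllowUsers alice bob
PasswordAuthentication no
EOF
audit_sshd "$sample" 2222 || echo "config needs fixing"
rm -f "$sample"
```

On a live host, sshd -t validates the file's syntax and sshd -T prints the effective configuration, including values pulled in through Include files that this script does not read.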