How to Harden SSH Access on Your VPS: Disable Root Login, Use Key-Based Auth
Getting a new Virtual Private Server (VPS) is exciting. You have full control, fast performance, and a blank slate to build your projects. But with great power comes great responsibility. The moment your server goes online, it becomes a target.
Hackers constantly scan the internet for vulnerable servers. They look for open doors. Secure Shell (SSH) is the main door to your server. If you leave it wide open with default settings, you are asking for trouble.
You need to know how to harden SSH access on your VPS. You must disable root login, use key-based auth, and implement strict security rules. This guide will walk you through every step. We will keep it simple. We will use plain English. You do not need to be a security expert to follow along.
By the end of this guide, you will have a rock-solid server. Let us secure your remote server access right now.
What Is SSH and Why Is It a Security Risk?
Secure Shell, or SSH, is a network protocol. It gives you a secure way to access a computer over an unsecured network. It is the industry standard for managing remote servers.
How SSH access works
When you connect to your VPS, your computer talks to the server. They use encryption to scramble the data. This means anyone listening in cannot read your passwords or commands. You open your terminal, type a command, and log in.
SSH uses a client-server model. Your computer runs the SSH client. Your VPS runs the SSH daemon (usually OpenSSH). They communicate over a specific port. By default, this is port 22.
Common attack vectors
Even though SSH encrypts data, it is still vulnerable. Hackers use automated bots to scan IP addresses. When they find an open port 22, they start attacking.
The most common threat is a brute-force attack. Bots try thousands of usernames and passwords every minute. They hope you used a weak password. Another risk is stolen credentials. If someone guesses your password, they own your server.
Why default configurations are unsafe
Most hosting providers give you a server with default OpenSSH configuration. This setup allows password logins. It also allows the “root” user to log in directly.
The root user has absolute power over the server. If a hacker gets your root password, they can destroy your data. They can use your server to send spam. They can host illegal files. Leaving default settings is a massive security risk. You need proper Linux server hardening.
Why You Should Harden SSH Access Immediately
You might think your small website is not worth hacking. That is a dangerous mistake. Bots do not care who you are. They just want server resources.
Brute-force attack prevention
When you harden SSH, you stop automated attacks. Bots rely on guessing passwords. If you turn off password authentication, the bots fail instantly. They cannot guess an SSH key. This simple change takes password brute-force attacks off the table.
Reducing unauthorized access risk
Security is all about layers. You want to make it as hard as possible for bad actors to get in. Hardening your SSH configuration adds multiple layers of defense. You control exactly who gets in and how they connect.
Improving server security posture
A hardened server gives you peace of mind. It protects your customer data. It ensures your websites stay online. Following VPS security best practices is mandatory for any serious project. It shows you care about your infrastructure.
Step 1: Create a Non-Root User on Your VPS
The first rule of Linux security is simple. Never log in as root. You need to create a regular user account. We will give this user special privileges to run administrative commands only when needed. This is called user privilege separation.
Adding a new user
Log in to your server as root for the last time. Open your terminal and connect to your VPS.
Now, type the following command to add a new user. Replace “username” with a name of your choice:
adduser username
The system will ask you to create a password. Make it a strong, unique password. It will also ask for some personal details. You can just press Enter to skip those.
Granting sudo privileges
Your new user needs permission to run administrative commands. In Linux, we use a command called sudo for this.
We need to add your new user to the sudo group. Run this command:
usermod -aG sudo username
Now, your regular user can act as an administrator when required.
Testing access
Before we move on, let us make sure this works. Open a new terminal window on your computer. Do not close the root window yet.
Try to log in with your new username:
ssh username@your_server_ip
Type the password you just created. If you log in successfully, test your sudo privileges. Type:
sudo ls /root
It will ask for your password again. If it lists the files, you did it right. You are ready for the next step.
Step 2: Set Up SSH Key-Based Authentication
Passwords are weak. People forget them. People reuse them. SSH key authentication setup solves this problem. It uses cryptography to verify your identity.
Generating SSH keys
An SSH key pair consists of two long strings of characters. One is a public key. The other is a private key. You keep the private key on your computer. You put the public key on your server.
Open the terminal on your local computer. Do not do this on the VPS. Type this command to start RSA key generation:
ssh-keygen -t rsa -b 4096
Press Enter to save the key in the default location. The system will ask you for a passphrase. This adds an extra layer of security. Type a strong passphrase and press Enter.
Uploading public key to server
Now you need to send the public key to your VPS. Linux makes this very easy. Run this command from your local computer:
ssh-copy-id username@your_server_ip
Enter your user password when asked. The system will copy the public key to your server. It saves it in a special file called authorized_keys.
Testing key-based login
Let us test your new keys. Type the login command again:
ssh username@your_server_ip
This time, the server should not ask for your user password. Instead, it will ask for your SSH key passphrase. If you get in, your key-based authentication is working perfectly.
Step 3: Disable Root Login via SSH
Now that you have a regular user with sudo access, root does not need SSH access. We must disable root login in the server's SSH settings immediately. This stops hackers from guessing the root password.
Editing SSH configuration file
You need to edit the main SSH config file. Log in to your VPS as your regular user. Open the file using a text editor like nano:
sudo nano /etc/ssh/sshd_config
This file controls how SSH behaves.
Applying secure settings
Scroll through the file until you find a line that says:
PermitRootLogin yes
Change the word “yes” to “no”. It should look exactly like this:
PermitRootLogin no
Save the file. In nano, you press Ctrl + O, hit Enter, then press Ctrl + X to exit.
Restarting SSH service
The server needs to reload the configuration to apply the changes. Run this command:
sudo systemctl restart ssh
Open a new terminal window. Try to log in as root. The server should reject your connection. Congratulations. You just blocked the most common attack path.
Step 4: Disable Password Authentication (Optional but Recommended)
You are using SSH keys now. You do not need passwords to log in. Turning off password login is the ultimate way to prevent SSH brute force attacks.
Why password login is risky
As long as password login is enabled, bots will keep trying to guess your password. Even if you use a strong password, the constant attacks waste your server resources. Disabling passwords makes your server invisible to these attacks.
Switching fully to SSH keys
Open the SSH configuration file again:
sudo nano /etc/ssh/sshd_config
Find the line that says:
PasswordAuthentication yes
Change it to “no”:
PasswordAuthentication no
Save the file and exit.
Safe transition strategy
Before you restart the SSH service, double-check your SSH keys. Ensure you can log in without a password. If you disable passwords and your keys are broken, you will lock yourself out.
Once you are sure your keys work, restart the service:
sudo systemctl restart ssh
Your server is now strictly using public/private key authentication.
Step 5: Change Default SSH Port (Security by Obscurity Layer)
Changing your SSH port will not stop a determined hacker. But it will stop lazy bots. This is called security by obscurity. It hides your front door.
Why port 22 is targeted
Bots are programmed to scan the internet quickly. They look for port 22 because it is the default SSH port. If they do not see port 22, they usually move on to the next IP address.
Port 22 carries this risk simply because of its visibility.
Choosing a new port
You can pick almost any port number between 1024 and 65535. Make sure no other service is using it. Let us pick 2222 for this example.
Open the SSH config file:
sudo nano /etc/ssh/sshd_config
Find the line that says:
#Port 22
Remove the hash symbol (#) and change the number:
Port 2222
Save and exit.
Updating firewall rules
Before you restart SSH, you must tell your firewall to allow traffic on the new port. If you skip this, you will block yourself.
If you use UFW (Uncomplicated Firewall), run:
sudo ufw allow 2222/tcp
Now, restart SSH:
sudo systemctl restart ssh
Next time you log in, you must specify the new port:
ssh -p 2222 username@your_server_ip
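Before restarting sshd after the edits in Steps 3, 4 and 5, it is worth confirming what sshd will actually use rather than what you typed. The following check is an added example, not part of the original guide: it reads the output of sshd -T, which prints the effective configuration after resolving any Include directives, so it also catches the case where a file included near the top of sshd_config (for example the 50-cloud-init.conf drop-in shipped on Ubuntu cloud images) still says PasswordAuthentication yes and silently wins over your edit, because sshd keeps the first value it reads for each keyword. The port 2222 and the sample dump are assumed values for the demo.

```shell
#!/bin/sh
# Added check for Steps 3-5 (not from the original guide): verify the settings
# sshd will really use before restarting it. "sshd -T" prints one lowercase
# "keyword value" pair per line after resolving Include files, so a stale
# "passwordauthentication yes" from an included file shows up here.

# check_sshd_hardening DUMP [PORT]: DUMP holds "sshd -T" output, PORT is the
# port chosen in Step 5 (defaults to 22). Returns 0 only when root login and
# password authentication are off and the listening port matches.
check_sshd_hardening() {
    dump="$1"
    expected_port="${2:-22}"
    status=0
    for want in "permitrootlogin no" "passwordauthentication no" "port $expected_port"; do
        key="${want%% *}"
        val="${want#* }"
        # first matching keyword wins, the same rule sshd applies
        got=$(awk -v k="$key" '$1 == k { print $2; exit }' "$dump")
        if [ "$got" = "$val" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', want '$val'"
            status=1
        fi
    done
    return "$status"
}

# On the VPS, after editing sshd_config and before restarting:
#   sudo sshd -t                            # syntax check; non-zero exit means do not restart
#   sudo sshd -T > /tmp/sshd-effective.txt  # effective config, includes resolved
#   check_sshd_hardening /tmp/sshd-effective.txt 2222

# Demo on a constructed dump (not from a real server) showing the included-file
# problem: root login is off, but password authentication is still on, so the
# check fails and the server is not yet safe to restart into.
sample=$(mktemp)
printf 'permitrootlogin no\npasswordauthentication yes\nport 2222\n' > "$sample"
check_sshd_hardening "$sample" 2222 || echo "not hardened yet: fix the config before restarting sshd"
rm -f "$sample"
```

After the restart, confirm the new port is really listening with ss -tlnp before closing your existing session.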
Step 6: Add Fail2Ban for Extra Protection
Even with keys and a custom port, bad actors might find your SSH service. You need an active defense system. Fail2Ban is the perfect tool for intrusion prevention.
Blocking brute-force attempts
Fail2Ban monitors your server log files. It looks for repeated failed login attempts. When an IP address fails too many times, Fail2Ban blocks it automatically.
Install it by running:
sudo apt install fail2ban
Configuring ban rules
Fail2Ban works right out of the box for SSH. But you should create a local configuration file to make adjustments.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open the new file:
sudo nano /etc/fail2ban/jail.local
Find the [sshd] section. Make sure it is enabled. If you changed your SSH port, update the port setting here too. You can set the bantime to decide how long to block attackers.
Monitoring failed logins
Fail2Ban runs quietly in the background. If you want to see who it has blocked, run this command:
sudo fail2ban-client status sshd
You will see a list of banned IP addresses. It feels great to know your server is fighting back.
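To make the jail.local adjustments concrete, here is an added example (not from the original guide or the Fail2Ban project) of a minimal [sshd] override using the port 2222 assumed from Step 5, together with a small per-IP failure count over constructed sshd log lines that mirrors what Fail2Ban tallies before it bans an address.

```shell
#!/bin/sh
# Added example (not from the original guide): the [sshd] override for
# jail.local with the port from Step 5, plus a per-IP failure count that
# mirrors what Fail2Ban tallies from the sshd log. Port 2222 and the log
# lines below are constructed for the demo.

# write_sshd_jail FILE: writes a minimal [sshd] jail override. On a real VPS
# use /etc/fail2ban/jail.local (with sudo); these lines can be appended to
# the copied file, since jail.local settings override jail.conf.
write_sshd_jail() {
    cat > "$1" <<'EOF'
[sshd]
enabled  = true
port     = 2222
maxretry = 5
findtime = 10m
bantime  = 1h
# backend = systemd   # uncomment where sshd logs only to journald (no /var/log/auth.log)
EOF
}

# failed_logins_by_ip LOG MIN: prints "IP count" for each source with at least
# MIN lines of the kind sshd writes for a failed login ("Failed password ...
# from IP" and "Invalid user ... from IP"). "Accepted" lines are ignored.
failed_logins_by_ip() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i + 1)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' "$1" | sort
}

# Constructed sample log (TEST-NET addresses, not a real server).
log=$(mktemp)
cat > "$log" <<'EOF'
Mar  3 10:01:02 vps sshd[1201]: Failed password for root from 203.0.113.5 port 40110 ssh2
Mar  3 10:01:04 vps sshd[1201]: Failed password for root from 203.0.113.5 port 40110 ssh2
Mar  3 10:01:07 vps sshd[1203]: Invalid user admin from 203.0.113.5 port 40122
Mar  3 10:01:09 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:02:30 vps sshd[1210]: Failed password for username from 198.51.100.7 port 51000 ssh2
Mar  3 10:02:45 vps sshd[1212]: Accepted publickey for username from 198.51.100.7 port 51002 ssh2
EOF
failed_logins_by_ip "$log" 3     # prints: 203.0.113.5 4
rm -f "$log"
```

After changing jail.local, run sudo systemctl restart fail2ban and then the fail2ban-client status command above to confirm the jail is active on the new port.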
Step 7: Configure Firewall Rules for SSH Security
A firewall acts as a security guard for your server. It controls all incoming and outgoing traffic. Setting up proper firewall rules is a crucial part of server hardening.
Allowing only trusted IPs
If you only work from one location, like an office, you have a static IP address. You can configure your firewall to only allow SSH connections from that specific IP.
This makes your server invisible to everyone else.
Limiting access attempts
If you travel a lot, you cannot restrict access to one IP. Instead, you can limit the connection rate. UFW allows you to rate-limit connections.
If someone tries to connect more than six times in 30 seconds, UFW drops the connection. Run this command:
sudo ufw limit 2222/tcp
Using UFW or iptables
UFW is highly recommended for beginners. It is simple to use. To enable it, you must allow your SSH port first:
sudo ufw allow 2222/tcp
Then enable the firewall:
sudo ufw enable
Always verify your firewall status:
sudo ufw status
Your server is now secured behind a robust firewall.
Common Mistakes When Hardening SSH
Security is strict. One small mistake can cause major headaches. Here are a few things to watch out for when configuring secure remote server access.
Locking yourself out of server
This is the biggest fear for server admins. If you disable passwords before testing your SSH keys, you will get locked out. Always keep a root session open in a separate window while making changes. Test your new setup in a different window.
Incorrect key permissions
SSH is very picky about file permissions. If your key files are open to other users, SSH will reject them.
Your ~/.ssh directory should have 700 permissions. Your authorized_keys file should have 600 permissions. Run these commands on your VPS to fix them:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Disabling access without backup plan
What happens if you lose your private SSH key? If password login is disabled, you cannot get in. Always back up your private key to a secure location. Many hosting providers offer a web-based console. Check if your provider has this feature. It allows you to log in even if SSH is broken.
How Does SkyNetHosting.Net Inc. Support Secure VPS Environments?
When you follow a Linux SSH hardening guide, you need a reliable foundation. Your hosting provider plays a big role in your security. SkyNetHosting.Net Inc. offers robust solutions for all your hosting needs.
Secure VPS infrastructure
SkyNetHosting builds servers with security in mind. Their infrastructure uses the latest CloudLinux and LiteSpeed technologies. This ensures your server is fast and isolated from bad actors. Whether you choose a USA Reseller Hosting plan or a dedicated VPS, security is a priority.
High-performance server environments
Security can sometimes slow things down. But with NVMe Storage, you get lightning-fast speeds. These drives are 900% faster than traditional SATA drives. You can run intense security scripts without noticing a performance drop. You can even resell VPS and servers to your own clients with confidence.
Reliable access and monitoring support
If you ever lock yourself out, you are not alone. SkyNetHosting offers 24/7 End-User Support. Their team of expert technicians monitors data centers constantly. They provide regular backups to keep your data safe. If you run a hosting business using WHMCS, you know how valuable good support is. You can even offer Premium MailChannels Email to ensure your client communications remain spam-free.
With over 20 years in business, SkyNetHosting.Net knows how to keep servers secure.
The Final Steps for a Rock-Solid VPS
We have covered a lot of ground today. You learned how to harden SSH access on your VPS. You now know how to disable root login safely.
SSH hardening is essential for every VPS owner
You cannot skip security. The internet is full of automated bots looking for easy targets. By following this SSH configuration security guide, you took control of your server. You closed the wide-open doors. You put up strong barriers.
Key-based authentication significantly improves security
Moving away from passwords is the smartest thing you can do. SSH keys are mathematically secure. They stop brute-force attacks dead in their tracks. When paired with Fail2Ban and custom firewall rules, your server becomes a fortress.
SkyNetHosting.net provides VPS infrastructure suitable for secure production deployments
Building a secure server is easier when you use premium hardware. Providers like SkyNetHosting.Net give you the tools you need to succeed. They offer free domain reseller accounts and top-tier customer service.
Take a moment to review your server settings. Test your SSH keys. Check your firewall rules. Security is an ongoing process. Keep your server updated. Stay alert. Enjoy the peace of mind that comes with a properly secured VPS.