Getting a new Virtual Private Server (VPS) is exciting. You have full control, fast performance, and a blank slate to build your projects. But with great power comes great responsibility. The moment your server goes online, it becomes a target.<\/p>\n\n\n\n
Hackers constantly scan the internet for vulnerable servers. They look for open doors. Secure Shell (SSH) is the main door to your server. If you leave it wide open with default settings, you are asking for trouble.<\/p>\n\n\n\n
You need to know how to harden SSH access on your VPS. You must disable root login, use key-based auth, and implement strict security rules. This guide will walk you through every step. We will keep it simple. We will use plain English. You do not need to be a security expert to follow along.<\/p>\n\n\n\n
By the end of this guide, you will have a rock-solid server. Let us secure your remote server access right now.<\/p>\n\n\n\n
Secure Shell, or SSH, is a network protocol. It gives you a secure way to access a computer over an unsecured network. It is the industry standard for managing remote servers.<\/p>\n\n\n\n
When you connect to your VPS, your computer talks to the server. They use encryption to scramble the data. This means anyone listening in cannot read your passwords or commands. You open your terminal, type a command, and log in.<\/p>\n\n\n\n
SSH uses a client-server model. Your computer runs the SSH client. Your VPS runs the SSH daemon (usually OpenSSH). They communicate over a specific port. By default, this is port 22.<\/p>\n\n\n\n
Even though SSH encrypts data, it is still vulnerable. Hackers use automated bots to scan IP addresses. When they find an open port 22, they start attacking.<\/p>\n\n\n\n
The most common threat is a brute-force attack. Bots try thousands of usernames and passwords every minute. They hope you used a weak password. Another risk is stolen credentials. If someone guesses your password, they own your server.<\/p>\n\n\n\n
Most hosting providers give you a server with default OpenSSH configuration. This setup allows password logins. It also allows the “root” user to log in directly.<\/p>\n\n\n\n
The root user has absolute power over the server. If a hacker gets your root password, they can destroy your data. They can use your server to send spam. They can host illegal files. Leaving default settings is a massive security risk. You need proper Linux server hardening<\/a>.<\/p>\n\n\n\n You might think your small website is not worth hacking. That is a dangerous mistake. Bots do not care who you are. They just want server resources.<\/p>\n\n\n\n When you harden SSH, you stop automated attacks. Bots rely on guessing passwords. If you turn off password authentication, the bots fail instantly. They cannot guess an SSH key. This simple change eliminates the risk of brute force attacks.<\/p>\n\n\n\n Security is all about layers. You want to make it as hard as possible for bad actors to get in. Hardening your SSH configuration adds multiple layers of defense. You control exactly who gets in and how they connect.<\/p>\n\n\n\n A hardened server gives you peace of mind. It protects your customer data. It ensures your websites stay online. Following VPS security best practices is mandatory for any serious project. It shows you care about your infrastructure.<\/p>\n\n\n\n The first rule of Linux security is simple. Never log in as root. You need to create a regular user account. We will give this user special privileges to run administrative commands only when needed. This is called user privilege separation.<\/p>\n\n\n\n Log in to your server as root for the last time. Open your terminal and connect to your VPS.<\/p>\n\n\n\n Now, type the following command to add a new user. Replace “username” with a name of your choice:<\/p>\n\n\n\n The system will ask you to create a password. Make it a strong, unique password. It will also ask for some personal details. You can just press Enter to skip those.<\/p>\n\n\n\n Your new user needs permission to run administrative commands. In Linux, we use a command called We need to add your new user to the sudo group. Run this command:<\/p>\n\n\n\n Now, your regular user can act as an administrator when required.<\/p>\n\n\n\n Before we move on, let us make sure this works. Open a new terminal window on your computer. Do not close the root window yet.<\/p>\n\n\n\n Try to log in with your new username:<\/p>\n\n\n\n Type the password you just created. If you log in successfully, test your sudo privileges. Type:<\/p>\n\n\n\n It will ask for your password again. If it lists the files, you did it right. You are ready for the next step.<\/p>\n\n\n\n Passwords are weak. People forget them. People reuse them. SSH key authentication setup solves this problem. It uses cryptography to verify your identity.<\/p>\n\n\n\n An SSH key pair consists of two long strings of characters. One is a public key. The other is a private key. You keep the private key on your computer. You put the public key on your server.<\/p>\n\n\n\n Open the terminal on your local computer. Do not do this on the VPS. Type this command to start RSA key generation:<\/p>\n\n\n\n Press Enter to save the key in the default location. The system will ask you for a passphrase. This adds an extra layer of security. Type a strong passphrase and press Enter.<\/p>\n\n\n\n Now you need to send the public key to your VPS. Linux makes this very easy. Run this command from your local computer:<\/p>\n\n\n\n Enter your user password when asked. The system will copy the public key to your server. It saves it in a special file called Let us test your new keys. Type the login command again:<\/p>\n\n\n\n This time, the server should not ask for your user password. Instead, it will ask for your SSH key passphrase. If you get in, your key-based authentication is working perfectly.<\/p>\n\n\n\n Now that you have a regular user with sudo access, root does not need SSH access. We must disable root login Linux server settings immediately. This stops hackers from guessing the root password.<\/p>\n\n\n\n You need to edit the main SSH config file. Log in to your VPS as your regular user. Open the file using a text editor like nano:<\/p>\n\n\n\n This file controls how SSH behaves.<\/p>\n\n\n\n Scroll through the file until you find a line that says:<\/p>\n\n\n\n Change the word “yes” to “no”. It should look exactly like this:<\/p>\n\n\n\n Save the file. In nano, you press The server needs to reload the configuration to apply the changes. Run this command:<\/p>\n\n\n\n Open a new terminal window. Try to log in as root. The server should reject your connection. Congratulations. You just blocked the most common attack path.<\/p>\n\n\n\n You are using SSH keys now. You do not need passwords to log in. Turning off password login is the ultimate way to prevent SSH brute force attacks.<\/p>\n\n\n\n As long as password login is enabled, bots will keep trying to guess them. Even if you use a strong password, the constant attacks waste your server resources. Disabling passwords makes your server invisible to these attacks.<\/p>\n\n\n\n Open the SSH configuration file again:<\/p>\n\n\n\n Find the line that says:<\/p>\n\n\n\n Change it to “no”:<\/p>\n\n\n\n Save the file and exit.<\/p>\n\n\n\n Before you restart the SSH service, double-check your SSH keys. Ensure you can log in without a password. If you disable passwords and your keys are broken, you will lock yourself out.<\/p>\n\n\n\n Once you are sure your keys work, restart the service:<\/p>\n\n\n\n Your server is now strictly using public key private key authentication.<\/p>\n\n\n\n Changing your SSH port will not stop a determined hacker. But it will stop lazy bots. This is called security by obscurity. It hides your front door.<\/p>\n\n\n\n Bots are programmed to scan the internet quickly. They look for port 22 because it is the default SSH port. If they do not see port 22, they usually move on to the next IP address.<\/p>\n\n\n\n Port 22 security risks are high simply because of its visibility.<\/p>\n\n\n\n You can pick almost any port number between 1024 and 65535. Make sure no other service is using it. Let us pick 2222 for this example.<\/p>\n\n\n\n Open the SSH config file:<\/p>\n\n\n\n Find the line that says:<\/p>\n\n\n\n Remove the hash symbol (#) and change the number:<\/p>\n\n\n\n Save and exit.<\/p>\n\n\n\n Before you restart SSH, you must tell your firewall to allow traffic on the new port. If you skip this, you will block yourself.<\/p>\n\n\n\n If you use UFW (Uncomplicated Firewall), run:<\/p>\n\n\n\n Now, restart SSH:<\/p>\n\n\n\n Next time you log in, you must specify the new port:<\/p>\n\n\n\n Even with keys and a custom port, bad actors might find your SSH service. You need an active defense system. Fail2Ban is the perfect tool for intrusion prevention.<\/p>\n\n\n\n Fail2Ban monitors your server log files. It looks for repeated failed login attempts. When an IP address fails too many times, Fail2Ban blocks it automatically.<\/p>\n\n\n\n Install it by running:<\/p>\n\n\n\n Fail2Ban works right out of the box for SSH. But you should create a local configuration file to make adjustments.<\/p>\n\n\n\n Open the new file:<\/p>\n\n\n\n Find the Fail2Ban runs quietly in the background. If you want to see who it has blocked, run this command:<\/p>\n\n\n\n You will see a list of banned IP addresses. It feels great to know your server is fighting back.<\/p>\n\n\n\n A firewall acts as a security guard for your server. It controls all incoming and outgoing traffic. Setting up proper firewall rules is a crucial part of server hardening.<\/p>\n\n\n\n If you only work from one location, like an office, you have a static IP address. You can configure your firewall to only allow SSH connections from that specific IP.<\/p>\n\n\n\n This makes your server invisible to everyone else.<\/p>\n\n\n\n If you travel a lot, you cannot restrict access to one IP. Instead, you can limit the connection rate. UFW allows you to rate-limit connections.<\/p>\n\n\n\n If someone tries to connect more than six times in 30 seconds, UFW drops the connection. Run this command:<\/p>\n\n\n\n UFW is highly recommended for beginners. It is simple to use. To enable it, you must allow your SSH port first:<\/p>\n\n\n\n Then enable the firewall:<\/p>\n\n\n\n Always verify your firewall status:<\/p>\n\n\n\n Your server is now secured behind a robust firewall.<\/p>\n\n\n\n Security is strict. One small mistake can cause major headaches. Here are a few things to watch out for when configuring secure remote server access.<\/p>\n\n\n\n This is the biggest fear for server admins. If you disable passwords before testing your SSH keys, you will get locked out. Always keep a root session open in a separate window while making changes. Test your new setup in a different window.<\/p>\n\n\n\n SSH is very picky about file permissions. If your key files are open to other users, SSH will reject them.<\/p>\n\n\n\n Your What happens if you lose your private SSH key? If password login is disabled, you cannot get in. Always back up your private key to a secure location. Many hosting providers offer a web-based console. Check if your provider has this feature. It allows you to log in even if SSH is broken.<\/p>\n\n\n\n When you follow a Linux SSH hardening guide, you need a reliable foundation. Your hosting provider plays a big role in your security. SkyNetHosting.Net Inc.<\/a> offers robust solutions for all your hosting needs.<\/p>\n\n\n\n SkyNetHosting builds servers with security in mind. Their infrastructure uses the latest CloudLinux and LiteSpeed technologies. This ensures your server is fast and isolated from bad actors. Whether you choose a USA Reseller Hosting<\/a> plan or a dedicated VPS, security is a priority.<\/p>\n\n\n\n Security can sometimes slow things down. But with NVMe Storage<\/a>, you get lightning-fast speeds. These drives are 900% faster than traditional SATA drives. You can run intense security scripts without noticing a performance drop. You can even resell VPS and servers<\/a> to your own clients with confidence.<\/p>\n\n\n\n If you ever lock yourself out, you are not alone. SkyNetHosting offers 24\/7 End-User Support<\/a>. Their team of expert technicians monitors data centers constantly. They provide regular backups to keep your data safe. If you run a hosting business using WHMCS<\/a>, you know how valuable good support is. You can even offer Premium MailChannels Email<\/a> to ensure your client communications remain spam-free.<\/p>\n\n\n\nWhy You Should Harden SSH Access Immediately<\/h2>\n\n\n\n
Brute-force attack prevention<\/h3>\n\n\n\n
Reducing unauthorized access risk<\/h3>\n\n\n\n
Improving server security posture<\/h3>\n\n\n\n
Step 1: Create a Non-Root User on Your VPS<\/h2>\n\n\n\n
Adding a new user<\/h3>\n\n\n\n
adduser username<\/code><\/p>\n\n\n\nGranting sudo privileges<\/h3>\n\n\n\n
sudo<\/code> for this.<\/p>\n\n\n\nusermod -aG sudo username<\/code><\/p>\n\n\n\nTesting access<\/h3>\n\n\n\n
ssh username@your_server_ip<\/code><\/p>\n\n\n\nsudo ls \/root<\/code><\/p>\n\n\n\nStep 2: Set Up SSH Key-Based Authentication<\/h2>\n\n\n\n
Generating SSH keys<\/h3>\n\n\n\n
ssh-keygen -t rsa -b 4096<\/code><\/p>\n\n\n\nUploading public key to server<\/h3>\n\n\n\n
ssh-copy-id username@your_server_ip<\/code><\/p>\n\n\n\nauthorized_keys<\/code>.<\/p>\n\n\n\nTesting key-based login<\/h3>\n\n\n\n
ssh username@your_server_ip<\/code><\/p>\n\n\n\nStep 3: Disable Root Login via SSH<\/h2>\n\n\n\n
Editing SSH configuration file<\/h3>\n\n\n\n
sudo nano \/etc\/ssh\/sshd_config<\/code><\/p>\n\n\n\nApplying secure settings<\/h3>\n\n\n\n
PermitRootLogin yes<\/code><\/p>\n\n\n\nPermitRootLogin no<\/code><\/p>\n\n\n\nCtrl + O<\/code>, hit Enter, then press Ctrl + X<\/code> to exit.<\/p>\n\n\n\nRestarting SSH service<\/h3>\n\n\n\n
sudo systemctl restart ssh<\/code><\/p>\n\n\n\nStep 4: Disable Password Authentication (Optional but Recommended)<\/h2>\n\n\n\n
Why password login is risky<\/h3>\n\n\n\n
Switching fully to SSH keys<\/h3>\n\n\n\n
sudo nano \/etc\/ssh\/sshd_config<\/code><\/p>\n\n\n\nPasswordAuthentication yes<\/code><\/p>\n\n\n\nPasswordAuthentication no<\/code><\/p>\n\n\n\nSafe transition strategy<\/h3>\n\n\n\n
sudo systemctl restart ssh<\/code><\/p>\n\n\n\nStep 5: Change Default SSH Port (Security by Obscurity Layer)<\/h2>\n\n\n\n
Why port 22 is targeted<\/h3>\n\n\n\n
Choosing a new port<\/h3>\n\n\n\n
sudo nano \/etc\/ssh\/sshd_config<\/code><\/p>\n\n\n\n#Port 22<\/code><\/p>\n\n\n\nPort 2222<\/code><\/p>\n\n\n\nUpdating firewall rules<\/h3>\n\n\n\n
sudo ufw allow 2222\/tcp<\/code><\/p>\n\n\n\nsudo systemctl restart ssh<\/code><\/p>\n\n\n\nssh -p 2222 username@your_server_ip<\/code><\/p>\n\n\n\nStep 6: Add Fail2Ban for Extra Protection<\/h2>\n\n\n\n
Blocking brute-force attempts<\/h3>\n\n\n\n
sudo apt install fail2ban<\/code><\/p>\n\n\n\nConfiguring ban rules<\/h3>\n\n\n\n
sudo cp \/etc\/fail2ban\/jail.conf \/etc\/fail2ban\/jail.local<\/code><\/p>\n\n\n\nsudo nano \/etc\/fail2ban\/jail.local<\/code><\/p>\n\n\n\n[sshd]<\/code> section. Make sure it is enabled. If you changed your SSH port, update the port setting here too. You can set the bantime<\/code> to decide how long to block attackers.<\/p>\n\n\n\nMonitoring failed logins<\/h3>\n\n\n\n
sudo fail2ban-client status sshd<\/code><\/p>\n\n\n\nStep 7: Configure Firewall Rules for SSH Security<\/h2>\n\n\n\n
Allowing only trusted IPs<\/h3>\n\n\n\n
Limiting access attempts<\/h3>\n\n\n\n
sudo ufw limit 2222\/tcp<\/code><\/p>\n\n\n\nUsing UFW or iptables<\/h3>\n\n\n\n
sudo ufw allow 2222\/tcp<\/code><\/p>\n\n\n\nsudo ufw enable<\/code><\/p>\n\n\n\nsudo ufw status<\/code><\/p>\n\n\n\nCommon Mistakes When Hardening SSH<\/h2>\n\n\n\n
Locking yourself out of server<\/h3>\n\n\n\n
Incorrect key permissions<\/h3>\n\n\n\n
~\/.ssh<\/code> directory should have 700 permissions. Your authorized_keys<\/code> file should have 600 permissions. Run these commands on your VPS to fix them:<\/p>\n\n\n\nchmod 700 ~\/.ssh<\/code>chmod 600 ~\/.ssh\/authorized_keys<\/code><\/p>\n\n\n\nDisabling access without backup plan<\/h3>\n\n\n\n
How Does SkyNetHosting.Net Inc. Support Secure VPS Environments?<\/h2>\n\n\n\n
Secure VPS infrastructure<\/h3>\n\n\n\n
High-performance server environments<\/h3>\n\n\n\n
Reliable access and monitoring support<\/h3>\n\n\n\n