SSH (Secure Shell) is the primary method to remotely manage a Linux VPS or VDS. Because SSH is a critical service, securing it is essential to prevent unauthorized access, brute-force attacks, or exploitation.
In this guide, we’ll walk through best practices for hardening SSH security — including IP restriction — so your server stays safe.
Backup your SSH config: Always back up your SSH configuration file (/etc/ssh/sshd_config) before changing anything.
Keep another terminal open: When editing SSH settings, leave one SSH session active in case you accidentally lock yourself out.
Test changes before applying permanently.
Have console access or recovery mode ready if your VPS provider offers it.
Attackers scan port 22 by default. Moving SSH to a different port reduces random scanning.
How to change the SSH port:
Open the SSH config:
sudo nano /etc/ssh/sshd_config
Find the line:
#Port 22
Uncomment and change it, for example:
Port 2222
Save the file and exit.
Restart SSH:
sudo systemctl restart sshd
Now SSH runs on a different port (e.g., 2222).
Important: Update your firewall (UFW, firewalld, etc.) to allow the new port.
Preventing direct root login forces users to log in with a regular user first, reducing risks.
How to disable root login:
Open the SSH config:
sudo nano /etc/ssh/sshd_config
Find the line:
PermitRootLogin yes
Change it to:
PermitRootLogin no
Save and exit.
Restart SSH:
sudo systemctl restart sshd
Now users must log in as a normal user and then use sudo for admin tasks.
SSH keys are much more secure than passwords.
How to set up SSH keys:
Generate a key pair on your local machine:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Upload your public key to the server:
ssh-copy-id username@your-server-ip
Or manually:
Copy the contents of ~/.ssh/id_rsa.pub from your local machine.
On the server, paste it into ~/.ssh/authorized_keys under your user account.
(Optional) Disable password authentication for better security:
Edit the SSH config:
sudo nano /etc/ssh/sshd_config
Set:
PasswordAuthentication no
Save and exit.
Restart SSH:
sudo systemctl restart sshd
Now only devices with the correct private key can access your server.
Control what connections reach your server.
Install and configure UFW:
sudo apt install ufwsudo ufw allow 2222/tcpsudo ufw enablesudo ufw status
Install and configure Firewalld:
sudo systemctl start firewalldsudo firewall-cmd --permanent --add-port=2222/tcpsudo firewall-cmd --reloadsudo firewall-cmd --list-all
You can allow only specific IP addresses to connect via SSH.
Using UFW:
sudo ufw allow from YOUR.IP.ADDRESS.HERE to any port 2222 proto tcpsudo ufw deny 2222/tcp
Using Firewalld:
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='YOUR.IP.ADDRESS.HERE' port protocol='tcp' port='2222' accept"sudo firewall-cmd --reload
Now only your trusted IP(s) can access SSH.
Edit /etc/hosts.allow:
sshd: YOUR.IP.ADDRESS.HERE
Edit /etc/hosts.deny:
sshd: ALL
Restrict SSH login by user and IP:
Edit the SSH config:
sudo nano /etc/ssh/sshd_config
Add:
AllowUsers username@YOUR.IP.ADDRESS.HERE
Or restrict by groups:
AllowGroups sshusers
Restart SSH to apply changes:
sudo systemctl restart sshd
Install Fail2Ban to automatically block IPs after failed login attempts:
sudo apt install fail2bansudo systemctl enable fail2bansudo systemctl start fail2ban
Enable Two-Factor Authentication (2FA) using tools like Google Authenticator or similar PAM modules.
Limit the number of authentication attempts:
Set MaxAuthTries 3 in /etc/ssh/sshd_config
Reduce the login grace time:
Set LoginGraceTime 30 in /etc/ssh/sshd_config
This closes the connection if authentication isn’t completed quickly.
| Task | Done? |
|---|---|
| Changed default SSH port | |
| Disabled root login | |
| Enabled SSH key authentication | |
| Set up firewall | |
| Restricted SSH access by IP | |
| Installed Fail2Ban (optional) |
| Action | Command |
|---|---|
| Edit SSH config | sudo nano /etc/ssh/sshd_config |
| Restart SSH | sudo systemctl restart sshd |
| UFW allow new SSH port | sudo ufw allow 2222/tcp |
| Firewalld allow new SSH port | sudo firewall-cmd --permanent --add-port=2222/tcp --reload |
| Copy SSH key to server | ssh-copy-id user@server_ip |
| Reload firewall configuration | sudo firewall-cmd --reload |
Always test new SSH settings in a second session before closing your main one.
Document your server IP restrictions so you don’t get locked out when your ISP changes your IP.
Use your VPS provider’s console or recovery mode access in case of accidental lockout.