Configure SSH on a Linux VPS

SSH is the gateway to your server, and out-of-the-box, the default configuration is far from optimal. Root login enabled, password-only authentication, standard port — in short, everything a scanning bot looks for. Let's fix that.

The file we need is /etc/ssh/sshd_config. All the modifications below are made within this file.

sudo nano /etc/ssh/sshd_config

Keep an active session open

Before making any changes to this file, keep your current SSH session open and test your changes in a second terminal. If a modification locks you out, the already open session allows you to fix the issue without needing to use the web console.

Change the SSH Port

The default port 22 is the first thing all automated bots scan. Changing it won't make your server invulnerable, but it will eliminate 90% of unnecessary noise in your logs.

Port 2222

Choose a port above 1024, and note it somewhere — you'll need it for every connection.

Warning

Remember to open this new port on your firewall (UFW, for example) before restarting SSH, otherwise you'll lock yourself out. We cover this in our article on UFW.

Disable Root Login

Once you have a non-root user with sudo privileges (see our dedicated article if you haven't done this yet), there is no reason to allow root to connect directly via SSH.

PermitRootLogin no

This is frankly one of the most impactful lines for security. An attacker will have to guess both a username and a password (or a key), rather than brute-forcing a root account whose name is known to everyone.

Switch to Key-Based Authentication

Even a strong password can be brute-forced. An SSH key is far more secure.

On your local machine (not the server), generate a key pair if you don't already have one:

ssh-keygen -t ed25519

Then copy the public key to the server:

ssh-copy-id -p 2222 john@your-ip

Once you've confirmed that key-based login works (test it before disabling anything), you can disable password authentication in sshd_config:

PasswordAuthentication no

Test before disabling

Never disable password authentication without first verifying, in a separate session, that key-based login works properly. Otherwise, you'll be back to using the web console.

Limit Login Attempts

Two useful settings to slow down brute-force attacks:

MaxAuthTries 3
LoginGraceTime 30

The first limits the number of attempts per connection, the second reduces the time allowed for authentication.

Restrict Access to Specific Users

If your VPS has only two or three accounts that need SSH access, it's best to specify them explicitly:

AllowUsers john marie

All other users will be denied at the SSH level, even if their accounts exist on the system.

Apply the Changes

Once you've made your modifications, verify that the configuration file has no syntax errors before restarting the service:

sudo sshd -t

If no errors are reported, you can restart SSH:

sudo systemctl restart sshd

Most importantly, keep your current session open while you verify that a new connection works with the new port and settings.

Info

Remember to update your connection command with the new port: ssh -p 2222 john@your-ip.
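
sshd -t only checks syntax, and sshd uses the first value it obtains for each keyword, so an earlier line or an included file can silently override an edit. The added example below (not part of the original article) checks the effective settings printed by sudo sshd -T against the values used in this guide; the function name audit_sshd and both sample inputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare effective sshd settings with the values from this guide.
# On a server:  sudo sshd -T | audit_sshd
# (sshd -T prints the resolved config as lowercase "keyword value" lines.)

audit_sshd() {
  awk '
    BEGIN {
      want["permitrootlogin"] = "no"
      want["passwordauthentication"] = "no"
      want["maxauthtries"] = "3"
      want["logingracetime"] = "30"
    }
    { key = tolower($1) }
    (key in want) {
      seen[key] = 1
      if ($2 != want[key]) {
        printf "FAIL %s is %s, expected %s\n", key, $2, want[key]; bad++
      }
    }
    key == "port" { ports++; if ($2 == "22") { print "FAIL port 22 still in use"; bad++ } }
    key == "allowusers" { users += NF - 1 }
    END {
      for (k in want) if (!(k in seen)) { printf "FAIL %s not in input\n", k; bad++ }
      if (!ports) { print "FAIL no port line in input"; bad++ }
      if (!users) { print "FAIL allowusers not set, no per-user restriction"; bad++ }
      if (!bad) print "OK all checks passed"
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample: sshd -T excerpt after applying every setting in this guide.
SAMPLE_HARDENED='port 2222
permitrootlogin no
passwordauthentication no
maxauthtries 3
logingracetime 30
allowusers john
allowusers marie'

# Constructed sample: port changed, but root and password logins are still
# effective and no AllowUsers line was picked up.
SAMPLE_WEAK='port 2222
permitrootlogin yes
passwordauthentication yes
maxauthtries 3
logingracetime 30'

printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || true
```

Run it from the session you kept open, after the restart, so a FAIL line can be fixed before you disconnect.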


Summary

Custom port, disabled root login, SSH key authentication — these are the four settings that do the heavy lifting to secure access to your VPS. Next, check out our article on UFW if you haven't already — the two work well together.
