Configure SSH on a Linux VPS
SSH is the gateway to your server, and out-of-the-box, the default configuration is far from optimal. Root login enabled, password-only authentication, standard port — in short, everything a scanning bot looks for. Let's fix that.
The file we need is /etc/ssh/sshd_config. All the modifications below are made within this file.
sudo nano /etc/ssh/sshd_config
Before making any changes to this file, keep your current SSH session open and test your changes in a second terminal. If a modification locks you out, the already open session allows you to fix the issue without needing to use the web console.
Change the SSH Port
The default port 22 is the first thing all automated bots scan. Changing it won't make your server invulnerable, but it will eliminate 90% of unnecessary noise in your logs.
Port 2222
Choose a port above 1024, and note it somewhere — you'll need it for every connection.
Remember to open this new port on your firewall (UFW, for example) before restarting SSH, otherwise you'll lock yourself out. We cover this in our article on UFW.
Disable Root Login
Once you have a non-root user with sudo privileges (see our dedicated article if you haven't done this yet), there is no reason to allow root to connect directly via SSH.
PermitRootLogin no
This is frankly one of the most impactful lines for security. An attacker will have to guess both a username and a password (or a key), rather than brute-forcing a root account whose name is known to everyone.
Switch to Key-Based Authentication
Even a strong password can be brute-forced. An SSH key is far more secure.
On your local machine (not the server), generate a key pair if you don't already have one:
ssh-keygen -t ed25519
Then copy the public key to the server:
ssh-copy-id -p 2222 john@your-ip
Once you've confirmed that key-based login works (test it before disabling anything), you can disable password authentication in sshd_config:
PasswordAuthentication no
Never disable password authentication without first verifying, in a separate session, that key-based login works properly. Otherwise, you'll be back to using the web console.
Limit Login Attempts
Two useful settings to slow down brute-force attacks:
MaxAuthTries 3
LoginGraceTime 30
The first limits the number of attempts per connection, the second reduces the time allowed for authentication.
Restrict Access to Specific Users
If your VPS has only two or three accounts that need SSH access, it's best to specify them explicitly:
AllowUsers john marie
All other users will be denied at the SSH level, even if their accounts exist on the system.
Apply the Changes
Once you've made your modifications, verify that the configuration file has no syntax errors before restarting the service:
sudo sshd -t
If no errors are reported, you can restart SSH (on Debian and Ubuntu the service unit is named ssh rather than sshd):
sudo systemctl restart sshd
Most importantly, keep your current session open while you verify that a new connection works with the new port and settings.
Remember to update your connection command with the new port: ssh -p 2222 john@your-ip.
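sshd -t only validates syntax; it does not tell you whether the values recommended above are the ones actually in effect. The script below is an added example, not part of the original article, that audits a config file for them; the function names effective_value and audit_sshd_config are hypothetical and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the settings in this article.
# Assumptions: Include files are not followed and parsing stops at the first
# Match block, so run it on the main file only.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive; DEFAULT is what OpenSSH uses when the keyword is absent.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0  { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # conditional section starts here
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: prints one line per failed check and returns the
# number of failures (0 means every recommendation is in effect).
# LoginGraceTime is skipped because it accepts several time formats (30, 30s, 1m).
audit_sshd_config() {
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    port=$(effective_value "$1" Port 22)
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    tries=$(effective_value "$1" MaxAuthTries 6)
    allow=$(effective_value "$1" AllowUsers "")
    [ "$port" != 22 ] || fail "Port is still 22"
    [ "$root" = no ] || fail "PermitRootLogin is '$root'"
    [ "$pass" = no ] || fail "PasswordAuthentication is '$pass'"
    [ "$tries" -le 3 ] 2>/dev/null || fail "MaxAuthTries is '$tries'"
    [ -n "$allow" ] || fail "AllowUsers is not set"
    return "$fails"
}

# Constructed sample: the late "PasswordAuthentication no" has no effect
# because an earlier line already set the keyword.
sample=$(mktemp)
printf '%s\n' 'port 2222' 'PermitRootLogin no' 'PasswordAuthentication yes' \
    'MaxAuthTries 3' 'AllowUsers john marie' 'PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

On a live server, sudo sshd -T prints the full effective configuration, including defaults and included files, and is the authoritative source to compare against.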
Summary
Custom port, disabled root login, SSH key authentication — these are the four settings that do the heavy lifting to secure access to your VPS. Next, check out our article on UFW if you haven't already — the two work well together.