Securing SSH Access on a New Server
The first thing to do when you set up a new server is to harden SSH access: disable root login, change the default port, restrict which users can connect, and enforce key-based authentication.
1. Create a new user
Log in as root and create a new non-root user:
adduser pippo
passwd pippo
2. Harden sshd_config
Locate and edit your SSH configuration file (usually /etc/ssh/sshd_config):
# Change the default port to reduce automated scanning noise
Port 22222
# Disable root login entirely
PermitRootLogin no
# Restrict which users can connect
# Only from a specific network:
# AllowUsers pippo@192.168.*.*
# From any network:
AllowUsers pippo
# Enforce key-based auth (disable password login)
PasswordAuthentication no
PubkeyAuthentication yes
# Disable empty passwords just in case
PermitEmptyPasswords no
# Disable PAM if you don't need it (optional but tightens control)
UsePAM no
3. Set up SSH key authentication
Before disabling password authentication, make sure you have key access set up, or you will lock yourself out.
On your local machine, generate an SSH key pair if you don’t have one:
ssh-keygen -t ed25519 -C "your_email@example.com"
# or RSA if ed25519 is not supported
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
This creates two files:
~/.ssh/id_ed25519 — your private key (never share this)
~/.ssh/id_ed25519.pub — your public key (this goes on the server)
Copy your public key to the server (while password auth is still on):
# On the server, as pippo:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "your_public_key_content" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
The permissions on ~/.ssh (700) and authorized_keys (600) are critical — with StrictModes (the default) sshd will silently ignore the keys if they are too permissive, and the client only sees a generic "Permission denied".
Verify key login works before disabling passwords:
ssh -p 22222 -i ~/.ssh/id_ed25519 pippo@remotehost
Only after confirming key login works, set PasswordAuthentication no in sshd_config and restart sshd.
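The key-installation and permission steps above, as an added example that is not part of the original post: two small POSIX shell functions that install a public key idempotently (re-running does not duplicate it) and verify the 700/600 modes the post requires. The home directory is a parameter so the functions can be tried on a scratch directory; on a real server you would pass the user's home (for example /home/pippo). The `file_mode` helper's GNU/BSD `stat` fallback is my assumption about the platforms involved.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key for a user
# idempotently and verify the ~/.ssh permissions the post recommends. sshd
# (with StrictModes, the default) rejects authorized_keys when the file or
# its parent directories are writable by group or others; 700/600 is the
# safe setting. HOME_DIR is a parameter so this can run on a scratch dir.

# install_authorized_key HOME_DIR PUBKEY_LINE
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Append only when this exact line is absent, so re-running the script
    # does not pile up duplicate keys.
    if ! grep -qxF -- "$pubkey" "$auth_keys"; then
        printf '%s\n' "$pubkey" >> "$auth_keys"
    fi
}

# file_mode PATH -> octal permission bits (GNU stat first, BSD stat fallback;
# assumption: one of the two is available)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# count_authorized_keys HOME_DIR -> number of lines in authorized_keys
count_authorized_keys() {
    grep -c '' "$1/.ssh/authorized_keys"
}

# check_ssh_perms HOME_DIR -> 0 when ~/.ssh is 700 and authorized_keys is
# 600, 1 otherwise (each problem is reported on stderr)
check_ssh_perms() {
    ssh_dir="$1/.ssh"
    auth_keys="$ssh_dir/authorized_keys"
    status=0

    if [ "$(file_mode "$ssh_dir")" != "700" ]; then
        echo "WARN: $ssh_dir should be mode 700" >&2
        status=1
    fi
    if [ "$(file_mode "$auth_keys")" != "600" ]; then
        echo "WARN: $auth_keys should be mode 600" >&2
        status=1
    fi
    return "$status"
}

# Typical use on the server, logged in as the target user, with the .pub
# content pasted from your local machine:
#   install_authorized_key "$HOME" "ssh-ed25519 AAAA... you@example.com"
#   check_ssh_perms "$HOME" && echo "permissions OK"
```

Run `check_ssh_perms "$HOME"` again after any manual edit to `~/.ssh`; a stray `chmod -R` or a copied-in file with loose permissions is the usual reason key login "stops working" with no server-side change.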
4. Verify the configuration
Test everything from a new shell (keep your current session open in case something goes wrong):
# Login with key auth
ssh -p 22222 pippo@remotehost
# Expected: success
# Try root login (should fail)
ssh -p 22222 root@remotehost
# Expected: Permission denied
# Try default port (should fail)
ssh pippo@remotehost
# Expected: Connection refused
# Try password login (should fail if PasswordAuthentication no)
ssh -p 22222 -o PasswordAuthentication=yes -o PubkeyAuthentication=no pippo@remotehost
# Expected: Permission denied
# You can also inspect the final resolved SSH configuration to double-check (run as root):
sshd -T
5. Restart the SSH service
# systemd-based (Ubuntu, Debian, modern CentOS/RHEL)
systemctl restart sshd
# older CentOS/RHEL
service sshd restart
Quick security checklist
- Root login disabled (PermitRootLogin no)
- Non-default port in use (Port 22222)
- Only specific users allowed (AllowUsers)
- Password authentication disabled (PasswordAuthentication no)
- Key pair uses a strong algorithm (ed25519 or rsa-4096)
- authorized_keys permissions are correct (600)
- ~/.ssh directory permissions are correct (700)
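The sshd_config settings from step 2, the `sshd -T` check from step 4 and this checklist can be verified in one pass. As an added example that is not part of the original post, the script below reads a saved `sshd -T` dump (one lowercase "keyword value" pair per line, as OpenSSH prints it) and audits it against the checklist. The two sample dumps are constructed for demonstration, not captured from a real host; the function and file names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit the effective sshd
# configuration against the hardening checklist. On the server, run
# `sshd -T` as root, save its output to a file, and pass that file to
# audit_sshd_config. The sample dumps below are constructed, not real.

# effective_value FILE KEYWORD -> prints KEYWORD's value, nothing if absent
effective_value() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# check_equals FILE KEYWORD WANTED -> 0 on match, 1 (plus a FAIL line) otherwise
check_equals() {
    got=$(effective_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        return 0
    fi
    echo "FAIL: $2 is '${got:-unset}', expected '$3'" >&2
    return 1
}

# audit_sshd_config FILE -> 0 when every checklist item passes, 1 otherwise
audit_sshd_config() {
    cfg=$1
    failures=0

    for want in permitrootlogin=no passwordauthentication=no \
                pubkeyauthentication=yes permitemptypasswords=no; do
        check_equals "$cfg" "${want%%=*}" "${want#*=}" || failures=$((failures + 1))
    done

    # Any port other than 22 counts as "non-default" for this checklist.
    port=$(effective_value "$cfg" port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: port is '${port:-unset}', expected a non-default port" >&2
        failures=$((failures + 1))
    fi

    # sshd -T prints allowusers only when it is set; absence means no user
    # restriction at all, which the checklist treats as a failure.
    if [ -z "$(effective_value "$cfg" allowusers)" ]; then
        echo "FAIL: allowusers is unset, expected an explicit user list" >&2
        failures=$((failures + 1))
    fi

    [ "$failures" -eq 0 ]
}

# write_hardened_sample FILE: constructed dump matching the settings above
write_hardened_sample() {
    cat > "$1" <<'EOF'
port 22222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
usepam no
allowusers pippo
EOF
}

# write_default_sample FILE: constructed dump of a stock, unhardened sshd
write_default_sample() {
    cat > "$1" <<'EOF'
port 22
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no
usepam yes
EOF
}

# Usage on a real server (as root):
#   sshd -T > /tmp/sshd.effective && audit_sshd_config /tmp/sshd.effective
```

Auditing `sshd -T` output rather than grepping sshd_config catches the cases a file grep misses: a later `Match` block or an included drop-in under /etc/ssh/sshd_config.d overriding your setting, or a typo that left the daemon at its compiled-in default.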