SingleJump

How to Secure SSH Access on a Linux Server (Ubuntu & Red Hat)

This guide explains how to secure SSH access on Linux servers (Ubuntu, Debian, Red Hat, CentOS, Alma Linux, and Rocky Linux) by reducing public exposure, disabling password authentication, enforcing SSH key-based access, and validating security using an external SSH exposure scanning tool.

Exposing SSH directly to the public internet is one of the most common and dangerous Linux server misconfigurations.

Automated brute-force attacks, credential stuffing, and internet-wide scanners continuously search for publicly accessible SSH ports. Any server exposing SSH without proper restrictions becomes an easy target.

In this guide, you will learn how to properly harden SSH on Linux servers by:

  • Checking whether your SSH port is publicly exposed
  • Restricting SSH access using a firewall
  • Disabling password-based authentication
  • Enforcing SSH key-only access
  • Changing the default SSH port
  • Applying all steps on Ubuntu/Debian and Red Hat–based distributions

Step 1: Check if your SSH port is publicly exposed

Before making any configuration changes, you should verify whether your server is currently exposing SSH to the public internet.

You can perform this verification using an external SSH exposure scanner such as the free tool provided by SingleJump:

👉 https://www.singlejump.com/tools/

Enter your server’s public IP address and the tool will report whether port 22 (or any custom SSH port) is reachable from the internet.

If SSH is accessible from anywhere, this indicates unnecessary exposure and represents a significant security risk.

 

Step 2: Enable a firewall and restrict SSH access

The objective of this step is simple and critical:

Allow SSH connections only from trusted IP addresses and block all other incoming SSH traffic.

Ubuntu / Debian — Using UFW

Ubuntu / Debian (UFW)
# Deny all other incoming traffic by default
sudo ufw default deny incoming

# Allow SSH ONLY from a trusted IP address
sudo ufw allow from 203.0.113.10 to any port 22 proto tcp

# (Optional) Allow SSH from additional trusted IPs
sudo ufw allow from 198.51.100.25 to any port 22 proto tcp

# Enable the firewall last, once the allow rules exist, so the
# SSH session you are working in is not cut off
sudo ufw enable

# Verify firewall rules
sudo ufw status verbose

Replace 203.0.113.10 with the public IP address of the machine you connect from.
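A restricted rule does not help if an older rule such as a plain "allow 22" or the OpenSSH application profile is still present, because that rule keeps SSH open to every source. The following check is an added example, not part of the original guide: the function name find_open_ssh_rules and both sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide).
# Reads `ufw status` output on stdin and prints every rule that still
# allows the SSH port from any source. Returns 1 if such a rule exists.
# Usage on a real host: sudo ufw status | find_open_ssh_rules 22
find_open_ssh_rules() {
    port="${1:-22}"
    awk -v port="$port" '
        # Column 1 is the target: "22", "22/tcp" or the "OpenSSH" app profile
        ($1 == port || $1 == port "/tcp" || ($1 == "OpenSSH" && port == 22)) &&
        /ALLOW/ && /Anywhere/ { print; open = 1 }
        END { exit open + 0 }
    '
}

# Constructed sample: a leftover open rule next to the restricted one
UFW_LEFTOVER='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       203.0.113.10
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Constructed sample: only the trusted addresses from Step 2 are allowed
UFW_RESTRICTED='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       203.0.113.10
22/tcp                     ALLOW       198.51.100.25'

printf '%s\n' "$UFW_LEFTOVER" | find_open_ssh_rules 22 \
    || echo "SSH is still open to any source: delete the rules listed above"
printf '%s\n' "$UFW_RESTRICTED" | find_open_ssh_rules 22 \
    && echo "SSH is limited to the listed source addresses"
```

Rules reported by the check can be removed with sudo ufw delete followed by the original rule, for example sudo ufw delete allow 22/tcp.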

Red Hat / CentOS / Alma / Rocky — Using firewalld

RHEL / CentOS / Alma / Rocky (firewalld)
# Enable and start firewalld
sudo systemctl enable firewalld
sudo systemctl start firewalld

# Allow SSH only from a trusted IP address
sudo firewall-cmd --permanent \
  --add-rich-rule='rule family="ipv4" source address="203.0.113.10" port protocol="tcp" port="22" accept'

# The default public zone also allows the ssh service from any source;
# remove it so that only the rich rule above grants access
sudo firewall-cmd --permanent --remove-service=ssh

# Reload firewall rules
sudo firewall-cmd --reload

# Verify active rules
sudo firewall-cmd --list-all

Step 3: Create an SSH key pair on the client machine

Password-based authentication should never be used on production servers. SSH keys provide significantly stronger security and are resistant to brute-force attacks.

On your local machine, generate a modern SSH key pair:

Generate an SSH key (recommended: ed25519)
ssh-keygen -t ed25519 -C "my-secure-key"

Always protect your private key with a strong passphrase.

Step 4: Install the public SSH key on the server

Automatic method (recommended)

Install the public key automatically
ssh-copy-id user@your-server-ip

Manual method

Manual authorized_keys setup (server side)
# Create SSH directory if it does not exist
mkdir -p ~/.ssh

# Secure directory permissions
chmod 700 ~/.ssh

# Edit authorized_keys file
nano ~/.ssh/authorized_keys

# Secure file permissions
chmod 600 ~/.ssh/authorized_keys

Paste the public key (id_ed25519.pub) into the authorized_keys file.

Verify that SSH key-based authentication works before continuing.

 

Step 5: Disable password authentication in SSH

Once SSH key authentication is confirmed, password-based logins should be fully disabled to shut out password-guessing attacks.

Edit the SSH daemon configuration file:

Edit sshd configuration
sudo nano /etc/ssh/sshd_config

Ensure the following settings are present:

Harden SSH authentication settings
# Disable password authentication
PasswordAuthentication no

# Enable public key authentication
PubkeyAuthentication yes

Restart the SSH service

Restart SSH
# On Ubuntu / Debian the unit is named ssh; use: sudo systemctl restart ssh
sudo systemctl restart sshd

⚠️ Do not close your current SSH session until you have verified that key-based access works correctly.
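Editing /etc/ssh/sshd_config is not always enough: sshd uses the first value it reads for each keyword, so a file pulled in by an Include line (for example under /etc/ssh/sshd_config.d/) can override the edit. The check below is an added example, not part of the original guide; it reads the effective configuration printed by sshd -T, and the function name audit_sshd and both sample outputs are constructed for illustration. It goes one step beyond the two settings above by also checking keyboard-interactive authentication.

```sh
#!/bin/sh
# Added example (not from the original guide).
# Reads `sshd -T` output (the effective configuration, after Include files
# and defaults are applied) on stdin and checks the Step 5 settings.
# Prints one FAIL line per problem; returns 0 only if none are found.
# Usage on a real host: sudo sshd -T | audit_sshd
audit_sshd() {
    awk '
        function need(key, want,    got) {
            got = (key in val) ? val[key] : "unset"
            if (got != want) {
                printf "FAIL %s=%s (want %s)\n", key, got, want
                bad = 1
            }
        }
        { val[$1] = $2 }   # sshd -T prints "keyword value", keywords in lowercase
        END {
            need("passwordauthentication", "no")
            need("pubkeyauthentication", "yes")
            # Beyond the guide: keyboard-interactive can still prompt
            # for a password through PAM
            need("kbdinteractiveauthentication", "no")
            exit bad + 0
        }
    '
}

# Constructed sample: an included file has re-enabled password logins
SSHD_T_OVERRIDDEN='port 22
passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication no'

# Constructed sample: the settings from Step 5 are in effect
SSHD_T_HARDENED='port 22
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no'

printf '%s\n' "$SSHD_T_OVERRIDDEN" | audit_sshd \
    || echo "password logins are still possible"
printf '%s\n' "$SSHD_T_HARDENED" | audit_sshd \
    && echo "effective configuration matches Step 5"
```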

 

Step 6: Change the default SSH port

Changing the default SSH port does not replace proper authentication or firewall rules, but it significantly reduces noise from automated bots scanning port 22.

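Change the SSH listening port
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config

# Example custom port
Port 2222

Before restarting, allow the new port from your trusted IP addresses in the firewall rules from Step 2; otherwise the firewall will block the new port and lock you out. On Red Hat-based systems with SELinux enforcing, sshd must also be permitted to bind to the new port.

Restart SSH after port change
sudo systemctl restart sshd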
