Digital Universe
Security | 2025-02-28 | 7 min read

SSH Hardening: How to Secure Your VPS in 10 Minutes

Essential SSH security configuration for any VPS. Covers key-only auth, port changes, fail2ban, and the exact sshd_config settings you need.

Why SSH Hardening Is Non-Negotiable

Within minutes of your VPS going online, automated bots will begin probing port 22 with common usernames and passwords. Without hardening, it's only a matter of time before someone gets in.

Here's how to lock it down properly.

Step 1: Change the SSH Port

The default port 22 gets hammered. Moving to a non-standard port eliminates the vast majority of automated attacks.

sudo nano /etc/ssh/sshd_config

Find and change:

Port 2222

Choose a port above 1024 and below 65535. We use 2222 by convention, but any unused port works.

Step 2: Disable Root Login

PermitRootLogin no

This forces attackers to guess both a username and a key, rather than just targeting root.

Step 3: Disable Password Authentication

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no

With these settings, only users with a valid SSH key can connect. Password brute-forcing becomes impossible.

Step 4: Limit Login Attempts

MaxAuthTries 3
LoginGraceTime 30

MaxAuthTries caps the number of authentication attempts allowed per connection; LoginGraceTime drops any connection that has not authenticated within that many seconds.

Step 5: Restart SSH

sudo systemctl restart sshd

Critical: Before restarting, open a second terminal and verify you can still connect. If you lock yourself out, you'll need Hetzner's console access to recover.

Step 6: Install fail2ban

fail2ban monitors log files and bans IPs that show malicious activity.

sudo apt install fail2ban -y

Create a local config:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Key settings to adjust:

[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
findtime = 600

Step 7: Configure the Firewall

Using UFW (Uncomplicated Firewall):

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp comment 'SSH'
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
sudo ufw enable

Verification

After applying all changes, verify:

# Check SSH is listening on the new port
sudo ss -tlnp | grep ssh

# Check fail2ban is running
sudo fail2ban-client status sshd

# Check firewall status
sudo ufw status verbose
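The checks above confirm the services are up, but not that sshd_config actually carries the settings from Steps 1 to 4. The following audit script is an added example, not part of the original post: it takes the path of an sshd_config file as its argument, reads the first occurrence of each keyword the way sshd does (ignoring comments and Match blocks), and compares unset keywords against the OpenSSH defaults assumed in the comments.

```shell
#!/bin/sh
# Added audit script (not from the original post): reads an sshd_config file and
# checks the settings from Steps 1-4. sshd honours the FIRST occurrence of a
# keyword, so the parser takes the first match and skips Match blocks entirely.
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config   (exit status = number of failures)

# effective_value FILE KEYWORD -> prints the first value set for KEYWORD (case-insensitive)
effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*(#|$)/         { next }                 # comment or blank line
        tolower($1) == "match" { in_match = 1; next }   # conditional block starts here
        in_match               { next }                 # skip everything inside it
        tolower($1) == key     { print $2; exit }       # first occurrence wins
    ' "$1"
}

# check LABEL WANT GOT -> prints a result line, returns 1 on mismatch
check() {
    if [ "$3" = "$2" ]; then echo "OK   $1 $3"; return 0; fi
    echo "FAIL $1 $3 (want $2)"; return 1
}

# audit_sshd_config FILE -> one line per check; return value = number of failures.
# Unset keywords are compared against assumed OpenSSH defaults (Port 22,
# PermitRootLogin prohibit-password, passwords on, MaxAuthTries 6).
audit_sshd_config() {
    f=$1; fails=0
    port=$(effective_value "$f" Port)
    if [ "${port:-22}" -gt 1024 ] 2>/dev/null && [ "${port:-22}" -lt 65535 ] 2>/dev/null; then
        echo "OK   Port $port"
    else
        echo "FAIL Port ${port:-22} (Step 1: use an unused port above 1024)"; fails=$((fails+1))
    fi
    v=$(effective_value "$f" PermitRootLogin)
    check PermitRootLogin no "${v:-prohibit-password}" || fails=$((fails+1))
    v=$(effective_value "$f" PasswordAuthentication)
    check PasswordAuthentication no "${v:-yes}" || fails=$((fails+1))
    v=$(effective_value "$f" PubkeyAuthentication)
    check PubkeyAuthentication yes "${v:-yes}" || fails=$((fails+1))
    v=$(effective_value "$f" ChallengeResponseAuthentication)
    check ChallengeResponseAuthentication no "${v:-yes}" || fails=$((fails+1))
    v=$(effective_value "$f" MaxAuthTries)
    if [ "${v:-6}" -le 3 ] 2>/dev/null; then echo "OK   MaxAuthTries ${v:-6}"
    else echo "FAIL MaxAuthTries ${v:-6} (Step 4: want 3 or fewer)"; fails=$((fails+1)); fi
    return $fails
}

if [ $# -gt 0 ]; then audit_sshd_config "$1"; fi
```

Run it before the restart in Step 5 to catch a typo in the file, and again afterwards against the live config to confirm nothing was reverted.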

The Result

With these changes applied:

  • 99% of automated attacks are eliminated (port change)
  • Password brute-forcing is impossible (key-only auth)
  • Persistent attackers get auto-banned (fail2ban)
  • Only necessary ports are accessible (firewall)

This entire process takes about 10 minutes and is the single most important thing you can do for your server's security.

Want the complete security playbook? Our full guide includes additional hardening steps, intrusion detection, and monitoring configuration.

Tags: ssh, security, hardening, vps, fail2ban

Want the Complete Setup Guide?

This blog post covers the basics. Our premium guide includes step-by-step commands, exact configurations, and the solutions to every gotcha we encountered.