Configuring the SSH Server
A practical guide to hardening sshd_config: disable root login, enforce key-only auth, restrict users, and tune the most important SSH server settings.
We covered what SSH is and how key pairs work. Now let's configure the server itself. A default SSH installation is functional but not hardened: it accepts password logins, still lets root log in with a key (PermitRootLogin defaults to prohibit-password), and listens on the well-known port 22. Let's fix that.
The file we’ll be editing: /etc/ssh/sshd_config
After making changes, restart the SSH daemon. The unit is named sshd on RHEL, Fedora and Arch, and ssh on Debian and Ubuntu (where sshd works as an alias once the service is enabled):
sudo systemctl restart sshd
A restart does not kill established sessions, so keep the session you are editing from open, then confirm a fresh login from a second terminal before you close it. If the new login fails you still have a shell to revert the change.
Port
Port 2222
Changing the default port from 22 doesn't add real security, but it eliminates most of the noise from automated bots that constantly scan port 22, so your logs get dramatically cleaner. Two caveats. Ports above 1023 are unprivileged, so if sshd is ever down any local user could bind 2222 and impersonate it; if that matters to you, pick a port below 1024. And the new port has to be reachable: open it in the firewall before restarting, label it on SELinux systems (semanage port -a -t ssh_port_t -p tcp 2222), and on Ubuntu 22.10 and later, where sshd is socket-activated by default, set the port in the socket unit (systemctl edit ssh.socket, with an empty ListenStream= followed by ListenStream=2222), because there the socket, not sshd_config, decides where sshd listens.
AddressFamily
AddressFamily inet
inet = IPv4 only. Use inet6 for IPv6 only, or any for both. If you’re not using IPv6, lock it to IPv4.
PermitRootLogin
PermitRootLogin no
Critical. Never allow direct root login over SSH. Log in as a regular user and escalate with sudo when needed: every action is then tied to a named account, and a stolen key or password compromises one user rather than the whole host. The upstream default since OpenSSH 7.0 is prohibit-password (root may still log in with a key); no blocks keys too. If some automation genuinely must run as root over SSH, forced-commands-only is the next best value: it restricts root to keys that carry a command= option in authorized_keys.
PubkeyAuthentication
PubkeyAuthentication yes
Enables key-based authentication. This needs to be on if you followed part 2 of this series.
AuthorizedKeysFile
AuthorizedKeysFile .ssh/authorized_keys
Path where the server looks for authorized public keys, relative to the user's home directory. The default is fine; just make sure the file exists and that its permissions satisfy StrictModes (on by default): the home directory, ~/.ssh and authorized_keys must be owned by the user (or root) and must not be writable by group or others. The usual choice is chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys (644 on the file also passes; what matters is that nobody else can write to it). Get this wrong and sshd ignores the file: the client just sees its key refused, while the server logs "bad ownership or modes". Check it before you turn passwords off, while a failed key login is still recoverable.
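What "correct permissions" means in practice is exactly what StrictModes verifies. The script below, an added example rather than code from the original post, reproduces those checks for a given home directory so you can run it before disabling passwords. It assumes GNU stat (Linux) and that the home directory is owned by the account that logs in: it uses the home directory's owner as the expected uid, where sshd uses the account's passwd entry.

```sh
#!/bin/sh
# Added example, not from the original post: reproduce the ownership and
# permission checks sshd's StrictModes (default: yes) applies before it trusts
# ~/.ssh/authorized_keys. sshd walks from the key file up to the home directory
# and refuses the file if any of those paths is writable by group or others, or
# is owned by someone other than the user or root.
# Usage: sh check_ssh_perms.sh /home/b4rt   (exit status = number of findings)

# not_writable_by_others PATH: true if neither group nor others may write PATH.
# stat -c %A prints e.g. "drwxr-xr-x"; position 6 is group-write, 9 is other-write.
not_writable_by_others() {
    perms=$(stat -c '%A' "$1") || return 1
    case "$perms" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# owned_by_user_or_root PATH UID: true if PATH belongs to UID or to root.
owned_by_user_or_root() {
    uid=$(stat -c '%u' "$1") || return 1
    [ "$uid" = "$2" ] || [ "$uid" = 0 ]
}

# check_ssh_perms HOME: prints one line per finding; returns the number of
# findings, so 0 means sshd with StrictModes yes would accept the key file.
check_ssh_perms() {
    home=$1
    keys="$home/.ssh/authorized_keys"
    findings=0
    if [ ! -f "$keys" ]; then
        echo "missing: $keys"
        return 1
    fi
    # Assumption (see lead-in): the home directory's owner is the login user.
    home_uid=$(stat -c '%u' "$home")
    for path in "$home" "$home/.ssh" "$keys"; do
        if ! not_writable_by_others "$path"; then
            echo "writable by group/others: $path ($(stat -c '%A' "$path"))"
            findings=$((findings + 1))
        fi
        if ! owned_by_user_or_root "$path" "$home_uid"; then
            echo "bad owner: $path (owned by $(stat -c '%U' "$path"))"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Run against a home directory given on the command line.
if [ $# -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

A clean run prints nothing and exits 0; each finding is one line naming the path and its current mode or owner, which is the same information sshd puts in its "bad ownership or modes" log entry.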
PasswordAuthentication
PasswordAuthentication no
Once your keys are working, disable password authentication entirely. This is the most important hardening step: with no password path, credential guessing has nothing to guess against. On its own it is not quite complete, though. With UsePAM yes (the distribution default) PAM can still prompt for a password through the keyboard-interactive method, so pair this with KbdInteractiveAuthentication no (spelled ChallengeResponseAuthentication no on OpenSSH before 8.7; see UsePAM below). If you want the server pinned to keys regardless of what else is enabled, AuthenticationMethods publickey does that. Verify a key login from a second session before you close the one you edited from.
AllowUsers
AllowUsers b4rt deploy
Allow-list specific users permitted to log in via SSH. Anyone not on this list is rejected even with valid credentials (sshd logs "not allowed because not listed in AllowUsers" and then treats the login as an invalid user). Entries may be patterns and user@host pairs, so deploy@10.0.0.5 limits an account to one source address. Put your own account on the list before you restart.
AllowGroups
AllowGroups sshusers
Alternative to AllowUsers: restrict access to members of a specific group (primary or supplementary). Useful when you have many users to manage, because granting access is then usermod -aG sshusers name with no sshd change. If you set both directives, a login must pass every one that is active; sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, so a user listed in AllowUsers who is not in an allowed group is still rejected, and a Deny match always wins.
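The interaction between the four directives is easy to get wrong when more than one is set. The script below is an added example, not code from the original post: it models the order in which sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups for a given user and group list, using the same * and ? wildcards sshd accepts. It is a constructed simplification: the user@host form of AllowUsers and DenyUsers is not modelled, only the user name is matched, and the group list is something you supply (for a real account, id -Gn USER).

```sh
#!/bin/sh
# Added example, not from the original post: a model of sshd's evaluation
# order for DenyUsers, AllowUsers, DenyGroups and AllowGroups.
# Usage: login_allowed USER "GROUPS" "DENYUSERS" "ALLOWUSERS" "DENYGROUPS" "ALLOWGROUPS"
#   Each list is space separated; an empty string means the directive is unset.
#   Returns 0 if the login would be allowed, 1 if it would be rejected.
# Simplification (see lead-in): user@host entries are not modelled.

# matches_any NAME "pat1 pat2 ...": 0 if NAME matches at least one pattern.
# set -f stops the shell from expanding a pattern like "dep*" against the
# filesystem while the list is being split into words.
matches_any() {
    name=$1
    set -f
    for pat in $2; do
        case "$name" in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# any_group_matches "g1 g2 ..." "pat1 pat2 ...": 0 if any group matches.
any_group_matches() {
    for group in $1; do
        if matches_any "$group" "$2"; then
            return 0
        fi
    done
    return 1
}

login_allowed() {
    user=$1 groups=$2 denyusers=$3 allowusers=$4 denygroups=$5 allowgroups=$6
    # 1. DenyUsers: a match rejects, whatever the later directives say.
    if [ -n "$denyusers" ] && matches_any "$user" "$denyusers"; then return 1; fi
    # 2. AllowUsers: if set, the user must be listed.
    if [ -n "$allowusers" ] && ! matches_any "$user" "$allowusers"; then return 1; fi
    # 3. DenyGroups: any primary or supplementary group on the list rejects.
    if [ -n "$denygroups" ] && any_group_matches "$groups" "$denygroups"; then return 1; fi
    # 4. AllowGroups: if set, at least one of the user's groups must be listed.
    if [ -n "$allowgroups" ] && ! any_group_matches "$groups" "$allowgroups"; then return 1; fi
    return 0
}

# Example from the post: AllowUsers b4rt deploy plus AllowGroups sshusers.
# b4rt is on AllowUsers but not in sshusers, so the login is still rejected.
if [ $# -eq 0 ]; then
    if login_allowed b4rt "b4rt" "" "b4rt deploy" "" "sshusers"; then
        echo "b4rt: allowed"
    else
        echo "b4rt: rejected (listed in AllowUsers, but not a member of an AllowGroups group)"
    fi
fi
```

The point the model makes visible: each directive that is set is an independent gate, and the deny gates come first. To let a single account through both AllowUsers and AllowGroups, it has to satisfy both.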
PermitEmptyPasswords
PermitEmptyPasswords no
Never allow accounts with empty passwords to log in. Should always be no.
MaxAuthTries
MaxAuthTries 3
Maximum authentication attempts per connection. After 3 failures the connection is dropped, and failures beyond half the limit are logged. This slows guessing down but does not stop it (an attacker simply reconnects), so treat it as log hygiene alongside PasswordAuthentication no rather than as a defence. One caveat: every public key the client offers counts as an attempt, so a user with several keys loaded in ssh-agent can be cut off with "Too many authentication failures" before the right key is tried. The fix is client-side: IdentitiesOnly yes together with the correct IdentityFile in ~/.ssh/config.
UsePAM
UsePAM yes
Keep PAM enabled. On Linux the distribution's PAM stack for sshd is what performs account checks (locked or expired accounts) and session setup (pam_limits, pam_systemd, pam_loginuid, pam_env); UsePAM no switches all of that off, and Red Hat based distributions explicitly don't support running that way. The real hardening concern with PAM is different: while it is enabled it can still ask for a password through the keyboard-interactive method, even with PasswordAuthentication no. Close that path explicitly:
KbdInteractiveAuthentication no
On OpenSSH older than 8.7 the directive is spelled ChallengeResponseAuthentication; newer versions accept both names. With PasswordAuthentication no and KbdInteractiveAuthentication no, PAM still does account and session processing but is never consulted as an authentication method.
X11Forwarding
X11Forwarding no
Unless you need to forward GUI applications over SSH (rare on servers), disable this. A forwarded X11 connection also gives a compromised server a channel back into the client's display, so it is unnecessary attack surface on both ends.
UsePrivilegeSeparation
UsePrivilegeSeparation was removed as a tunable in OpenSSH 7.5 (2017): privilege separation is now always on and cannot be switched off, so leave this directive out of your config. Current versions still accept the keyword but log a deprecation warning. The design it used to control is still in effect: the pre-authentication part of the daemon runs as a dedicated unprivileged user, chrooted into an empty directory and sandboxed, so a bug in the network-facing code does not hand an attacker root.
KexAlgorithms, Ciphers and MACs
For a modern hardened setup, restrict to strong algorithms only:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
This disables older, weaker algorithms that are still enabled by default in many distributions. A few notes. Both ciphers listed are AEAD ciphers that authenticate their own data, so the MACs line is only consulted if you later add a non-AEAD cipher such as aes256-ctr; the -etm (encrypt-then-MAC) variants are the right ones for that case. curve25519-sha256 is listed under both its standard name and the older @libssh.org spelling so that clients which only know the latter can still connect. diffie-hellman-group14-sha256 (2048-bit) is the floor; if all your clients are recent, diffie-hellman-group16-sha512 is stronger, and OpenSSH 9.0 and later can additionally offer the post-quantum hybrid sntrup761x25519-sha512@openssh.com. Finally, sshd refuses to start if any listed algorithm is unknown to the installed version, so compare your lists against ssh -Q kex, ssh -Q cipher and ssh -Q mac, and run sshd -t before restarting.
Final hardened sshd_config example
Port 2222
AddressFamily inet
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AllowUsers b4rt
MaxAuthTries 3
UsePAM yes
X11Forwarding no
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
Test the config before restarting. sshd -t validates the syntax and rejects unknown directives or algorithms; sshd -T prints the effective configuration after defaults and any Include files have been applied, which is the easiest way to confirm a value was not overridden elsewhere. That matters because sshd uses the first value it sees for each keyword, and Debian and Ubuntu include /etc/ssh/sshd_config.d/*.conf at the top of the file, so a PasswordAuthentication yes dropped there by cloud-init silently wins over yours further down.
sudo sshd -t
If no errors, apply it (from a session you keep open, then confirm a fresh login in another terminal):
sudo systemctl restart sshd
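To confirm the running daemon really has these values, dump the effective configuration with sudo sshd -T and compare it to what you intended. The script below is an added example, not the post's own code, and its table of expected values is the example's own reading of this post's hardened config (including UsePAM yes with KbdInteractiveAuthentication no, so PAM handles accounts and sessions but can never prompt for a password); edit that table to match your policy. It reads a saved dump or standard input when given -, so sudo sshd -T | sh audit_sshd.sh - works. Two caveats: sshd -T only evaluates Match blocks when you pass -C user=...,host=...,addr=..., and OpenSSH before 8.7 prints challengeresponseauthentication instead of kbdinteractiveauthentication, which this script reports as unset.

```sh
#!/bin/sh
# Added example, not from the original post: audit the effective sshd
# configuration (the output of sshd -T) against a list of expected values.
# sshd -T prints every setting in lowercase, one "key value" per line, after
# defaults and Include files are applied, so it catches a directive that was
# mistyped, overridden by an earlier line, or pulled in from sshd_config.d/.
# Usage: sudo sshd -T | sh audit_sshd.sh -        (read the dump from stdin)
#        sh audit_sshd.sh /tmp/sshd-effective.txt (read a saved dump)
# Exit status is the number of mismatches, so 0 means the dump matches.

# audit_sshd_dump FILE: print one "key: want X, got Y" line per mismatch and
# return the mismatch count. A key missing from the dump counts as a mismatch.
audit_sshd_dump() {
    dump=$(cat "$1") || return 1
    mismatches=0
    while read -r key want; do
        [ -n "$key" ] || continue
        # First line whose first field is the key; the rest of the line is the value.
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { sub(/^[^ ]+ */, ""); print; exit }')
        [ -n "$got" ] || got="(unset)"
        if [ "$got" != "$want" ]; then
            printf '%s: want "%s", got "%s"\n' "$key" "$want" "$got"
            mismatches=$((mismatches + 1))
        fi
    done <<'EOF'
port 2222
addressfamily inet
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
maxauthtries 3
usepam yes
x11forwarding no
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256
ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
EOF
    return $mismatches
}

if [ $# -gt 0 ]; then
    audit_sshd_dump "$1"
fi
```

Algorithm lists are compared exactly, including order, because sshd -T prints them in the preference order you configured. Run the audit once after every restart; the mismatch count is a convenient thing to wire into a config-management test or a cron job that alerts when the value drifts.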
That’s the SSH series. You now understand what SSH is, how key authentication works, and how to lock down the server itself.