Hardening SSH on a fresh Ubuntu box
The five-minute baseline I apply to every new server before it goes anywhere near a network.
Every server I spin up gets the same treatment before it does anything useful. Defaults are convenient; they are not secure. Here is the SSH baseline I drop in first.
Drop a hardening file, don’t edit the main config
I never touch /etc/ssh/sshd_config directly — I add a drop-in so upgrades don’t clobber my changes:
# /etc/ssh/sshd_config.d/99-hardening.conf
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
X11Forwarding no
MaxAuthTries 3
Then validate and reload:
sudo sshd -t && sudo systemctl reload ssh
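sshd -t only checks syntax. sshd keeps the first value it reads for each keyword, so a drop-in that sorts before 99-hardening.conf can still win, and sshd -T is what prints the settings actually in effect. The script below is an added example, not part of the original post: check_baseline is a hypothetical helper name, and the sample sshd -T output is constructed.

```shell
#!/bin/sh
# Added example: compare effective sshd settings with the baseline above.
# check_baseline (hypothetical name) reads `sshd -T` output on stdin.

# Expected effective values; sshd -T prints keywords in lowercase.
BASELINE='permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
x11forwarding no
maxauthtries 3'

check_baseline() {
    effective=$(cat)          # slurp the sshd -T output first
    rc=0
    while read -r key want; do
        # Value sshd reports for this keyword (empty if not printed).
        got=$(printf '%s\n' "$effective" |
              awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: effective=$got expected=$want"
            rc=1
        fi
    done <<EOF
$BASELINE
EOF
    return $rc
}

# Constructed sample: another drop-in re-enabled passwords ahead of ours.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
passwordauthentication yes
kbdinteractiveauthentication no
x11forwarding no
maxauthtries 3'

printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_baseline ||
    echo "baseline NOT in effect"

# On a real host: sudo sshd -T | check_baseline
```

Run it after the reload and before closing your working session; any MISMATCH line means another file in the config set the keyword first.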
Why these four matter
- No root login — forces an audit trail through named accounts and sudo.
- Keys only — kills password brute-forcing outright. Make sure your key works before you disable passwords.
- No X11 forwarding — removes an attack surface you almost never use on a server.
- MaxAuthTries 3 — fewer free guesses per connection.
The golden rule: open a second SSH session to confirm you can still log in before you close the first one. Locking yourself out of a remote box is a rite of passage you only need once.
That’s it — a minute of work that closes the most common door. Next time I’ll cover putting the whole thing behind a firewall that only trusts your management subnet.