How to Secure SSH Port in Linux

Securing SSH access is crucial to prevent unauthorized access to your server. This guide covers how to secure the SSH port for both Ubuntu and AlmaLinux, highlighting any OS-specific commands where necessary.

1. Change the Default SSH Port

Changing the default port (22) helps reduce automated attacks.

Step:

Edit the SSH configuration file:

# sudo nano /etc/ssh/sshd_config

Find and change:

Port 22

To something like:

Port 24357

Use a port number between 1024 and 65535.

Restart SSH Service:

  • Ubuntu:
# sudo systemctl restart ssh
  • AlmaLinux:
# sudo systemctl restart sshd

2. Update Firewall Rules

Allow the new port in the firewall before restarting the SSH service; otherwise the restart can lock you out of the server.

  • Ubuntu (UFW):
# sudo ufw allow 24357/tcp
# sudo ufw enable
  • AlmaLinux (firewalld):
# sudo firewall-cmd --permanent --add-port=24357/tcp
# sudo firewall-cmd --reload

3. Disable Root Login

Disabling root SSH login adds an extra layer of protection.

Edit SSH config:

# sudo nano /etc/ssh/sshd_config

Change or add:

PermitRootLogin no

Restart SSH.

4. Use SSH Key Authentication

SSH keys are more secure than password-based login.

Option A: Key Pair Generated while creating the VM.

While creating the virtual machine, choose the option to generate a new SSH key pair. A .pem file (e.g. MYSSHKey.pem) will be downloaded to your local machine.

Make sure the .pem file is readable only by its owner; if it is not, change the permissions:

# chmod 400 MYSSHKey.pem

To log in to your server using the key, go to the directory where the key was downloaded.

# cd Downloads/
# ssh -i MYSSHKey.pem root@your-server-ip -p 24357

Note: No password is needed when using key-based login with a .pem file provided by CloudPe.

Option B: Generate SSH Key Pair on Local Machine:

Run:

ssh-keygen -t rsa -b 4096

Your public key will be saved in ~/.ssh/id_rsa.pub and private key in ~/.ssh/id_rsa. Never share your private key.

Copy Public Key to Server:

Use ssh-copy-id (replace port, username, and IP):

ssh-copy-id -p 24357 root@your-server-ip

You will need to enter the user’s password during this step to copy the key.

Or manually copy the contents of ~/.ssh/id_rsa.pub into:

~/.ssh/authorized_keys

(on the server under the desired user’s home directory).

Set Proper Permissions:

# chmod 700 ~/.ssh
# chmod 600 ~/.ssh/authorized_keys

Disable Password Authentication:

Edit /etc/ssh/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Restart SSH Service.
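
To confirm that sshd really applies the values from sections 1, 3 and 4, check its effective configuration rather than the file you edited: sshd keeps the first value it reads for each keyword, so an earlier line or an included file can override your change. The script below is an added example, not part of the original guide; the function names and the sample input are constructed for illustration.

```shell
# Added example (not from the original guide): compare the settings sshd
# actually uses, as printed by `sshd -T`, with the values this guide sets.

# Values from the guide. Assumption: newer OpenSSH reports
# ChallengeResponseAuthentication as kbdinteractiveauthentication.
EXPECTED='port 24357
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
usepam no'

# first_value KEY TEXT: print the value of the first "KEY value" line in TEXT.
first_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# audit_sshd: read `sshd -T` style text on stdin and print one line per check.
# Returns 0 when every setting matches, 1 otherwise (body runs in a subshell).
audit_sshd() (
    effective=$(cat)
    rc=0
    while read -r key want; do
        got=$(first_value "$key" "$effective")
        # Older releases print the setting under its original name.
        if [ -z "$got" ] && [ "$key" = kbdinteractiveauthentication ]; then
            got=$(first_value challengeresponseauthentication "$effective")
        fi
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key: want '$want', got '${got:-unset}'"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    exit "$rc"
)

# Constructed sample: an earlier "PasswordAuthentication yes" took precedence.
SAMPLE_BAD='port 24357
permitrootlogin no
passwordauthentication yes
kbdinteractiveauthentication no
usepam no'
printf '%s\n' "$SAMPLE_BAD" | audit_sshd || true
# On a server: sudo sshd -t && sudo sshd -T | audit_sshd
```

Run the check from a second terminal while your current SSH session is still open, so a failed setting can be corrected before you disconnect.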

5. Install and Configure Fail2Ban

Fail2Ban helps prevent brute-force attacks.

Install Fail2Ban:

  • Ubuntu:
# sudo apt install fail2ban
  • AlmaLinux:
# sudo dnf install epel-release -y
# sudo dnf install fail2ban -y

Enable and Start Service:

# sudo systemctl enable fail2ban --now

Basic Configuration (Optional):

Create or edit /etc/fail2ban/jail.local and enable the SSH jail.
