Hardening SSH: Beyond the Basics of Secure Shell Configuration

SSH is the primary remote access tool for Linux servers, yet many administrators leave it configured with default settings that expose unnecessary attack surface. Going beyond basic password authentication to implement a hardened SSH configuration is essential for any production server.

Key Hardening Measures

Disable root login entirely by setting PermitRootLogin to no in sshd_config. Require key-based authentication and disable password logins by setting PasswordAuthentication to no. Restrict SSH access to specific users or groups with the AllowUsers or AllowGroups directive to limit who can connect.

Change the default port from 22 to a non-standard port to reduce automated brute-force attempts. While this is not a security measure on its own, it significantly decreases log noise. Implement fail2ban or similar intrusion prevention to automatically block IP addresses after repeated failed login attempts.

Enable two-factor authentication using the Google Authenticator PAM module for an additional layer of security. Configure an idle timeout with ClientAliveInterval and ClientAliveCountMax to automatically disconnect inactive sessions. Regularly audit your authorized_keys files to remove stale or unauthorized public keys.
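
One way to check a server against the sshd_config measures above, as an added example that is not part of the original post. The function names and the sample configuration are constructed for illustration; the script reads only the global section of a single file and does not follow Include directives. sshd uses the first value it reads for each keyword, so a hardening line appended below an older conflicting line has no effect, which is the case the sample shows.

```python
import re

# Keyword, then "=" or whitespace, then the value (sshd accepts both forms).
LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")

def parse_global(text):
    """Return ({keyword: first value}, has_match) for the global section."""
    settings, has_match = {}, False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                        # blank lines and comments do not match
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":               # conditional overrides start here
            has_match = True
            break
        settings.setdefault(key, value)  # sshd keeps the first value it reads
    return settings, has_match

def audit(text):
    """List deviations from the measures described in the article."""
    cfg, has_match = parse_global(text)
    findings = []
    for key in ("permitrootlogin", "passwordauthentication"):
        if cfg.get(key, "unset").lower() != "no":
            findings.append(f"{key}: expected 'no', found '{cfg.get(key, 'unset')}'")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers or AllowGroups restriction")
    if cfg.get("clientaliveinterval", "0") == "0":
        findings.append("clientaliveinterval: idle timeout not enabled")
    if "clientalivecountmax" not in cfg:
        findings.append("clientalivecountmax: not set explicitly")
    if has_match:
        findings.append("Match block present: review its overrides by hand")
    return findings

# Constructed sample: a hardening line appended below an older, conflicting one.
SAMPLE = """\
Port 2222
PermitRootLogin no
PasswordAuthentication yes
AllowGroups sshusers
ClientAliveInterval 300
ClientAliveCountMax 2
PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL", finding)
```

The same parser accepts the output of sshd -T, which prints the effective configuration after Include files are resolved.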
