Securing your Linux VPS is not just a recommendation—it’s a necessity. One of the most common attack vectors used by malicious actors is SSH (Secure Shell). Since SSH is the default method for remotely administering a VPS, hardening its access is a vital step toward building a robust and secure hosting environment. Whether you’re using a KVM VPS or an OpenVZ VPS, these SSH hardening methods apply across the board and will help reduce the risk of unauthorized access.
At Veeble, we provide secure and customizable VPS solutions built for performance and scalability. But no matter how secure the base is, it’s always crucial to configure the server properly once it’s deployed. Let’s explore how to harden SSH access on your Linux VPS to ensure that your infrastructure is protected from common threats.
Understanding SSH and Why It Needs Hardening
SSH is the protocol used to securely connect to your Linux VPS over an encrypted channel. By default, it listens on port 22 and accepts password-based authentication. Unfortunately, these default settings are widely known and frequently exploited by bots and hackers who attempt brute-force attacks to gain control over servers.
Hardening SSH access means making it more resistant to unauthorized login attempts while keeping it usable for legitimate administrators. This includes reconfiguring the port, disabling root login, setting up key-based authentication, and implementing intrusion prevention measures.
Change the Default SSH Port
Changing the default SSH port is one of the simplest ways to reduce exposure to automated bots scanning for port 22. By moving your SSH daemon to a non-standard port say, 2222 or 2244 you make it slightly harder for attackers to find an open door. While this is not a replacement for strong authentication, it effectively reduces noise in your logs from random bots.
To do this, edit your SSH configuration file (/etc/ssh/sshd_config) and modify the line:
Port 2222After saving the file, restart the SSH service and remember to allow the new port through your firewall (e.g., UFW, firewalld, or iptables). It’s a simple tweak, but part of a broader strategy to improve your VPS security posture.
Disable Root Login
The root user is the most powerful account on any Linux system. Allowing direct SSH login as root means that if someone guesses your password, they gain full control. Instead, it’s best practice to create a separate administrative user and give them sudo privileges.
In your SSH config file, locate the line:
PermitRootLogin noOnce this is set, only users with proper permissions can switch to root after logging in. This adds an extra layer of accountability and significantly lowers the risk of catastrophic system compromise.
Enable Key-Based Authentication
One of the most secure ways to access your VPS via SSH is by using public/private key authentication. Unlike passwords, which can be guessed or brute-forced, SSH keys are nearly impossible to crack using brute-force methods, especially when protected by a strong passphrase.
To set this up, generate a key pair on your local machine using:
ssh-keygen -t rsa -b 4096Then copy the public key to your VPS using ssh-copy-id or manually adding it to ~/.ssh/authorized_keys. Once key-based authentication is working, disable password authentication by editing your SSH config:
PasswordAuthentication noRemember to keep a backup of your private key, as losing it may lock you out of your VPS entirely.
Limit SSH Access by IP Address
For environments where you connect from a known location, like a corporate network or a VPN, it makes sense to restrict SSH access by IP. You can configure this in your firewall to only allow inbound connections from trusted IP addresses. In iptables, a simple rule might look like:
iptables -A INPUT -p tcp -s (your ip address) --dport 2222 -j ACCEPTThis adds a major layer of protection since even if someone tries to brute-force their way in, they won’t reach your server unless they’re connecting from an approved IP.
Use a Strong Firewall Policy
Firewalls like ufw or firewalld can help restrict unnecessary traffic from reaching your VPS. Start with a default-deny policy and allow only specific ports such as your SSH port and necessary services (HTTP, HTTPS, etc.).
For example, with UFW:
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp
ufw enableBy doing this, you ensure that only authorized traffic can interact with your server.
Implement Fail2Ban or SSHGuard
Intrusion prevention tools like Fail2Ban monitor log files and automatically ban IP addresses that show malicious signs—like repeated failed login attempts. These tools can be a lifesaver, especially for VPS users who might not have a dedicated security team.
Install and configure Fail2Ban with:
sudo apt install fail2banOnce installed, enable the SSH jail and set the desired ban time, retry limit, and action. This kind of proactive security helps protect your VPS around the clock.
Use Two-Factor Authentication (2FA) for SSH
For highly sensitive servers, consider adding two-factor authentication to SSH using tools like Google Authenticator or Duo. This ensures that even if a key or password is compromised, the attacker still cannot access your VPS without the second factor.
Keep SSH and OS Updated
Security isn’t just about configuration, it’s also about maintenance. Regularly update your Linux OS and SSH daemon to ensure you’re protected from known vulnerabilities. Apply patches as they become available, and subscribe to security mailing lists relevant to your Linux distribution.
At Veeble, our VPS hosting services—whether you are using KVM or OpenVZ—come with full root access and the flexibility to implement all these security measures. You can explore our KVM VPS plans designed for performance, scalability, and security-conscious professionals.
Final Thoughts
Securing your VPS starts with hardening your SSH access. Whether you’re on a KVM or OpenVZ platform, following these best practices ensures your server stays protected against brute-force attacks and unauthorized access. Use custom ports, disable root logins, implement key authentication, and layer on tools like firewalls and Fail2Ban to make your server truly resilient.
At Veeble, we empower you with robust VPS solutions and give you full control over your environment. If you’re looking for a secure, customizable, and high-performance Linux VPS, explore our hosting options and take the next step in your infrastructure journey.
