Login with your SSH key
Copy your public key to the server so that you can log in with the matching private key.
$ ssh-copy-id <user>@<server>
Any time you modify sshd_config(5), make sure to test the changes before you close the connection to your server. Reload the config with
systemctl reload sshd
and open a new SSH connection before doing anything else; keep the existing session open until the new one works.
Disallow root login and force protocol version 2.
PermitRootLogin no
Protocol 2
If you have copied your public key to the server, you can also disable password login:
PasswordAuthentication no
You may also choose to restrict SSH access to certain users.
If your server is internet-facing, it can also be useful to change the SSH port. It won’t save you if your server is specifically targeted, but most bot scans will skip a non-default port. Just pick a random port between 1025 and 65535.
Don’t forget to allow that port in the firewall, otherwise you’ll be locked out of your server for good.
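The steps above (edit sshd_config, check it, reload, reconnect) are easy to get wrong by hand: a second copy of a directive, or a line appended after a Match block, silently does nothing because sshd takes the first global occurrence of a key. The script below is an added example written for this page, not code from the guide's author; it sets each directive idempotently, keeps Match blocks untouched, reports the value sshd will actually use, and runs sshd's own syntax check when sshd is installed. The sample config, the port 2222 and the user alice are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original guide. Edits an sshd_config-style file
# idempotently and reports the value sshd would actually use. It assumes the
# OpenSSH "Key value" syntax: the first global occurrence of a key wins, and
# anything after a "Match" line is conditional and must not be touched.
set -eu

# set_directive FILE KEY VALUE
# Rewrites the first global line for KEY (even if it is commented out) or, when
# there is none, inserts "KEY VALUE" before the first Match block or at the end.
set_directive() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    BEGIN { seen = 0; in_match = 0; re = "^[# \t]*" tolower(k) "([ \t]|$)" }
    tolower($1) == "match" { if (!seen) { print k " " v; seen = 1 } in_match = 1 }
    !in_match && tolower($0) ~ re {
      if (!seen) { print k " " v; seen = 1 }   # first hit is replaced
      next                                      # later duplicates are dropped
    }
    { print }
    END { if (!seen) print k " " v }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# effective_value FILE KEY
# Prints the value sshd would use for KEY: the first global occurrence.
effective_value() {
  awk -v k="$2" '
    BEGIN { k = tolower(k) }
    tolower($1) == "match" { exit }
    tolower($1) == k { print $2; exit }
  ' "$1"
}

# validate FILE
# Runs sshd's own syntax check when sshd is installed; do this before
# "systemctl reload sshd" and before closing your working session.
validate() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not installed here; skipping syntax check" >&2
  fi
}

# harden FILE PORT ALLOWED_USER
# Applies the settings from the guide above: no root login, key-only login,
# a non-default port and a restricted user list.
harden() {
  set_directive "$1" PermitRootLogin no
  set_directive "$1" PasswordAuthentication no
  set_directive "$1" Port "$2"
  set_directive "$1" AllowUsers "$3"
}

# demo_config: writes a constructed sample file (not a real server's config)
# and prints its path.
demo_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed sample sshd_config
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
  printf '%s\n' "$f"
}

cfg=$(demo_config)
harden "$cfg" 2222 alice
validate "$cfg" || echo "fix the file before reloading sshd" >&2
for k in Port PermitRootLogin PasswordAuthentication AllowUsers; do
  printf '%s = %s\n' "$k" "$(effective_value "$cfg" "$k")"
done
rm -f "$cfg"
```

Point it at a copy of /etc/ssh/sshd_config rather than the live file, diff the result, and only then move it into place, reload and reconnect from a second terminal. One thing to keep in mind when moving the port: ports above 1023 can be bound by any local user, so on a multi-user box check that nothing else can claim the port you picked.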
Run ssh-audit to check for other vulnerabilities and recommendations. Keep at it until it’s all green.
Adding the following to sshd_config should be a good starting point:
KexAlgorithms email@example.com,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519
MACs firstname.lastname@example.org,email@example.com,firstname.lastname@example.org
The vendor-suffixed algorithm names (those ending in @openssh.com or @libssh.org) did not survive in this copy of the page and show up above as e-mail-like placeholders; take the exact lists from ssh-audit’s recommendations for your OpenSSH version.