SSH is the primary remote access method for Linux servers and is a common target for brute-force attacks. This guide walks through SSH hardening best practices on Ubuntu 24.04 LTS to significantly reduce your attack surface.
Tested and valid on:
- Ubuntu 24.04 LTS
Prerequisites
- Ubuntu 24.04 LTS server
- SSH key-based authentication already configured
- A user with sudo privileges
Step 1 – Back Up the SSH Config
Always back up before editing:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bakStep 2 – Change the Default SSH Port
Using a non-standard port reduces noise from automated scanners:
sudo nano /etc/ssh/sshd_configChange or set:
Port 2222Step 3 – Disable Root Login
Prevent direct root login over SSH:
PermitRootLogin noStep 4 – Disable Password Authentication
Enforce SSH key-based auth only:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yesStep 5 – Limit SSH Access to Specific Users
Whitelist allowed users:
AllowUsers youruserStep 6 – Set Connection Timeouts
Disconnect idle sessions:
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30Step 7 – Disable Unused Features
Disable TCP forwarding and X11 forwarding if not needed:
AllowTcpForwarding no
X11Forwarding no
GatewayPorts noStep 8 – Restart SSH and Update Firewall
Apply changes and update UFW for the new port:
sudo systemctl restart sshd
sudo ufw allow 2222/tcp
sudo ufw deny 22/tcpTest your new connection in a separate terminal before closing the current session.
Conclusion
SSH is now hardened on Ubuntu 24.04 LTS. Disabling password authentication and root login eliminates the most common SSH attack vectors. Pair this with Fail2Ban for additional protection.
