SSH is the primary remote administration protocol for Linux servers. A default SSH configuration leaves many attack vectors open: root login, password authentication, and broad listening options. This guide hardens SSH on Ubuntu 26.04 LTS using key-based authentication, restricted access, and fail2ban.
Tested and valid on:
- Ubuntu 26.04 LTS
Prerequisites
- Ubuntu 26.04 LTS
- SSH access to the server
- An SSH key pair already generated on your workstation
Step 1 – Set Up SSH Key Authentication
On your workstation:
ssh-keygen -t ed25519 -C 'you@example.com'
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server-ip
Verify you can log in with the key before proceeding.
Step 2 – Harden /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
Apply these hardening settings:
Port 2222
AddressFamily inet
ListenAddress 0.0.0.0
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
AllowUsers youruser
Banner /etc/ssh/banner
Step 3 – Create an SSH Login Banner
sudo nano /etc/ssh/banner
Add a legal warning:
Authorised access only. This system is monitored.
Step 4 – Restart SSH
Open a second terminal and keep the first session active as a fallback:
sudo systemctl restart ssh
sudo systemctl status ssh
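An added example, not part of the original guide: sshd uses the first value it reads for each keyword, so a file pulled in by an Include directive can override an edit made in sshd_config. The script compares the output of sshd -T (the effective configuration) against the Step 2 values; the function name check_sshd_effective and the sample data are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare sshd's effective settings with the Step 2 values.
# On the server, feed it real data:  sudo sshd -T | check_sshd_effective

# Expected values from Step 2. `sshd -T` prints keywords in lower case.
EXPECTED='port 2222
permitrootlogin no
passwordauthentication no
permitemptypasswords no
pubkeyauthentication yes
maxauthtries 3
logingracetime 20
x11forwarding no'

# Constructed sample (not real output): password logins are still enabled,
# as happens when another config file sets the keyword first.
SAMPLE_DRIFTED='port 2222
permitrootlogin no
passwordauthentication yes
permitemptypasswords no
pubkeyauthentication yes
maxauthtries 3
logingracetime 20
x11forwarding no'

# Reads `sshd -T` output on stdin and prints one DRIFT line per mismatch.
# Returns 0 if every expected setting is in effect, 1 otherwise.
check_sshd_effective() {
    local effective key want got rc=0
    effective=$(cat)
    while read -r key want; do
        # First matching keyword line; everything after the keyword is the value.
        got=$(printf '%s\n' "$effective" |
            awk -v k="$key" '!seen && $1 == k { seen = 1; $1 = ""; sub(/^ /, ""); print }')
        if [ "$got" != "$want" ]; then
            printf 'DRIFT %s: want "%s", effective "%s"\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Demo on the constructed sample; prints the passwordauthentication drift.
printf '%s\n' "$SAMPLE_DRIFTED" | check_sshd_effective || echo "effective config differs from Step 2"
```

A non-zero exit status means at least one Step 2 setting is not in effect, so keep the fallback session open until the check passes.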
Step 5 – Update UFW for New Port
sudo ufw allow 2222/tcp
sudo ufw deny 22/tcp
sudo ufw status
Step 6 – Install and Configure fail2ban
sudo apt install fail2ban -y
sudo nano /etc/fail2ban/jail.local
Add:
[sshd]
enabled = true
port = 2222
filter = sshd
maxretry = 3
bantime = 3600
findtime = 600
Start and enable the service:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
Step 7 – Monitor Failed Logins
sudo journalctl -u ssh --since '1 hour ago'
sudo fail2ban-client status sshd
Conclusion
SSH is hardened on Ubuntu 26.04 LTS. Key-based authentication, a non-standard port, fail2ban rate-limiting, and disabled root login provide a significantly stronger security posture.