Skip to content

SSH Hardening Guide

Last Updated: 2026-02-09 Server: Hetzner Production (46.224.40.5) Status: ✅ Hardened


SSH is the primary remote access method. This guide covers the hardened configuration protecting against unauthorized access.


SettingValuePurpose
PermitRootLoginprohibit-passwordRoot via key only
PasswordAuthenticationnoKeys only, no passwords
MaxAuthTries3Limited login attempts
MaxSessions3Prevent session flooding
LoginGraceTime30sQuick timeout on failed auth
X11ForwardingnoDisable X11 (attack surface)
AllowTcpForwardingnoDisable port forwarding
AllowAgentForwardingnoDisable agent forwarding
LogLevelVERBOSEEnhanced logging
TypeAlgorithms
Cipherschacha20-poly1305, aes256-gcm, aes128-gcm
MACshmac-sha2-512-etm, hmac-sha2-256-etm
Key Exchangecurve25519-sha256

Key settings (defaults):

PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
X11Forwarding no
PrintMotd no
ClientAliveInterval 60
ClientAliveCountMax 3

Hardening Config: /etc/ssh/sshd_config.d/99-hardening.conf

Section titled “Hardening Config: /etc/ssh/sshd_config.d/99-hardening.conf”
Terminal window
# =============================================================================
# SSH Hardening Configuration - iSu Technologies
# Applied: 2026-02-09
# =============================================================================
# Authentication hardening
PermitRootLogin prohibit-password
MaxAuthTries 3
MaxSessions 3
LoginGraceTime 30
# Disable risky features
PermitEmptyPasswords no
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
# Connection limits
MaxStartups 3:50:10
# Logging - enhanced for security monitoring
LogLevel VERBOSE
# Crypto hardening - strong ciphers only
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
# Security banner
Banner /etc/issue.net
***************************************************************************
AUTHORIZED ACCESS ONLY
***************************************************************************
This system is the property of iSu Technologies. Unauthorized access is
prohibited. All connections are logged and monitored. By accessing this
system, you consent to these terms. Violators will be prosecuted.
***************************************************************************

Terminal window
# Check SSH service
systemctl status sshd
# Test configuration (before restart)
sshd -t
# View active connections
ss -tnp | grep :22
# View auth log
tail -50 /var/log/auth.log
Terminal window
# Edit hardening config
nano /etc/ssh/sshd_config.d/99-hardening.conf
# Test configuration
sshd -t
# Apply changes (keep current session open!)
systemctl restart sshd
# Verify new session works before closing old one

Terminal window
# On your local machine, generate key (if needed)
ssh-keygen -t ed25519 -C "your_email@example.com"
# Copy to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@46.224.40.5
# Or manually add to server
echo "ssh-ed25519 AAAA... your_email" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Terminal window
# Check authorized keys
cat ~/.ssh/authorized_keys
# Set correct permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
# Remove old/unknown keys
nano ~/.ssh/authorized_keys

Terminal window
# Watch auth log live
tail -f /var/log/auth.log | grep -E "sshd|Accepted|Failed"
# Watch with color
tail -f /var/log/auth.log | grep --color -E "Accepted|Failed|Invalid|$"
Terminal window
# Successful logins today
grep "Accepted" /var/log/auth.log | grep "$(date +%b\ %d)"
# Failed attempts today
grep "Failed" /var/log/auth.log | grep "$(date +%b\ %d)"
# Invalid users (attackers probing)
grep "Invalid user" /var/log/auth.log | tail -20
# Last successful logins
last -20

Terminal window
# From another session on the server:
# 1. Check SSH is running
systemctl status sshd
# 2. Check configuration
sshd -t
# 3. Check firewall
ufw status | grep 22
# 4. Check fail2ban (you might be banned)
fail2ban-client status sshd | grep <YOUR_IP>
# 5. Unban yourself if needed
fail2ban-client set sshd unbanip <YOUR_IP>
Terminal window
# Test config syntax
sshd -t
# If errors, check the hardening file
cat /etc/ssh/sshd_config.d/99-hardening.conf
# Temporarily disable hardening to recover
mv /etc/ssh/sshd_config.d/99-hardening.conf /tmp/
systemctl restart sshd
# Fix the file and move it back

If locked out of SSH:

  1. Hetzner Console: Access via Hetzner Cloud Console (robot.hetzner.com)
  2. Recovery Mode: Boot into rescue system
  3. Emergency Contact: Hetzner support

  • Password authentication disabled
  • Root login restricted to key-only
  • Strong ciphers configured
  • MaxAuthTries ≤ 3
  • fail2ban protecting SSH
  • Security banner displayed
  • VERBOSE logging enabled
  • Unnecessary forwarding disabled


Last hardening: 2026-02-09 Maintainer: Nhlanhla Mnyandu (nhlanhla@isutech.co.za)