If you put a server on the public internet with port 22 open and password login enabled, you are going to get knocked on. Not maybe \u2014 guaranteed<\/em>. The bots find you within minutes, and they never sleep. The good news: locking SSH down properly takes about ten minutes and roughly six lines of config.<\/p>\n\n\n\n This is the same config I put on every Linux box I run \u2014 from a $5 VPS to the Proxmox cluster in my office. By the end of this post you’ll have key-only authentication, no root login, a non-default port, a whitelisted user group, fail2ban, and a workflow that won’t lock you out of your own server.<\/p>\n\n\n\n Passwords are the single biggest reason servers get popped. Even a 16-character password is brute-force-able if a bot has a year and you’re not rate-limiting. SSH keys aren’t \u2014 a 256-bit ed25519 key is, for practical purposes, uncrackable.<\/p>\n\n\n\n Generate one on your laptop<\/em> (not the server), then copy the public half up:<\/p>\n\n\n\n
\n\n\n\n\ud83d\udd10 Lock Down SSH in 10 Minutes: A Hardening Checklist<\/h1>\n\n\n\n
\ud83d\udccb Prerequisites<\/h2>\n\n\n\n
\n
sudo<\/code> rights. If you’ve been logging in as root, create one first (adduser christopher && usermod -aG sudo christopher<\/code>).<\/li>\n\n\n\n
\n\n\n\n\ud83d\udddd\ufe0f Step 1: Get on Keys, Get Off Passwords<\/h2>\n\n\n\n