#1 sshd configuration hardening
The sshd configuration file is usually located at:
/etc/ssh/sshd_config
1) Change the SSH port from the default port 22 to a different one
# Change from default 22 to a different port
Port 12345
If the server sits behind a firewall or security group, remember to allow the new port there as well, or you will lock yourself out.
2) Disable weak ciphers
# Use strong ciphers only (CBC-mode ciphers are deliberately left out of this list)
Ciphers aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
3) Limit authentication attempts and concurrent sessions
# Authentication attempts allowed per connection
MaxAuthTries 3
# Open sessions allowed per network connection
MaxSessions 2
# Unanswered keepalive probes before the connection is dropped
ClientAliveCountMax 2
4) Disable password authentication (use public keys instead)
PubkeyAuthentication yes
PasswordAuthentication no
Make sure public-key authentication is set up and that you can log in with it before disabling password authentication.
5) Set the log level to VERBOSE
LogLevel VERBOSE
6) Disable other features that are commonly abused
# Rely on ClientAlive* probes rather than spoofable TCP keepalives
TCPKeepAlive no
# Do not let sessions forward agents, TCP ports or X11 displays through the server
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
7) Restart the ssh service so the new configuration takes effect
$ sudo service ssh restart
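To verify that a host actually applies the settings from steps 1 to 6, here is an added audit script (not part of the original guide) that parses an sshd_config and reports every directive that deviates from the baseline above. It assumes a flat file without Match blocks, and the two sample configs are constructed for illustration, not taken from a real host.

```python
"""Audit an sshd_config against the hardening baseline described above."""
import re

# Directive -> value required by the steps above (compared case-insensitively).
EXPECTED = {"passwordauthentication": "no", "pubkeyauthentication": "yes",
            "loglevel": "verbose", "x11forwarding": "no", "tcpkeepalive": "no",
            "allowtcpforwarding": "no", "allowagentforwarding": "no"}
# Cipher names treated as weak: any CBC mode, 3DES and arcfour variants.
WEAK_CIPHER = re.compile(r"-cbc$|^3des|^arcfour", re.IGNORECASE)

def parse_sshd_config(text):
    """Return {keyword: value}. sshd honours the FIRST occurrence of a keyword,
    so later duplicates are ignored; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def audit(text):
    """Return a sorted list of findings; an empty list means the baseline is met."""
    conf = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = conf.get(key, "<default>")
        if got.lower() != want:
            findings.append(f"{key} should be {want}, found {got}")
    if conf.get("port", "22") == "22":          # sshd listens on 22 when unset
        findings.append("port is still the default 22")
    if int(conf.get("maxauthtries", "6")) > 3:  # sshd default is 6
        findings.append("maxauthtries above 3")
    ciphers = conf.get("ciphers", "")
    weak = [c for c in ciphers.split(",") if WEAK_CIPHER.search(c)]
    if not ciphers:
        findings.append("ciphers not pinned; server default list in use")
    elif weak:
        findings.append("weak ciphers enabled: " + ",".join(weak))
    return sorted(findings)

# Constructed sample configs: a stock-like file and one following steps 1 to 6.
WEAK_CONFIG = "Port 22\nPasswordAuthentication yes\nX11Forwarding yes\nCiphers aes256-cbc,aes256-ctr\n"
HARDENED_CONFIG = "\n".join([
    "Port 12345", "Ciphers aes256-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com",
    "MaxAuthTries 3", "MaxSessions 2", "ClientAliveCountMax 2", "PubkeyAuthentication yes",
    "PasswordAuthentication no", "LogLevel VERBOSE", "TCPKeepAlive no",
    "AllowAgentForwarding no", "AllowTcpForwarding no", "X11Forwarding no"]) + "\n"
```

Running `audit(WEAK_CONFIG)` lists ten findings while `audit(HARDENED_CONFIG)` returns an empty list; to audit a live host, read /etc/ssh/sshd_config and pass its contents to `audit`.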
#2 Restrict inbound traffic to your SSH port
This is done in your firewall or security-group configuration; for example, allow inbound traffic to the SSH port only from your company's IP address range.
#3 Enable fail2ban
1) Install fail2ban to block repeated failed login attempts (password brute-forcing) against your server.
$ sudo apt install fail2ban
2) Check that it installed successfully.
$ fail2ban-client --version
3) Adjust the settings under the [sshd] section if needed. Example:
$ sudo pico /etc/fail2ban/jail.conf
[sshd]
# How long an offending IP stays banned
bantime = 1h
# Window in which the failures are counted
findtime = 15m
# Failures within findtime that trigger a ban
maxretry = 3
4) Restart the service so the new settings are loaded.
$ sudo systemctl restart fail2ban
5) Bans and unbans are recorded in the fail2ban log:
$ cat /var/log/fail2ban.log