Harden SSH on Ubuntu 24.04: Disable Root, Use Key Auth, Restrict IPs

Harden SSH on Ubuntu 24.04

Learn how to harden SSH on Ubuntu 24.04. Disable root login, enforce SSH key authentication, and restrict IP access for maximum protection.

Table of Contents

🔈Introduction

Secure Shell (SSH) is the backbone of remote system management, but an exposed or misconfigured SSH service is a prime target for attackers. Ubuntu 24.04, as a modern Linux distribution, offers powerful features to harden SSH access, but the defaults may not be strict enough for production environments.

In this guide, you’ll learn how to disable root login, enforce SSH key authentication, and restrict access by IP to reduce your system’s attack surface significantly.

✅ Why SSH Hardening Matters

Even a freshly installed Ubuntu server can become a target within minutes of being online. Common SSH threats include:

ThreatDescription
Brute-force attacksAutomated attempts to guess credentials using known usernames.
Root login abuseIf root SSH is enabled, a successful login grants full system access.
Password crackingPassword-based logins are vulnerable to dictionary attacks.
Open accessUnrestricted IP access invites probing and exploitation.

📋 Prerequisites

Ensure you have:

  • ✅ A fresh or configured Ubuntu 24.04 LTS server.
  • ✅ Access via a non-root user with sudo privileges.
  • ✅ A backup SSH session in case changes prevent login.

🔄 Step 1: Disable Root SSH Login

Why: Prevent attackers from targeting the highly privileged root account directly.

🔹Open the SSH config file:

				
					sudo vim /etc/ssh/sshd_config

🔹Find or add the following line:

				
					PermitRootLogin no
🔒 Tip: Ensure this line is not commented out (#). If it doesn’t exist, add it manually.

🔹Restart SSH:

				
					sudo systemctl restart ssh
🧪 Test: Try to SSH into the server using the root account:
				
					ssh root@your-server-ip

You should receive a “Permission denied” message.

🔄 Step 2: Enforce SSH Key Authentication

Why: SSH keys are virtually impossible to brute-force and eliminate password-based login risks.

🔹Generate an SSH Key (on your client machine):

				
					ssh-keygen -t ed25519 -C "your_email@example.com"

Use a strong passphrase when prompted.

🔹Upload the public key to the server:

				
					ssh-copy-id username@your-server-ip

Alternatively, manually copy the key:

				
					cat ~/.ssh/id_ed25519.pub | ssh username@your-server-ip 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'

🔹On the server, disable password authentication:

				
					sudo vim /etc/ssh/sshd_config

Set or update the following directives:

				
					PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes

🔹Restart SSH:

				
					sudo systemctl restart ssh

🔹Test Your Login

Open a new terminal session and try logging in:

				
					ssh username@your-server-ip

If successful, try the same without your private key (rename it temporarily) to confirm password access is blocked:

				
					mv ~/.ssh/id_ed25519 ~/.ssh/id_ed25519.bak
				
			
				
					ssh username@your-server-ip

You should see an authentication failure.

🔄 Step 3: Restrict SSH Access by IP

Why: Limiting IPs helps prevent unauthorized users from even reaching the login prompt. There are two common methods:

🔹Option 1: Use the UFW Firewall

				
					sudo ufw allow from YOUR.IP.ADDRESS to any port 22 && sudo ufw enable

Block all other SSH traffic:

				
					sudo ufw default deny incoming

🔹Option 2: Use /etc/hosts.allow and /etc/hosts.deny

Add allowed IPs:

				
					sudo vim /etc/hosts.allow

Replace with XXX.XXX.XX.XXX your IP address:

				
					sshd: XXX.XXX.XX.XXX

Deny all others:

				
					sudo vim /etc/hosts.deny

Add the following:

				
					sshd: ALL
MethodProsCons
UFWEasier to manage, logs blocked connectionsLess granular, needs firewall awareness
hosts.allowNative to SSH, doesn’t need firewall toolsCan be overridden by other access rules

🧱 Optional: Additional SSH Hardening Tips

🔹Use a Non-Standard Port

				
					sudo vim /etc/ssh/sshd_config

Change default port (22) entry:

				
					Port 2222

Update your firewall rules accordingly:

				
					sudo vim /etc/ssh/sshd_config
🛑 NOTE: This won’t stop serious attackers but can reduce noise in your logs.

🔹Limit User Logins

				
					AllowUsers username

🔹Enable Rate Limiting with fail2ban

Install fail2ban:

				
					sudo apt install fail2ban

Create or edit jail config:

				
					sudo vim /etc/fail2ban/jail.local

Example SSH section:

				
					[sshd]
enabled = true
port = ssh
maxretry = 3
findtime = 10m
bantime = 1h

Restart fail2ban:

				
					sudo systemctl restart fail2ban

🧰 Troubleshooting SSH Lockouts

🔹Common Fixes:

IssueFix
Locked out due to misconfigAccess via cloud provider console or local terminal
Wrong permissions on .ssh/Ensure ~/.ssh is 700 and authorized_keys is 600
UFW blocks your IPTemporarily disable: sudo ufw disable
Fail2ban blocks IPUnban IP: sudo fail2ban-client set sshd unbanip YOUR.IP.ADD.RESS

🏁 Conclusion

Hardening SSH on Ubuntu 24.04 should be a priority, not an afterthought. By disabling root login, enforcing key authentication, and restricting access by IP, you significantly reduce the risk of unauthorized access. Combined with firewall rules, rate limiting, and basic user access controls, your server will be far more resilient against attack.

Security is not a one-time task—monitor logs, update regularly, and review access policies periodically.

Did you find this article helpful? Your feedback is invaluable to us! Feel free to share this post with those who may benefit, and let us know your thoughts in the comments section below.

📕 Related Posts
Tags

Leave a Reply

Your email address will not be published. Required fields are marked *