In this guide, I will show you three easy methods to increase the security of your SSH server on Linux without any unnecessary steps. We will cover changing the listening port, configuring the firewall to restrict IP access, and installing Fail2Ban to stop brute force attacks.
The first step is to change the actual listening port for the SSH service from the default 22 to a custom port.
Log in to your server and switch to the root user. Open the SSH daemon configuration file using nano:
nano /etc/ssh/sshd_config
Locate the line that says Port 22. Change this to a custom number, such as 1337. Save the file (Ctrl+S) and exit (Ctrl+X).
To apply the changes, you can reload the daemon, but the easiest way is to simply reboot the machine.
reboot
Attempting to connect via the standard port will now result in "Connection refused". You must specify the new port using the -p flag:
ssh -p 1337 user@your-server-ip
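The port change above is done by hand in nano. As an added example (not from the original guide), the shell functions below make the same edit on a copy of the configuration file and read back the effective port, so the result can be verified before the daemon is restarted. It assumes the file path and port are passed as arguments; the config lines it edits are a constructed sample so it runs without root. Note that on most distributions the directive ships commented out as #Port 22, which is why the function also accepts the commented form.

```shell
#!/bin/sh
# Added example, not part of the original guide: change the SSH listening
# port in a configuration file in a way that can be checked before the daemon
# is restarted. Assumptions: the file path and port are given as arguments;
# the sample config below is constructed so this runs without root.

# set_ssh_port FILE PORT
# Replaces the first "Port N" or commented "#Port N" directive with
# "Port PORT", or appends one if the file has none. Other lines are untouched.
set_ssh_port() {
    file=$1
    port=$2
    # accept only a number in the TCP port range
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    awk -v port="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ && !done { print "Port " port; done = 1; next }
        { print }
        END { if (!done) print "Port " port }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_ssh_port FILE
# Prints the port sshd would listen on: the first uncommented "Port"
# directive, or 22 when there is none (the daemon default).
get_ssh_port() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2; exit }' "$1" | grep . || echo 22
}

# Constructed sample of the relevant sshd_config lines (not a real server file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# sample sshd_config (constructed)
#Port 22
#AddressFamily any
PermitRootLogin prohibit-password
EOF

set_ssh_port "$demo_cfg" 1337
echo "effective port: $(get_ssh_port "$demo_cfg")"   # prints 1337
rm -f "$demo_cfg"

# On a real host, check the syntax before restarting and keep your current
# session open until a new connection on the custom port succeeds:
#   sshd -t -f /etc/ssh/sshd_config && systemctl restart sshd
```

The syntax check with `sshd -t` and keeping the existing session open are the two habits that stop a typo in sshd_config from locking you out of the machine.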
The second method involves configuring the Uncomplicated Firewall (UFW) to only allow connections from specific IP addresses.
First, check the status of UFW. It is likely inactive by default. Before enabling it, we must add a rule to allow our specific client IP (e.g., 172.16.1.101) to connect to our new custom port; enabling the firewall before this rule exists could block your own session.
ufw allow from 172.16.1.101 to any port 1337
To ensure security, we explicitly deny traffic from any other IP address to this port. UFW evaluates rules in the order they were added and the first match wins, so the more specific "allow" rule we just created is checked before this general "deny" rule and still lets our client through.
ufw deny from any to any port 1337
Enable UFW to make the rules active. Confirm "yes" when warned that this may disrupt existing connections.
ufw enable
ufw status
If you attempt to connect from a different IP address now, the connection should fail, confirming the firewall is working.
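Because the allow rule only protects you if it is listed ahead of the deny rule, it is worth checking the rule order rather than trusting it. The function below is an added example, not part of the original guide: it reads the output of `ufw status numbered` and succeeds only when the firewall is active, an ALLOW rule for the admin IP on the port exists, and that rule precedes any DENY rule for the same port. The status text it is run against here is a constructed sample; the IP and port are the ones used in the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: before trusting a UFW rule set
# that denies everything except one admin address, confirm from "ufw status
# numbered" output that the firewall is active, that the ALLOW rule for the
# admin IP exists, and that it is listed before any DENY rule for the same
# port. UFW checks rules top to bottom and the first match wins, so a DENY
# listed first would lock the admin out as well. The status text below is a
# constructed sample; the IP and port are those used in the guide.

# check_ufw_order ADMIN_IP PORT  < output-of-"ufw status numbered"
# Exit status 0 when the rule set lets ADMIN_IP reach PORT, 1 otherwise.
check_ufw_order() {
    awk -v ip="$1" -v port="$2" '
        /^Status:/ { active = ($2 == "active") }
        # numbered rule lines look like:  [ 1] 1337   ALLOW IN   172.16.1.101
        /^\[ *[0-9]+\]/ {
            line = $0
            sub(/^\[ *[0-9]+\][ \t]*/, "", line)    # drop the "[ 1] " prefix
            n = split(line, f, /[ \t]+/)             # f[1]=To f[2]=Action f[3]=Dir f[4]=From
            sub(/\/.*/, "", f[1])                    # "1337/tcp" -> "1337"
            if (n < 4 || f[1] != port) next
            if (f[2] == "ALLOW" && f[4] == ip && !allow) allow = NR
            if (f[2] == "DENY" && !deny) deny = NR
        }
        END {
            if (!active) { print "firewall is not active"; exit 1 }
            if (!allow)  { print "no ALLOW rule for " ip " on port " port; exit 1 }
            if (deny && deny < allow) { print "a DENY rule is listed before the ALLOW rule"; exit 1 }
            print "ok: " ip " is allowed on port " port " ahead of any deny"
        }'
}

# Constructed sample of "ufw status numbered" after the two rules from the guide.
sample_status='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 1337                       ALLOW IN    172.16.1.101
[ 2] 1337                       DENY IN     Anywhere'

printf '%s\n' "$sample_status" | check_ufw_order 172.16.1.101 1337
# On a real host:  ufw status numbered | check_ufw_order 172.16.1.101 1337
```

Run it from the admin machine before you close the session you used to enable UFW; a non-zero exit means the rule set would cut you off too.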
The third method is to use a tool called Fail2Ban, which monitors log files and automatically bans IP addresses that show signs of malicious behaviour, such as repeated failed login attempts.
Update your repositories and install the package:
apt update && apt upgrade -y
apt install fail2ban
Navigate to the Fail2Ban directory. It is best practice not to edit the jail.conf file directly, but to create a copy named jail.local.
cd /etc/fail2ban
cp jail.conf jail.local
nano jail.local
Scroll down to find the [sshd] section. You need to update the port to match your custom port (1337). For testing purposes, you can set maxretry to 1, meaning a single failed attempt will trigger a ban.
Start the service:
systemctl start fail2ban
If you intentionally type the wrong password, you will be locked out. You can verify the ban status on the server using the client tool:
fail2ban-client status sshd
To unban an IP address (or all IPs), use the following command:
fail2ban-client unban --all
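To make the effect of maxretry concrete, here is an added example (not from the original guide and not Fail2Ban's own code) that does in a few lines of awk what the sshd jail does: it counts "Failed password" events per source address in sshd log output and lists every address that reached the threshold. The log lines are constructed (TEST-NET and private addresses), the findtime window is not modelled, and the threshold is passed as an argument so the guide's test value of 1 can be compared with a higher one.

```shell
#!/bin/sh
# Added example, not part of the original guide: a small re-creation of what
# the Fail2Ban sshd jail looks for, so the maxretry setting can be reasoned
# about against real log lines. It counts "Failed password" events per source
# address in sshd log output and reports every address that reached maxretry.
# The log lines below are constructed (TEST-NET and private addresses), not
# taken from a real server. The findtime window is not modelled here.

# count_ssh_failures MAXRETRY  < auth.log
# Prints "IP COUNT", one per line, for each address with COUNT >= MAXRETRY.
count_ssh_failures() {
    awk -v maxretry="$1" '
        # both plain and "invalid user" failures contain "Failed password for"
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= maxretry) print ip, fails[ip]
        }' | sort
}

# Constructed sample log lines in the syslog format fail2ban reads.
sample_log='Mar  5 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  5 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  5 10:01:09 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  5 10:02:11 host sshd[1210]: Failed password for alice from 172.16.1.101 port 40012 ssh2
Mar  5 10:02:20 host sshd[1210]: Accepted password for alice from 172.16.1.101 port 40012 ssh2'

echo "maxretry = 3: only the address hammering root is reported"
printf '%s\n' "$sample_log" | count_ssh_failures 3
echo "maxretry = 1 (the guide's test value): one mistyped password reports the admin too"
printf '%s\n' "$sample_log" | count_ssh_failures 1
# On a real host:  count_ssh_failures 3 < /var/log/auth.log
```

With maxretry set to 1 the admin's single typo from 172.16.1.101 appears alongside the brute-force source, which is exactly the lockout the guide describes; raise maxretry again once testing is done, and consider adding the admin address to ignoreip in jail.local.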