# Secure SSH

Harden the SSH daemon on your VPS: custom port, keys only, attempt limits, and disable root login.

OpenSSH is the main entry point to your HolyCloud Linux VPS. This guide applies recommended production settings: custom port, key authentication, no root login, and limited authentication failures.

## Prerequisites

- sudo or root on the VPS (dedicated user recommended; see "Create a sudo user")
- SSH key already deployed for your admin user
- Two SSH sessions or the HolyCloud console (VNC) as backup
- If you change the SSH port: open the new port in UFW or the HolyCloud panel firewall before reloading sshd

## Step 1: back up the configuration

```bash
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%F)
sudo sshd -t
```

`sshd -t` validates syntax without restarting the service.

## Step 2: edit sshd_config

```bash
sudo nano /etc/ssh/sshd_config
```

Target settings (uncomment or add):

```
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
```

| Directive | Role |
|-----------|------|
| Port | Reduces noise from automatic scans on port 22 (choose 1024–65535, e.g. 2222) |
| PermitRootLogin no | Blocks direct root login |
| PasswordAuthentication no | Forces SSH keys |
| PubkeyAuthentication yes | Enables public key authentication |
| MaxAuthTries 3 | Limits attempts per session |

Optional but useful:

```
AllowUsers admin
```

Replace `admin` with your sudo user.

## Step 3: allow the new port (firewall)

With UFW:

```bash
sudo ufw allow 2222/tcp comment 'SSH custom'
sudo ufw status numbered
```

In the HolyCloud customer area, ensure no external network rule blocks this port.
## Step 4: apply and test

```bash
sudo sshd -t && sudo systemctl reload sshd
```

Without closing the old session, connect on the new port:

```bash
ssh -p 2222 admin@VOTRE_IP_VPS
```

Update `~/.ssh/config` on your workstation:

```
Host holycloud-vps
    HostName VOTRE_IP_VPS
    User admin
    Port 2222
    IdentityFile ~/.ssh/id_ed25519
```

## Step 5: remove the old port (optional)

After validation:

```bash
sudo ufw delete allow 22/tcp
sudo ufw reload
```

## Verification

```bash
sudo ss -tlnp | grep sshd
grep -E '^(Port|PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|MaxAuthTries)' /etc/ssh/sshd_config
```

Negative tests (from another machine): `ssh root@IP` and `ssh -o PreferredAuthentications=password` should fail.

Check suspicious attempts:

```bash
sudo journalctl -u ssh -n 30 --no-pager
```

## Need help?

- Locked out: use KVM/VNC from the customer area, restore the `sshd_config.bak.<date>` backup from Step 1 and run `systemctl reload sshd`
- Forgotten port: run `grep ^Port /etc/ssh/sshd_config` via the console
- Support: attach the `sshd -t` output and the last 20 lines of `journalctl -u ssh`
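The `grep` check under Verification reads only `/etc/ssh/sshd_config`, while `sshd -T` prints the configuration the daemon actually resolves, including files pulled in with `Include`. The script below is an added example, not part of the original guide: `audit_sshd` and both sample inputs are constructed for illustration, and it compares `sshd -T` output with the Step 2 targets.

```bash
# Added example (not from the original guide): check the settings sshd actually
# resolved, not only the lines in /etc/ssh/sshd_config.
# Real use, as root:   sshd -T | audit_sshd 2222
# `sshd -T` prints the effective config as lowercase "key value" lines.
audit_sshd() (
  want_port=$1; failures=0; seen=""
  while read -r key value; do
    case $key in
      port)                   expected=$want_port ;;
      permitrootlogin)        expected=no ;;
      passwordauthentication) expected=no ;;
      pubkeyauthentication)   expected=yes ;;
      maxauthtries)           expected=3 ;;
      *) continue ;;          # directive not covered by this guide
    esac
    seen="$seen $key"
    # Every "port" line is checked, so a leftover "port 22" is reported too.
    if [ "$value" != "$expected" ]; then
      echo "FAIL $key: effective '$value', expected '$expected'"
      failures=$((failures + 1))
    fi
  done
  # A target missing from the input means it was not full `sshd -T` output.
  for key in port permitrootlogin passwordauthentication pubkeyauthentication maxauthtries; do
    case " $seen " in
      *" $key "*) ;;
      *) echo "FAIL $key: not found in input"; failures=$((failures + 1)) ;;
    esac
  done
  [ "$failures" -eq 0 ]
)

# Constructed sample: main file hardened, but port 22 is still listed and
# another included file turned passwords back on.
SAMPLE_BAD='port 22
port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 3
x11forwarding no'
# Constructed sample: all five targets from Step 2 in effect.
SAMPLE_GOOD='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
maxauthtries 3'
if printf '%s\n' "$SAMPLE_GOOD" | audit_sshd 2222; then echo "good sample: OK"; fi
printf '%s\n' "$SAMPLE_BAD" | audit_sshd 2222 || echo "bad sample: rejected"
```

The function exits non-zero when any target differs, so it can gate the `systemctl reload sshd` in Step 4 or run from a scheduled check.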