Subtotal
VAT (%)
total
open checkout
No items in the shopping cart.
Community
Articles
121
HostiServer
2026-01-15 13:14:00

SSH Security in 2026: Keys, Fail2Ban, Hardening — A Complete Guide

⏱️ Reading time: ~7 minutes | 📅 Published: January 15, 2026

SSH Security Is Still Critical in 2026

Let us explain why we're starting this article with these exact words: the average Linux server receives hundreds of SSH brute-force attempts daily. Not per week — daily. And during active attacks, that number can spike into the thousands.

If you've ever looked at /var/log/auth.log on a fresh VPS (Cloud), you know what we're talking about. Within hours of launch, your server is already under fire. Automated bots constantly scan IP ranges, looking for servers with weak passwords, default ports, and enabled root login. They don't need to be sophisticated — too many servers still operate with "door without a lock" level security.

Good news: SSH is one of the most secure protocols ever created.

Bad news: most people never configure it properly.

3D illustration of a server under a massive brute force attack

Password Authentication: Time to Move On

Let's be honest — passwords are convenient. You can remember them (sometimes), enter them from any device, and they don't require special setup. But in 2026, relying on password authentication for SSH is like securing a bank vault with a padlock.

The math is brutal. Even a "strong" 12-character password with mixed case, numbers, and symbols has about 72 bits of entropy. An SSH key? 4096 bits of cryptographic randomness. That's not just better — it's an entirely different universe of security.

How it happens: Brute-force attacks on SSH rarely "guess" passwords randomly. They typically use leaked password databases from other services. If your server password is even slightly similar to one you used for some forum or old account — it's already in the attacker's dictionary.

Beyond brute force, passwords have other issues: they can be phished, shoulder-surfed, accidentally committed to a git repository (yes, this happens constantly), or extracted from a poorly secured password manager. SSH keys eliminate almost all these attack vectors.

The Key Advantage

SSH key authentication works on a simple but elegant principle: your private key never leaves your machine. When you connect to a server, it challenges you — prove you have the private key that matches the public key on the server. This happens through cryptographic math — no secret is transmitted over the network.

Even if someone intercepts your entire SSH session, they can't extract the private key. Even if someone compromises the server and steals the authorized_keys file — they still can't log in as you without the private key. That's the power of asymmetric cryptography.

Generating SSH Keys: How to Do It Right

Not all SSH keys are equal. In 2026, you have several options, and the choice matters more than it seems.

Algorithm Key Size Security Level Recommendation
RSA 4096 bits High Good for compatibility
Ed25519 256 bits* Excellent Recommended
ECDSA 256-521 bits Varies Better to avoid
DSA 1024 bits Obsolete Never use

*A 256-bit Ed25519 key provides security equivalent to ~3000-bit RSA thanks to elliptic curve efficiency.

Creating an Ed25519 Key (Recommended)

On your local machine (not the server), open a terminal and run:

ssh-keygen -t ed25519 -C "your_email@example.com"

You'll be asked for a file location and passphrase. Always use a strong passphrase. Yes, this means entering it every time you connect — but ssh-agent can securely cache it, and the passphrase provides critical protection if someone gets your private key file.

💡 Tip: Use a passphrase that's easy to type but hard to guess. A sentence works great: "My cat weighs 5 kg" becomes a memorable, fast-to-type passphrase that would take billions of years to brute force.

For Legacy Systems: RSA 4096

Some older systems don't support Ed25519. In such cases, use RSA with maximum key size:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

The -b 4096 parameter is critical. Default RSA keys are often 2048 bits — technically still secure but with less future margin. If you're creating keys today, there's no reason not to use 4096.

Deploying Keys to the Server

You've generated the keys. Now they need to be delivered to the server — specifically, the public key. The private key stays on your machine. Period.

The Easy Way: ssh-copy-id

If you can still log in with a password, this is the fastest method:

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@your-server-ip

This command automatically creates the ~/.ssh directory on the server if needed, adds your public key to authorized_keys, and sets the correct permissions. Done.

Manual Method

Sometimes ssh-copy-id isn't available or you need more control. Here's the manual process:

# On local machine — display public key
cat ~/.ssh/id_ed25519.pub
# On server — create SSH directory and file
mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys
# Paste public key, save, then set permissions
chmod 600 ~/.ssh/authorized_keys

🚨 Critical: Permissions matter. SSH will silently refuse to use key authentication if your ~/.ssh directory or files have incorrect permissions. Directory must be 700, authorized_keys must be 600. No exceptions.

Managing Multiple Keys

Experienced users often have different keys for different servers — one for work, one for personal projects, one for that side project that definitely won't become the main job. Managing this is easier than it seems.

Create ~/.ssh/config on your local machine:

Host work-server
    HostName 192.168.1.100
    User admin
    IdentityFile ~/.ssh/id_work_ed25519
Host personal-vps
    HostName 203.0.113.50
    User deploy
    IdentityFile ~/.ssh/id_personal_ed25519
    Port 2222

Now you can simply type ssh work-server instead of remembering IP addresses, usernames, and key locations.

Hardening SSH Configuration

Key authentication is a huge security improvement, but it's just the beginning. The SSH daemon itself has numerous settings that can dramatically increase your protection.

Edit /etc/ssh/sshd_config on the server. Here's what matters most:

Disable Root Login

PermitRootLogin no

This is non-negotiable. Even with key authentication, allowing direct root login is unnecessary risk. Create a regular user, add them to the sudo group, and connect as them. An attacker now needs to compromise two things: your SSH key and sudo password.

Disable Password Authentication

PasswordAuthentication no
PubkeyAuthentication yes

Once you've confirmed key authentication works — disable passwords completely. This single change eliminates 99% of automated attacks on your server. Bots can hammer your login all day — without a valid key, they're going nowhere.

⚠️ Before doing this: Make sure key authentication works! Test by opening a new terminal and connecting. Don't close your existing session until you verify you can get back in.

Change the Default Port

Port 2222

This is security through obscurity — it won't stop a determined attacker, but it eliminates noise from automated scanners bombarding port 22. Your auth.log will thank you. Pick any port above 1024 and below 65535.

Limit User Access

AllowUsers deploy admin
# or
AllowGroups sshusers

Whitelist who can connect via SSH. Even if an attacker somehow creates a user on the system, they can't SSH in unless they're on this list.

Protocol and Cipher Hardening

# Use only SSH protocol 2
Protocol 2
# Strong ciphers only
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
# Strong key exchange algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
# Strong MACs
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

These settings disable outdated, potentially vulnerable algorithms. The tradeoff is that very old SSH clients may not connect — but if something's running SSH from 2010, it has bigger problems.

Session Security

# Disconnect inactive sessions after 15 minutes
ClientAliveInterval 300
ClientAliveCountMax 3
# Limit authentication attempts
MaxAuthTries 3
# Disable empty passwords (obviously)
PermitEmptyPasswords no

After making changes, always test the configuration before restarting:

sudo sshd -t

If there are no errors, restart the SSH service:

sudo systemctl restart sshd

Beyond Basic Configuration

A hardened sshd_config is great, but defense in depth means adding more layers. Here are the most effective additional measures.

Fail2Ban: Your Automated Guard

Fail2Ban monitors logs and automatically bans IP addresses showing malicious behavior. For SSH, it tracks failed login attempts and blocks offenders.

sudo apt install fail2ban
sudo systemctl enable fail2ban

The default configuration is acceptable, but you can customize in /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

This bans any IP with 3 failed attempts within 10 minutes for 1 hour. Yes, fairly aggressive, but automated attacks require an aggressive response.

Firewall Rules

Use UFW to restrict SSH access:

# Allow SSH only from your IP or range
sudo ufw allow from 192.168.1.0/24 to any port 2222
# Or if global access is needed
sudo ufw allow 2222/tcp
sudo ufw enable

If you have a static IP, restricting SSH access only to it is incredibly effective. Attackers can't even reach your SSH port.

Two-Factor Authentication

For maximum security, combine SSH keys with TOTP (Time-based One-Time Password):

sudo apt install libpam-google-authenticator

This adds a second factor — even if someone steals your private key and passphrase, they still need the code from your authenticator app.

SSH Jump Hosts (Bastion)

3D diagram of Jump Host architecture: secure access to the internal network through a gateway

In production environments, never expose SSH of critical servers directly to the internet. Use a bastion host — a hardened minimal server that serves as the single entry point to your network.

# In local ~/.ssh/config
Host production-db
    HostName 10.0.1.50
    User dbadmin
    ProxyJump bastion
Host bastion
    HostName 203.0.113.10
    User jump
    IdentityFile ~/.ssh/id_bastion

Now ssh production-db automatically connects through bastion. The database server's SSH port never needs public exposure.

SSH Security Monitoring

Security isn't a one-time setup but a continuous process. Here's how to track what's happening with SSH on your server.

Watch the Logs

Your auth.log tells the story of every authentication attempt:

# Recent failed attempts
grep "Failed password" /var/log/auth.log | tail -20
# Successful logins
grep "Accepted" /var/log/auth.log | tail -20
# Who's currently logged in
who
w

Track Key Usage

Add comments to authorized_keys entries for tracking:

ssh-ed25519 AAAAC3... laptop-2026
ssh-ed25519 AAAAC3... work-desktop
ssh-ed25519 AAAAC3... emergency-backup

Periodically review this file. If you see a key you don't recognize — that's a problem.

Set Up Alerts

For critical servers, configure alerts on successful logins. A simple approach using a PAM script:

# /etc/pam.d/sshd — add line
session optional pam_exec.so /usr/local/bin/ssh-login-alert.sh

The script can send email, Slack, or Telegram messages on each login. If you get an alert and it's not you logging in — you'll know immediately.

Common Mistakes to Avoid

Over years of working with servers, we've seen hundreds of SSH configurations. Some mistakes repeat so often they're worth addressing separately.

Mistake #1: Testing new configuration without a backup session

What happens: Admin edits sshd_config, restarts the SSH service, and suddenly realizes they can no longer connect. The existing session is already closed. No access.

Why it's dangerous: One typo in the configuration — and the server becomes inaccessible. Without physical access or a console from the hosting provider, the only option is system reinstallation.

Solution: Always keep at least two SSH sessions open when editing configuration. Make changes in one, test connection in the other. Close the first only after a successful test.

Mistake #2: Storing private keys without a passphrase

What happens: "Why bother with a passphrase, it's my personal laptop!" Then the laptop gets stolen, a backup drive is lost, or someone gains access to the filesystem through another vulnerability.

Why it's dangerous: A private key without a passphrase is like leaving apartment keys under the doormat. Whoever finds the file immediately has full access to all your servers.

Solution: Always set a passphrase when generating keys. To avoid entering it every time — use ssh-agent, which caches the decrypted key in memory for the session duration.

Mistake #3: One key for everything

What happens: The same key is used for work servers, personal projects, GitHub, and that VPS (Cloud) that was "temporarily" set up for testing three years ago.

Why it's dangerous: Compromising one server means compromising all of them. An attacker gains access to authorized_keys on the breached server and now knows where else that key works.

Solution: Create separate keys for different contexts: work, personal, critical infrastructure. Use ~/.ssh/config for convenient management. This way, compromising one key doesn't bring down everything else.

Mistake #4: Forgotten old keys in authorized_keys

What happens: Three years ago, you added a freelancer's key for one task. The project ended, the person left, but the key is still there. Plus the former colleague's key. And that "temporary" key from an unknown device.

Why it's dangerous: Every forgotten key is a potential entry point. People lose devices, their accounts get hacked, and your server remains vulnerable through a key everyone forgot about.

Solution: Audit authorized_keys at least quarterly. Add comments to keys (who, when, why). Remove everything no longer needed. If you don't recognize a key — delete it immediately.

Mistake #5: Disabling passwords before confirming keys work

What happens: Admin sets up key authentication, immediately disables PasswordAuthentication, restarts SSH — and discovers the key doesn't work for some reason. Permissions? Key format? Wrong path? It doesn't matter now because there's no access.

Why it's dangerous: Key authentication can fail for a dozen reasons: wrong chmod, key in the wrong file, typo in configuration. Disabling passwords before verification is playing roulette with access.

Solution: First set up keys. Then test connection with the key in a new session. Confirm everything works. Only then disable passwords. Order is critical.

🚀 Ready to Choose the Right Hosting?

Cloud (VPS) flexibility or dedicated server power — solutions that scale with your growth.

💻 Cloud (VPS) Hosting

  • From $19.95/month — Start small, scale instantly
  • KVM virtualization — Guaranteed resources without overselling
  • Instant upgrades — No downtime
  • 24/7 support — Response under 10 minutes

🖥️ Dedicated Servers

  • From $200/month — Modern configurations
  • Custom configurations — Intel or AMD, latest models
  • Multiple locations — EU + USA
  • 99.9% uptime — Reliability
  • DDoS protection — Included
  • Free migration — We'll help

💬 Not sure which option you need?
💬 Contact us — we'll help with everything!

Frequently Asked Questions

Can I use both password and key authentication simultaneously?

Yes, but you shouldn't. Enabled password authentication means attackers can still try brute force. The whole point of key authentication is that it's dramatically more secure — leaving passwords as a fallback undermines this. If you need emergency access, use your hosting provider's console.

What if I lose my private key?

If you lose access to the private key — you lose access to the server. There's no "password reset" here. That's why backups matter: store the private key in a secure location (encrypted, ideally in a password manager or secure vault). Some users create an "emergency" key pair stored separately for exactly such cases.

Is changing the SSH port really worth it?

It won't stop a targeted attack, but it dramatically reduces noise from automated scanners. Your logs become readable, and Fail2Ban has fewer events to process. It's 30 seconds of configuration for a noticeable quality-of-life improvement. Just don't forget to update firewall rules and document the new port.

Should I disable root login if I'm the only user?

Absolutely. Even solo administrators benefit from separation. If an attacker somehow gets your SSH key, they still need the sudo password for serious damage. It's also a good habit — someday you might add other users or move to a team environment.

How often should I rotate SSH keys?

There's no universal rule, but consider rotating annually or immediately if: a device with the key is lost or stolen, you leave a job or project, or you suspect any compromise. Ed25519 keys with a strong passphrase can safely serve for years under normal circumstances.

Share this article
     |    Copy link

Contents

Share this article

MANAGED VPS STARTING AT

$19 95 / mo
all plans

NEW INTEL XEON BASED SERVERS

$80 / mo
all servers

CDN STARTING AT

$0 / mo
all plans
Managed Dedicated Server Hosting and Managed VPS Services. Full support and server tuning for demanding web projects.
English
Choose your language
  • Česky
  • English
  • Українська
© 2011-2026 Copyright IT Services Company s.r.o. All Rights Reserved.
  • Česky
  • English
  • Українська
Payment Options
{ "message" : "C_MY_INFO:001: need auth", "status" : "ERROR" }

 

By using this website you consent to the use of cookies in accordance with our privacy and cookie policy.