Target Audience: Systems Administrators, DevOps Engineers, Security Professionals
Reference Framework: NIST SP 800-123 (Guide to General Server Security)

Secure Shell (SSH) is the primary administrative gateway to Linux infrastructure. Consequently, it remains the highest-priority target for automated brute-force attacks and credential stuffing. Hardening the SSH daemon (sshd) immediately eliminates the most common attack vectors, establishing a rigorous baseline for overall system integrity.

Part 1: Cryptographic Prerequisites & Key Management

Before modifying server configurations, password authentication must be replaced with robust asymmetric cryptography. This guide standardizes on Ed25519, a public-key algorithm offering superior security performance and resistance to side-channel attacks compared to legacy RSA.

Step 1: Generate an Ed25519 Key Pair

Execute this command on your local workstation to generate a high-entropy key pair:

ssh-keygen -t ed25519 -a 100 -C "admin_user@infrastructure"

• -t ed25519: Specifies the modern Edwards-curve Digital Signature Algorithm.
• -a 100: Increases the number of KDF (Key Derivation Function) rounds to resist offline brute-forcing of the passphrase.
• -C: Appends a descriptive comment to track ownership.

Security Control: Always apply a strong passphrase to the private key when prompted to encrypt it at rest on your workstation.

Step 2: Provision the Public Key to the Target Server

Export your local public key to the server’s authorized list. Run the following from your local terminal:

ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 22 admin_user@your_server_ip

(Replace -p 22 with your current SSH port if it has already been altered).

Part 2: Hardening /etc/ssh/sshd_config

Open the primary daemon configuration file with elevated privileges:

sudo nano /etc/ssh/sshd_config

Review, modify, or append the following configurations to enforce a zero-trust posture.

1. Authentication Control

Eliminate credential-based attack paths entirely by disabling password validation and preventing direct access to the administrative root account.

# Prevent authentication via standard passwords
PasswordAuthentication no

# Disable keyboard-interactive authentication (prevents password bypass)
ChallengeResponseAuthentication no

# Deny direct root login; administrators must escalate privileges via sudo
PermitRootLogin no

2. Network & Access Restriction

Minimize exposure to automated scanning tools and restrict network-level entry to pre-approved system users.

# Shift to a non-standard port to mitigate 99% of automated script noise
Port 2222

# Explicitly whitelist authorized system users (space-separated)
AllowUsers deploy_user admin_user

3. Session & Connection Limits

Mitigate Denial-of-Service (DoS) vectors and drop stale connections to limit the lifetime exposure of active sessions.

# Allow a maximum of 3 failed authentication attempts per connection
MaxAuthTries 3

# Reduce the window allowed for successful authentication to 30 seconds
LoginGraceTime 30

# Terminate connections if a client fails to respond to 2 consecutive keep-alive pings (5-minute interval)
ClientAliveInterval 300
ClientAliveCountMax 2

4. Feature Protocol Restrictions

Disable legacy protocol parameters and operational features that can be abused for lateral movement or data exfiltration.

# Force the exclusive use of SSH Protocol 2
Protocol 2

# Disable X11 graphical interface forwarding to prevent UI hijacking
X11Forwarding no

# Restrict port-forwarding vectors to limit unauthorized network tunneling
AllowAgentForwarding no
AllowTcpForwarding no

Part 3: Configuration Validation and Service Restart

Improper configuration can lock you out of remote infrastructure permanently. Execute compliance checks rigorously.

Step 1: Parse and Test Configuration Syntax

Run the daemon in test mode to validate that the changes to sshd_config contain no structural errors:

sudo sshd -t

If this command returns blank, your syntax is valid.

Step 2: Apply the Ruleset

Restart the SSH daemon to load the new security configurations:

sudo systemctl restart sshd

Step 3: CRITICAL – The Connection Safety Check

DO NOT close your current terminal session. If a configuration error occurred, terminating your current window will permanently lock you out of the machine.

Open a new, independent terminal window on your local machine and attempt to establish a connection using your key and the newly defined port:

ssh -i ~/.ssh/id_ed25519 -p 2222 admin_user@your_server_ip

Once you have successfully authenticated and spawned a shell in the new window, it is safe to close your historical session.

Compliance Reference

Framework Alignment: NIST Special Publication 800-123 Section 4.2 (Securing Operating System Services) and Section 4.4 (Configuring Secure Remote Administration).

Audit Frequency: Configurations and authorized_keys listings should be audited quarterly or managed via automated configuration management tools (e.g., Ansible, Puppet) to prevent configuration drift.