DEV Community

AJAYA SHRESTHA

Hardening SSH on Ubuntu: Custom Admin User and Locking Down Access

When you first launch an Ubuntu server, cloud providers often give you a default Ubuntu user with SSH open on port 22. It’s convenient, but also predictable, and predictable accounts are prime targets for automated attacks.

In this post, we'll:

  1. Create a new admin user.
  2. Switch SSH to a non-default port.
  3. Enforce key-based login only.
  4. Restrict access to specific users.
  5. Delete the default user.

1. Create a New Admin User

We’ll replace the generic ubuntu account with our own, here called app.

    # Create the user
    sudo adduser app
    # Add to the sudo (admin) group
    sudo usermod -aG sudo app

Copy your SSH public key into this account so you can log in without a password:

    sudo mkdir -p /home/app/.ssh
    sudo cp /home/ubuntu/.ssh/authorized_keys /home/app/.ssh/
    sudo chown -R app:app /home/app/.ssh
    sudo chmod 700 /home/app/.ssh
    sudo chmod 600 /home/app/.ssh/authorized_keys
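Before you close the session that created the account, it is worth confirming that key login for app can actually succeed: sshd ignores an authorized_keys file, or its directory, that is writable by others or owned by the wrong user, and once password login is switched off later in this post that mistake is a lockout. The check below is an added example written for this post, not code from the original; it verifies the ownership and modes set above and that the file holds at least one public key line. The make_demo_home helper and its key line are constructed for the demo, and the script assumes GNU coreutils stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the new admin
# account's ~/.ssh layout is one sshd will accept. sshd ignores an
# authorized_keys file (or its directory) that is group/world-writable or
# owned by someone else, and once PasswordAuthentication is off that means
# being locked out. Assumes GNU coreutils stat, as shipped on Ubuntu.

# check_ssh_dir <home-dir> <expected-owner>
# Prints one line per problem; returns 0 only when everything is right.
check_ssh_dir() {
    local home="$1" owner="$2" rc=0 dir keys dmode downer kmode kowner
    dir="$home/.ssh"; keys="$home/.ssh/authorized_keys"

    [ -d "$dir" ]  || { echo "missing directory: $dir"; return 1; }
    [ -f "$keys" ] || { echo "missing file: $keys"; return 1; }

    # %a = octal mode, %U = owning user name
    dmode=$(stat -c '%a' "$dir");  downer=$(stat -c '%U' "$dir")
    kmode=$(stat -c '%a' "$keys"); kowner=$(stat -c '%U' "$keys")

    [ "$downer" = "$owner" ] || { echo "$dir is owned by $downer, expected $owner"; rc=1; }
    [ "$kowner" = "$owner" ] || { echo "$keys is owned by $kowner, expected $owner"; rc=1; }
    [ "$dmode" = "700" ]     || { echo "$dir has mode $dmode, expected 700"; rc=1; }
    [ "$kmode" = "600" ]     || { echo "$keys has mode $kmode, expected 600"; rc=1; }

    # An empty or comment-only authorized_keys is a lockout too: every OpenSSH
    # public key line carries a key type followed by base64 that starts "AAAA".
    grep -Eq '(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) AAAA' "$keys" \
        || { echo "$keys contains no public key line"; rc=1; }
    return $rc
}

# make_demo_home <dir-mode> <file-mode>
# Builds a throwaway home directory so the check can be rehearsed without
# touching /home/app. The key line is constructed and is not a real key.
make_demo_home() {
    local home
    home=$(mktemp -d)
    mkdir -m "$1" "$home/.ssh"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataForDemoOnly demo@example" \
        > "$home/.ssh/authorized_keys"
    chmod "$2" "$home/.ssh/authorized_keys"
    echo "$home"
}

# Stand-alone demo; on the real server run:  check_ssh_dir /home/app app
good=$(make_demo_home 700 600)
check_ssh_dir "$good" "$(id -un)" && echo "ok: $good would let the key log in"
sloppy=$(make_demo_home 755 644)
check_ssh_dir "$sloppy" "$(id -un)" || echo "fix the above before logging out"
rm -rf "$good" "$sloppy"
```

On the server itself the call is check_ssh_dir /home/app app; keep the original session open until it prints nothing and a second terminal has logged in with the key.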

2. Change the SSH Port

Most brute-force bots scan port 22. Moving SSH to a higher port won’t stop determined attackers, but it will reduce random noise in your logs.
Edit the SSH config:

    sudo nano /etc/ssh/sshd_config
    # find the Port line and set it to:
    Port 2222

3. Harden SSH Settings

While still editing /etc/ssh/sshd_config, add or modify these lines:

    PermitRootLogin no
    MaxAuthTries 3
    MaxSessions 2
    TCPKeepAlive no
    PasswordAuthentication no
    ClientAliveInterval 3000
    ClientAliveCountMax 0
    AllowUsers app

What these do:

  • PermitRootLogin no - root login is forbidden.
  • MaxAuthTries 3 - after 3 failed attempts, the connection drops.
  • MaxSessions 2 - limits simultaneous open SSH sessions per connection.
  • TCPKeepAlive no - avoids lingering TCP connections.
  • PasswordAuthentication no - passwords disabled; only SSH keys work.
  • ClientAliveInterval / ClientAliveCountMax - idle sessions get disconnected after ~50 minutes.
  • AllowUsers app - only the app account can log in.

4. Install and Update the Firewall

First, install UFW if it’s not already present:

    sudo apt update
    sudo apt install -y ufw
    # Set a default-deny policy and allow outgoing connections:
    sudo ufw default deny incoming
    sudo ufw default allow outgoing

Update Firewall Rules

    # Allow the new SSH port & remove the old one
    sudo ufw allow 2222/tcp
    sudo ufw delete allow 22/tcp
    # Allow HTTP and HTTPS traffic
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp

Enable the firewall:

    sudo ufw enable
    sudo ufw status verbose

Restart and Test

    sudo sshd -t && sudo systemctl restart ssh
    # From another terminal:
    ssh -p 2222 app@your-server-ip
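Two things trip people up at this step. On Ubuntu 22.10 and later, ssh is socket-activated by systemd (ssh.socket), so a changed Port in sshd_config only takes effect once the socket's ListenStream is updated as well (or ssh.socket is disabled and ssh.service enabled); the test from a second terminal is what tells you which case you are in. And the ClientAlive directives disconnect clients that stop answering the server's alive probes, not merely idle ones, and per sshd_config(5) a ClientAliveCountMax of 0 disables that termination altogether. The script below is an added example written for this post, not code from the original, and ties steps 2 to 4 together as a pre-restart lockout check: it reads the effective values from an sshd_config, compares them with the settings in this post, and confirms that the ufw status output allows the port sshd will listen on. It assumes POSIX sh plus awk and grep as on Ubuntu; the helper names and the sample config and status files are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-restart lockout check
# covering steps 2 to 4. Reads effective values from an sshd_config,
# compares them with this post's policy, and confirms the `ufw status`
# output allows the port sshd will listen on. Assumes POSIX sh, awk, grep
# as on Ubuntu; helper names and the sample files are constructed.

# sshd_directive <config-file> <Directive>
# sshd takes the FIRST occurrence of a directive, case-insensitively, and
# ignores comments and blank lines. Match blocks and Include files are
# not followed here (run `sshd -T` for the fully resolved config).
sshd_directive() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }' "$1"
}

# audit_sshd_config <config-file>
# Prints one line per deviation; returns the number of deviations.
audit_sshd_config() {
    local cfg="$1" bad=0 rule key want have
    for rule in Port=2222 PermitRootLogin=no MaxAuthTries=3 MaxSessions=2 \
                TCPKeepAlive=no PasswordAuthentication=no AllowUsers=app; do
        key=${rule%%=*}; want=${rule#*=}
        have=$(sshd_directive "$cfg" "$key")
        if [ -z "$have" ]; then
            echo "$key: not set, sshd default applies"; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "$key: is '$have', policy wants '$want'"; bad=$((bad + 1))
        fi
    done
    # sshd_config(5): a ClientAliveCountMax of 0 disables connection
    # termination, so the intended timeout never fires.
    if [ "$(sshd_directive "$cfg" ClientAliveCountMax)" = "0" ]; then
        echo "ClientAliveCountMax: 0 disables the timeout; use a non-zero count"
        bad=$((bad + 1))
    fi
    return $bad
}

# ufw_allows_tcp <port> <file-with-ufw-status-output>
# Matches both `ufw status` (ALLOW) and `ufw status verbose` (ALLOW IN) lines.
ufw_allows_tcp() {
    grep -Eq "^$1/tcp[[:space:]]+ALLOW( IN)?[[:space:]]" "$2"
}

# pre_restart_check <config-file> <file-with-ufw-status-output>
# Returns 1 if restarting sshd would leave you unable to reconnect.
pre_restart_check() {
    local cfg="$1" status="$2" port rc=0
    port=$(sshd_directive "$cfg" Port); [ -n "$port" ] || port=22
    if ufw_allows_tcp "$port" "$status"; then
        echo "ok: firewall allows tcp/$port, matching sshd Port"
    else
        echo "STOP: sshd will listen on tcp/$port but the firewall does not allow it"; rc=1
    fi
    if [ "$port" != 22 ] && ufw_allows_tcp 22 "$status"; then
        echo "note: 22/tcp is still allowed; delete that rule once $port is confirmed"
    fi
    return $rc
}

# write_demo_files <dir>: constructed sshd_config and ufw status samples.
write_demo_files() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sample with this post's settings
Port 2222
PermitRootLogin no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
PasswordAuthentication no
ClientAliveInterval 3000
ClientAliveCountMax 0
AllowUsers app
EOF
    cat > "$1/ufw_status" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
EOF
}

# Stand-alone demo on the constructed files. On a real host:
#   sudo ufw status > /tmp/ufw.txt
#   audit_sshd_config /etc/ssh/sshd_config; pre_restart_check /etc/ssh/sshd_config /tmp/ufw.txt
demo=$(mktemp -d)
write_demo_files "$demo"
audit_sshd_config "$demo/sshd_config" || echo "-> fix the items above before restarting ssh"
pre_restart_check "$demo/sshd_config" "$demo/ufw_status"
rm -rf "$demo"
```

Run on the post's own settings, the audit flags exactly one item, the ClientAliveCountMax of 0, and the firewall check passes because 2222/tcp is allowed; on a live host, run it between sudo sshd -t and the systemctl restart, and only after a second terminal has connected on the new port delete the old 22/tcp rule.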

5. Retire the Default ubuntu User

Once the new account is confirmed working:

    sudo deluser --remove-home ubuntu

(Alternatively, just lock it: sudo usermod --lock ubuntu)

Your server now:

  • Runs SSH on port 2222 with key-only login.
  • Only accepts logins from app.
  • Blocks root login.
  • Limits brute-force attempts.
  • Has a firewall allowing only SSH (2222), HTTP (80), and HTTPS (443).
