When you first launch an Ubuntu server, cloud providers often give you a default ubuntu user with SSH open on port 22. It’s convenient, but also predictable, and predictable accounts are prime targets for automated attacks.
In this post, we'll:
- Create a new admin user.
- Switch SSH to a non-default port.
- Enforce key-based login only.
- Restrict access to specific users.
- Delete the default user.
1. Create a New Admin User
We’ll replace the generic ubuntu account with our own, here called app.
```bash
# Create the user
sudo adduser app
# Add to the sudo (admin) group
sudo usermod -aG sudo app
```
Copy your SSH public key into this account so you can log in without a password:
```bash
sudo mkdir -p /home/app/.ssh
sudo cp /home/ubuntu/.ssh/authorized_keys /home/app/.ssh/
sudo chown -R app:app /home/app/.ssh
sudo chmod 700 /home/app/.ssh
sudo chmod 600 /home/app/.ssh/authorized_keys
```
2. Change the SSH Port
Most brute-force bots scan port 22. Moving SSH to a higher port won’t stop determined attackers, but it will reduce random noise in your logs.
Edit the SSH config:
```bash
sudo nano /etc/ssh/sshd_config
```
Find the Port line and set it to:
```
Port 2222
```
3. Harden SSH Settings
While still editing /etc/ssh/sshd_config, add or modify these lines:
```
PermitRootLogin no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
PasswordAuthentication no
ClientAliveInterval 3000
ClientAliveCountMax 0
AllowUsers app
```
What these do:
- PermitRootLogin no - root login is forbidden.
- MaxAuthTries 3 - after 3 failed attempts, the connection drops.
- MaxSessions 2 - limits simultaneous open SSH sessions per connection.
- TCPKeepAlive no - avoids lingering TCP connections.
- PasswordAuthentication no - passwords disabled; only SSH keys work.
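- ClientAliveInterval / ClientAliveCountMax - idle sessions get disconnected after ~50 minutes. Note that sshd_config(5) in current OpenSSH documents a ClientAliveCountMax of 0 as disabling connection termination, so check the man page for the version you run.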
- AllowUsers app - only the app account can log in.
4. Install and Update the Firewall
First, install UFW if it’s not already present:
```bash
sudo apt update
sudo apt install -y ufw
# Set a default-deny policy and allow outgoing connections:
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
Update Firewall Rules
```bash
# Allow the new SSH port and remove the old one
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
# Allow HTTP and HTTPS traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```
Enable the firewall:
```bash
sudo ufw enable
sudo ufw status verbose
```
Restart and Test
```bash
sudo sshd -t && sudo systemctl restart ssh
# From another terminal:
ssh -p 2222 app@your-server-ip
```
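Before retiring the default account, it helps to confirm that sshd actually loaded the values set above, since a syntax check alone does not show which settings are in effect. The following is an added example, not part of the original post: a shell function that compares `sshd -T` output with the post's settings (the function name `check_sshd_effective` and the sample data are assumptions made for this example).

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Assumed usage on the server: sudo sshd -T | check_sshd_effective

# Expected effective settings, copied from the post's sshd_config lines.
# `sshd -T` prints keywords in lowercase, one "keyword value" pair per line.
EXPECTED='port 2222
permitrootlogin no
maxauthtries 3
maxsessions 2
tcpkeepalive no
passwordauthentication no
clientaliveinterval 3000
clientalivecountmax 0
allowusers app'

# Reads `sshd -T` output on stdin, prints one line per setting that differs,
# and returns the number of differing settings (0 means everything matches).
check_sshd_effective() (
  actual=$(cat)
  bad=0
  while read -r key want; do
    # Collect every value for this keyword; AllowUsers is printed once per
    # user, so an extra allowed account shows up as "app ubuntu" != "app".
    got=$(printf '%s\n' "$actual" | awk -v k="$key" '
      $1 == k { sub(/^[^ ]+ +/, ""); v = (v == "" ? "" : v " ") $0 }
      END { print v }')
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $key: expected '$want', got '${got:-<unset>}'"
      bad=$((bad + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  exit "$bad"
)

# Constructed sample: the port change did not take effect and the default
# account is still allowed to log in.
SAMPLE_DRIFTED=$(printf '%s\n' "$EXPECTED" | sed 's/^port 2222$/port 22/'
                 echo 'allowusers ubuntu')

printf '%s\n' "$SAMPLE_DRIFTED" | check_sshd_effective || echo "$? setting(s) differ"
```

Run it from the session you already have open, and only move on to removing the ubuntu user once it reports no mismatches.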
5. Retire the Default ubuntu User
Once the new account is confirmed working:
```bash
sudo deluser --remove-home ubuntu
```
(Alternatively, just lock it: sudo usermod --lock ubuntu)
Now Your Server:
- Runs SSH on port 2222 with key-only login.
- Only accepts logins from app.
- Blocks root login.
- Limits brute-force attempts.
- Has a firewall allowing only SSH (2222), HTTP (80), and HTTPS (443).