Disable root login

1. Create new user useradd -m username.
2. Set password passwd username.
3. Optional: Add user to sudoers usermod -aG sudo username.
4. Edit /etc/ssh/ssh_config or /etc/ssh/sshd_config and add:

# Authentication: PermitRootLogin no AllowUsers username 

Might need to look for other config files being included that might override this setting (grep -r "PermitRootLogin" /etc/ssh/).

Harden SSH

1. Disable empty password:

PermitEmptyPasswords no 

1. Limit the number of authentication tries per connection:

MaxAuthTries 3 

1. Changed to ssh version 2:

Include /etc/ssh/sshd_config.d/*.conf Protocol 2 

Disable plain text authentication

1. Connecting with SSH key:

UsePAM no PasswordAuthentication no 

ssh-keygen 

Restart SSH service

1. Restart ssh service sudo systemctl restart ssh or sudo systemctl restart sshd.

Prevent brute force attacks

1. Install fail2ban or sshguard to ban IPs that fail to authenticate after a certain number of attempts.

References

• 13 Ways to secure SSH server
• How To Set up SSH Keys on a Linux / Unix System
• sshd_config
• ssh_config
• ssh-keygen
• useradd
• passwd
• usermod
• fail2ban
• sshguard