How to Harden Ssh on Ubuntu Server with Key-based Authentication and Fail2ban

Learning how to harden SSH on Ubuntu Server with key-based authentication and Fail2ban is essential for protecting your server from unauthorized access and brute force attacks. SSH hardening involves implementing multiple security layers that make it extremely difficult for attackers to gain access to your system. This comprehensive guide will walk you through the process of securing your Ubuntu server by disabling password authentication, configuring SSH keys, and implementing Fail2ban to automatically block suspicious IP addresses.

SSH is the primary method for remotely managing Linux servers, making it a prime target for attackers. Default SSH configurations often leave servers vulnerable to various attack vectors, including password brute force attempts and unauthorized access. By implementing proper SSH hardening techniques, you’ll significantly reduce your server’s attack surface and protect sensitive data.

This tutorial covers three critical security measures: configuring SSH key-based authentication to eliminate password vulnerabilities, modifying SSH daemon settings to restrict access, and deploying Fail2ban to automatically detect and block malicious login attempts. You’ll also learn how to configure custom SSH ports and implement additional security measures that enterprise administrators use to protect production servers.

Prerequisites and Requirements for SSH Hardening on Ubuntu Server

Before you begin implementing how to harden SSH on Ubuntu Server with key-based authentication and Fail2ban, ensure you meet these essential requirements. You’ll need root or sudo access to your Ubuntu server, as most configuration changes require administrative privileges. This tutorial assumes you’re working with Ubuntu 20.04 LTS or newer, though the steps apply to most recent Ubuntu versions.

You should have basic command-line experience and understand fundamental Linux concepts like file permissions and service management. Familiarity with text editors like nano or vim is necessary for editing configuration files. Additionally, ensure you have a reliable internet connection and access to your server through SSH or direct console access.

The estimated completion time is 30-45 minutes, depending on your experience level. You’ll also need access to your client machine where you’ll generate SSH keys. If you’re working with a production server, schedule this maintenance during a low-traffic period and ensure you have alternative access methods available in case of configuration issues.

Important: Always test these configurations on a development server first. Keep your current SSH session open while making changes, and open a second session to test new settings before closing the original connection.

Step-by-Step Guide to Harden SSH on Ubuntu Server with Key Authentication

This event shares similarities with: How to Harden Nginx Ssl/tls Configuration for Enhanced Security

Step 1: Generate SSH Key Pair on Client Machine

Begin by creating an SSH key pair on your local machine. This replaces password authentication with cryptographic keys, providing superior security. Open your terminal and run the following command:

ssh-keygen -t rsa -b 4096 -C "[email protected]"

When prompted for a file location, press Enter to use the default path. Set a strong passphrase when prompted – this adds an extra security layer to your private key. The command generates two files: a private key (id_rsa) and a public key (id_rsa.pub) in your ~/.ssh directory.

Step 2: Copy Public Key to Ubuntu Server

Transfer your public key to the server using the ssh-copy-id utility. This command automatically adds your public key to the server’s authorized_keys file:

ssh-copy-id username@your_server_ip

Replace “username” with your actual username and “your_server_ip” with your server’s IP address. Enter your current password when prompted. After successful completion, test the key-based authentication by connecting to your server – you should only need to enter your key passphrase.

Step 3: Configure SSH Daemon Settings

Now modify the SSH daemon configuration to enhance security. Open the SSH configuration file with your preferred text editor:

sudo nano /etc/ssh/sshd_config

Make these critical security changes to implement proper SSH hardening:

# Disable password authentication
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Disable root login
PermitRootLogin no

# Change default port (optional but recommended)
Port 2222

# Disable empty passwords
PermitEmptyPasswords no

# Limit login attempts
MaxAuthTries 3

# Set idle timeout
ClientAliveInterval 300
ClientAliveCountMax 2

Step 4: Restart SSH Service and Test Configuration

After making configuration changes, restart the SSH service to apply new settings:

sudo systemctl restart ssh

Before closing your current session, open a new terminal and test the connection using your new configuration. If you changed the port, use:

ssh -p 2222 username@your_server_ip

Verify that password authentication is disabled and only key-based authentication works. Keep your original session open until you confirm the new configuration functions correctly.

Installing and Configuring Fail2ban for SSH Protection

Step 5: Install Fail2ban Package

Fail2ban automatically monitors log files and bans IP addresses that exhibit suspicious behavior. Install it using the following commands:

sudo apt update
sudo apt install fail2ban -y

Verify the installation by checking the Fail2ban version:

fail2ban-client --version

Step 6: Configure Fail2ban for SSH Protection

Create a custom configuration file to avoid conflicts with package updates. Copy the default jail configuration:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the local configuration file to customize SSH protection settings:

sudo nano /etc/fail2ban/jail.local

Locate the [sshd] section and modify these parameters according to the official Fail2ban documentation:

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

These settings enable SSH monitoring on your custom port, allow only 3 failed attempts within 10 minutes, and ban offending IPs for 1 hour.

Step 7: Start and Enable Fail2ban Service

Start the Fail2ban service and enable it to start automatically on boot:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Check the service status to ensure it’s running correctly:

sudo systemctl status fail2ban

Monitor active jails and current bans using these commands:

sudo fail2ban-client status
sudo fail2ban-client status sshd

Advanced Security Measures and Troubleshooting SSH Hardening

Step 8: Implement Additional Security Measures

Enhance your SSH security further by implementing these advanced configurations. Create a dedicated SSH user group and restrict SSH access to specific users:

sudo groupadd sshusers
sudo usermod -a -G sshusers your_username

Add this line to your SSH configuration file to restrict access:

AllowGroups sshusers

Consider implementing two-factor authentication using Google Authenticator for additional security layers. You can also configure SSH to use only specific network interfaces or IP ranges using the ListenAddress directive.

Common troubleshooting issues include locked-out access due to misconfiguration. Always maintain a backup access method, such as console access or a secondary SSH key. If you encounter connection issues, check the SSH service logs:

sudo journalctl -u ssh -f

For Fail2ban troubleshooting, monitor the service logs to understand why certain IPs are being banned or not banned:

sudo tail -f /var/log/fail2ban.log

If you need to unban an IP address that was incorrectly blocked, use:

sudo fail2ban-client set sshd unbanip IP_ADDRESS

Remember to regularly update your system and review security logs. Consider implementing log monitoring solutions and intrusion detection systems for comprehensive server security. The Ubuntu Server documentation provides additional security recommendations for production environments.

You’ve successfully learned how to harden SSH on Ubuntu Server with key-based authentication and Fail2ban, creating multiple security layers that protect against common attack vectors. Your server now uses cryptographic keys instead of passwords, automatically blocks suspicious IP addresses, and implements various configuration hardening measures. These security improvements significantly reduce the risk of unauthorized access and provide a solid foundation for server security.

Regular monitoring and maintenance ensure continued protection. Review Fail2ban logs weekly, update your system regularly, and consider implementing additional security measures like intrusion detection systems or log analysis tools. This SSH hardening configuration provides enterprise-level security suitable for production environments while maintaining ease of administration for authorized users.