Hardening Production SSH: A Practical Guide to Securing Linux Fleets

These articles are AI-generated summaries. Please check the original sources for full details.

My Production SSH Configuration Was a Mess. Here’s How I Fixed It.

Engineer Saad Naeem overhauled a fleet of production servers to move beyond simple SSH setups that left systems vulnerable to global brute-force attempts. The transition involved disabling password authentication entirely to shrink the attack surface against automated scanning bots.

Why This Matters

In principle SSH is a secure tunnel, but in practice default configurations leave port 22 exposed to constant automated login attempts. Moving to Ed25519 keys and adding granular access controls such as AllowGroups is necessary to prevent unauthorized lateral movement and to limit the damage from compromised credentials in large-scale environments.

Key Insights

  • Disabling PasswordAuthentication in sshd_config is the primary defense against the high volume of brute-force attempts observed on production machines.
  • Ed25519 keys offer a modern, performant, and more secure alternative to traditional RSA keys for production authentication.
  • Restricted key usage in the authorized_keys file allows for ‘command-only’ execution, preventing full shell access for service accounts.
  • Fail2Ban serves as an active defense tool by scanning logs and automatically banning IP addresses that exhibit malicious login behavior.
  • Configuration of ClientAliveInterval and ClientAliveCountMax mitigates the risk of lingering idle sessions remaining open on production servers.

Working Examples

Disable password-based logins in /etc/ssh/sshd_config

PasswordAuthentication no

Generate a modern Ed25519 SSH key

ssh-keygen -t ed25519 -C "[email protected]"

Securely distribute public keys with correct permissions

ssh-copy-id -i ~/.ssh/my_ed25519.pub user@your_server_ip

Restricting a specific key to a single command in authorized_keys

command="/path/to/your/script.sh",no-port-forwarding,no-pty,no-user-rc,no-agent-forwarding ssh-ed25519 AAAAC3... email
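A forced-command key is only as restrictive as the options that accompany it: a `command=` entry on its own still grants a pty, port forwarding and agent forwarding, and any comma inside the quoted command must not be mistaken for an option separator. The following POSIX shell script is an added example, not code from the original post or its author. It checks a service account's authorized_keys file and reports every key that lacks a forced command or the restriction options the article lists; it goes slightly beyond the page by also accepting the single `restrict` option (OpenSSH 7.2 and later) as equivalent and by requiring `no-X11-forwarding`. The sample file, its key material placeholders and the script paths are constructed for the demonstration, and the parser assumes double-quoted option values without escaped quotes inside them.

```shell
#!/bin/sh
# Added example (not from the original post): flag authorized_keys entries
# for a service account that are not fully restricted forced-command keys.
# Assumes double-quoted option values with no escaped quotes inside them.

# $1 = authorized_keys file. Prints one finding per weak line and returns
# the number of weak lines (0 means every key is restricted). A key that
# carries "restrict" passes, because that option disables pty allocation,
# all forwarding and rc-file execution in one go.
authkeys_check() {
  awk '
    function has(o) { return index("," opts ",", "," o ",") > 0 }
    BEGIN { bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      s = $0
      # Blank out quoted values first: the comma in command="a,b" belongs
      # to the command, not to the option list, and the value may hold spaces.
      gsub(/"[^"]*"/, "\"\"", s)
      split(s, f, /[ \t]+/)
      opts = ""
      # If the first field is already a key type there is no option list.
      if (f[1] !~ /^(ssh-|ecdsa-|sk-)/) opts = f[1]
      if (opts == "") {
        print NR ": no options, so the key grants a full interactive shell"; bad++; next
      }
      if (index(opts, "command=") == 0) {
        print NR ": no forced command"; bad++; next
      }
      if (has("restrict")) next
      missing = ""
      n = split("no-pty no-port-forwarding no-agent-forwarding no-X11-forwarding no-user-rc", need, " ")
      for (i = 1; i <= n; i++) if (!has(need[i])) missing = missing " " need[i]
      if (missing != "") { print NR ": forced command but missing" missing; bad++ }
    }
    END { exit bad }
  ' "$1"
}

# Constructed sample file for the demonstration (placeholder key material).
keys=$(mktemp)
trap 'rm -f "$keys"' EXIT
cat >"$keys" <<'EOF'
# backup job: the option set from the article plus no-X11-forwarding
command="/path/to/your/script.sh",no-port-forwarding,no-pty,no-user-rc,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3... backup@example
# rotation job: "restrict" covers every no-* option; note the comma and space inside the command
restrict,command="/usr/local/bin/rotate.sh --dry-run,verbose" ssh-ed25519 AAAAC3... rotate@example
# weak: forced command, but pty and forwarding are still allowed
command="/path/to/your/script.sh" ssh-ed25519 AAAAC3... weak@example
# weak: plain key with no options at all
ssh-ed25519 AAAAC3... interactive@example
EOF

authkeys_check "$keys" || echo "weak keys: $?"
```

Run against the sample, the script reports lines 6 and 8 and exits with status 2; on a real host, point it at the service account's `~/.ssh/authorized_keys` and treat any non-zero status as a finding to fix before the key is distributed.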

Standard hardening parameters for sshd_config

AllowGroups ops developers
PermitRootLogin no
Port 2222
Protocol 2

Session and attempt limits to prevent resource exhaustion

MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 3
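The directives above are only effective if sshd actually uses them, and sshd keeps the first occurrence of each keyword and ignores later duplicates, so a hardening line appended below a distribution default never takes effect. The following POSIX shell script is an added example, not code from the original post or its author. It reads one sshd_config file, resolves the effective global value of each directive with that first-match rule (stopping at the first `Match` block, whose settings are conditional), and reports every deviation from the baseline listed above. `Port` is site-specific and `Protocol 2` is ignored by OpenSSH 7.4 and later, which only speak protocol 2, so neither is checked. The two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file
# against the baseline values listed above. Assumes the "Keyword value"
# form of directives; sshd also accepts "Keyword=value", which is not handled.

# Print the effective global value of directive $1 in file $2.
# sshd keeps the FIRST occurrence of a keyword and ignores later duplicates,
# and directives after the first "Match" line are conditional, so the scan
# stops there. Keyword matching is case-insensitive, as in sshd itself.
sshd_effective() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$2"
}

# Compare file $1 with the baseline, print one line per deviation and
# return the number of deviations (0 means the file matches).
sshd_audit() {
  findings=0
  for pair in \
    "PasswordAuthentication:no" "PermitRootLogin:no" \
    "MaxAuthTries:3" "MaxSessions:2" \
    "ClientAliveInterval:300" "ClientAliveCountMax:3"
  do
    key=${pair%%:*}; want=${pair#*:}
    got=$(sshd_effective "$key" "$1")
    if [ "$got" != "$want" ]; then
      echo "$key: effective '${got:-<unset>}', expected '$want'"
      findings=$((findings + 1))
    fi
  done
  # AllowGroups has no single correct value; only its presence is checked.
  if [ -z "$(sshd_effective AllowGroups "$1")" ]; then
    echo "AllowGroups: not set, so every local account may attempt to log in"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample configurations for the demonstration.
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat >"$good" <<'EOF'
Port 2222
AllowGroups ops developers
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 3
EOF
# Common mistake: a distribution default is left in place above the
# hardened line, so the "no" added at the bottom is silently ignored.
cat >"$bad" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 3
PasswordAuthentication no
EOF

sshd_audit "$good" && echo "sample 1: matches baseline"
sshd_audit "$bad" || echo "sample 2: $? deviation(s)"
```

For the second sample the script reports `PasswordAuthentication: effective 'yes'` and the missing `AllowGroups`, and exits with status 2. On distributions whose sshd_config starts with an `Include` of a drop-in directory, the included files are parsed first and win under the same first-match rule; there, save the output of `sshd -T` (run as root, it prints the merged effective configuration in lowercase keyword-value form) to a file and audit that instead, since the functions match keywords case-insensitively.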

Installing Fail2Ban for automated IP banning

sudo apt update && sudo apt install fail2ban

Practical Applications

  • Use Case: Restricting service accounts to execute only specific scripts using the ‘command=’ option in authorized_keys. Pitfall: Failing to automate key distribution with tools like Ansible leads to manual errors and delayed key revocation during employee offboarding.
  • Use Case: Implementing group-based access with AllowGroups to ensure only authorized teams can access production environments. Pitfall: Changing the default SSH port without first updating firewall rules, resulting in a total lockout from the server.
