Secure SSH Connection to Prevent Brute Force Attacks
The default SSH port (22) is hit constantly by automated scanners trying common usernames and passwords. Moving SSH to another port takes your server out of most of that background noise; it does not stop an attacker who scans every port, so this guide also covers the settings that actually defeat brute force: disabling root and password logins, limiting attempts, and banning repeat offenders with fail2ban.
📋 Prerequisites
- A VPS server with root or sudo access
- An active SSH connection
- UFW installed and configured (see the tutorial Install UFW)
⚠️ IMPORTANT: Keep an SSH session open
Important: Before starting, keep a second SSH session open. If something goes wrong, you can still connect through it and fix the problem. Also check that you can reach the server's VNC/KVM console from your control panel: a session that is already open survives an sshd restart, but a dropped connection will not come back if the new configuration is broken.
Open two SSH terminals in parallel:
- Terminal 1: Working session (to make modifications)
- Terminal 2: Backup session (just in case)
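A backup terminal only helps while it stays connected. The script below, added here as an example and not part of the original guide, adds a second safety net: it backs up sshd_config, arms a timer that restores the backup and restarts sshd after a delay, and is disarmed only once you have logged in on the new port. Assumptions: the systemd unit is named `ssh` (Debian/Ubuntu), the hardened config is staged in `/etc/ssh/sshd_config.new`, and the backup goes to `/etc/ssh/sshd_config.bak`; all three names are placeholders. Run it without arguments for an offline demonstration on temporary files, or as root with `apply` for real use.

```shell
#!/bin/sh
# Added example, not from the page: a dead-man's switch for remote sshd changes.
# Back up the live config, arm a timer that restores it and restarts sshd,
# apply the change, and disarm the timer only after a login on the new port works.
set -eu

# How sshd is restarted after a revert. Overridable so the functions can be
# exercised on a throwaway file without root. Assumed unit name: ssh (Debian/Ubuntu).
: "${SSHD_RESTART_CMD:=systemctl restart ssh}"

# schedule_rollback CONFIG BACKUP DELAY
# Copies CONFIG to BACKUP, then starts a detached timer that after DELAY seconds
# restores BACKUP over CONFIG and runs $SSHD_RESTART_CMD. Prints the timer's PID.
# nohup keeps the timer alive if the SSH session that armed it is lost.
schedule_rollback() {
    config="$1"; backup="$2"; delay="$3"
    cp -p "$config" "$backup"
    nohup sh -c 'sleep "$1"; cp -p "$2" "$3"; sh -c "$4"' rollback \
        "$delay" "$backup" "$config" "$SSHD_RESTART_CMD" >/dev/null 2>&1 &
    echo $!
}

# cancel_rollback PID: disarm the timer once the new configuration is confirmed.
cancel_rollback() {
    kill "$1" 2>/dev/null || true
}

case "${1:-demo}" in
  apply)
    # Live use (run as root). Paths are assumed names, adjust to taste.
    PID=$(schedule_rollback /etc/ssh/sshd_config /etc/ssh/sshd_config.bak 300)
    if cp -p /etc/ssh/sshd_config.new /etc/ssh/sshd_config && sshd -t; then
        sh -c "$SSHD_RESTART_CMD"
        echo "Applied. Log in on the new port within 5 minutes, then run: kill $PID"
    else
        cancel_rollback "$PID"                   # config does not parse: revert now
        cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
        echo "sshd -t failed; original configuration restored" >&2
        exit 1
    fi
    ;;
  demo)
    # Offline demonstration on temporary files: no root, no real restart.
    SSHD_RESTART_CMD=true
    cfg=$(mktemp); bak=$(mktemp)
    echo "Port 22" > "$cfg"
    pid=$(schedule_rollback "$cfg" "$bak" 1)
    echo "Port 2222" > "$cfg"                    # a change nobody confirms
    sleep 2
    echo "after timeout without confirmation: $(cat "$cfg")"
    pid=$(schedule_rollback "$cfg" "$bak" 1)
    echo "Port 2222" > "$cfg"
    cancel_rollback "$pid"                       # confirmed: disarm
    sleep 2
    echo "after confirmation: $(cat "$cfg")"
    rm -f "$cfg" "$bak"
    ;;
esac
```

The timer is started with `nohup` on purpose: a background job started from a plain script is hung up together with the SSH session that started it, which is exactly the moment you need the revert to fire.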
🔧 Change SSH Port
Step 1: Choose a new port
Choose a port between 1024 and 65535 that nothing else on the server listens on (`sudo ss -tlnp` shows what is in use). Ports to avoid:
- 22 (default SSH port, heavily targeted)
- 80, 443 (HTTP/HTTPS)
- 3306, 5432 (databases)
Examples: 2222, 2200, 1022, 5000. None of these is "secure" in itself; a different port only keeps the server out of mass scans aimed at port 22, and 2222 is the most commonly probed alternative, so a less obvious number is better. Note that any local user can bind a port above 1023, so on a shared system another process could take sshd's place if sshd ever stops. The other sections of this guide are the actual protection.
Step 2: Modify SSH configuration
```bash
# Edit SSH configuration file
sudo nano /etc/ssh/sshd_config
```
On Debian and Ubuntu this file begins with `Include /etc/ssh/sshd_config.d/*.conf`. sshd keeps the first value it reads for each directive, so a drop-in file in that directory silently overrides anything you set further down in sshd_config. Check `ls /etc/ssh/sshd_config.d/` before you edit.
Step 3: Change the port
Find the line #Port 22 and modify it:
```
# Before
#Port 22
# After (replace 2222 with your chosen port)
Port 2222
```
Tip: Use Ctrl + W in nano to search for "Port 22"
Step 4: Save and quit
In nano:
Ctrl + X to quit, then Y to confirm and Enter to save.
Step 5: Verify syntax
```bash
# Verify that the configuration is valid
sudo sshd -t
```
If this command prints nothing, the configuration is valid. A line such as `Deprecated option Protocol` is a warning, not an error. The test only parses the files; `sudo sshd -T` (used again in the final verification) prints the effective values, including those taken from drop-in files.
Step 6: Allow the new port in UFW
```bash
# Allow the new SSH port (replace 2222 with your port); ufw applies it immediately
sudo ufw allow 2222/tcp

# Verify that the rule is active
sudo ufw status | grep 2222

# Only after Step 8 has confirmed the new port works: remove the old rule.
# If UFW was set up with the application profile ("ufw allow OpenSSH"),
# use "sudo ufw delete allow OpenSSH" instead.
sudo ufw delete allow 22/tcp
```
Keep the rule for port 22 until the test in Step 8 succeeds; otherwise a typo in the new port locks you out of both.
Step 7: Restart SSH service
```bash
# Restart SSH with the new configuration. The unit is "ssh" on Debian/Ubuntu
# (sshd is an alias there) and "sshd" on RHEL-family systems. Existing sessions stay up.
sudo systemctl restart ssh

# Verify that SSH is running and listening on the new port
sudo systemctl status ssh
sudo ss -tlnp | grep ':2222'
```
On Ubuntu 22.10 and later sshd is socket-activated (check with `systemctl status ssh.socket`). In that mode the listening port belongs to the socket unit, and `ss` shows `systemd` as the listener. Run `sudo systemctl daemon-reload` and `sudo systemctl restart ssh.socket` after changing the port: Ubuntu 24.04 generates the socket's port from sshd_config, while earlier releases need `sudo systemctl edit ssh.socket` with a `[Socket]` section containing an empty `ListenStream=` followed by `ListenStream=2222`.
Step 8: Test the new connection
In a new terminal, test the connection with the new port:
```bash
# Replace 2222 with your port and user@your-ip with your credentials
ssh -p 2222 user@your-ip
```
If the connection works, you can close the old session on port 22 and remove the old firewall rule from Step 6.
🔒 Additional Security Options
Disable root login
Important: Disabling root login over SSH is a sound practice, because every brute force bot tries `root` first. Make sure you have a user with sudo configured, and that you have logged in as that user over SSH, before making this change. `no` also refuses root logins with a key; use `prohibit-password` (the Debian/Ubuntu default) if automation needs key-based root access.
```bash
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config

# Find and modify this line
PermitRootLogin no

# Save, verify and restart
sudo sshd -t
sudo systemctl restart ssh
```
Limit connection attempts
```bash
sudo nano /etc/ssh/sshd_config

# Add or modify these lines (keep comments on their own line:
# older OpenSSH rejects trailing comments with "garbage at end of line")
# Maximum 3 authentication attempts per connection
MaxAuthTries 3
# Disconnect a client that has not authenticated within 30 seconds
LoginGraceTime 30
```
Every public key the client offers counts as one attempt, so with several keys loaded in ssh-agent you can be rejected before the right one is tried. Either raise MaxAuthTries or set `IdentitiesOnly yes` with the correct `IdentityFile` in the client's `~/.ssh/config`.
Disable password authentication (use only SSH keys)
```bash
sudo nano /etc/ssh/sshd_config

# Modify these lines
PasswordAuthentication no
PubkeyAuthentication yes
```
Warning: Only enable this after you have installed an SSH key and verified a key-based login from a second terminal! Then check that nothing re-enables passwords: on Ubuntu cloud images `/etc/ssh/sshd_config.d/50-cloud-init.conf` sets `PasswordAuthentication yes`, and because that directory is included at the top of sshd_config and sshd keeps the first value it reads, the drop-in wins. Put your setting in a file that sorts earlier, such as `/etc/ssh/sshd_config.d/00-hardening.conf`, and confirm the effective value with `sudo sshd -T | grep -i passwordauthentication`. Set `KbdInteractiveAuthentication no` as well (named ChallengeResponseAuthentication before OpenSSH 8.7), or PAM can still prompt for a password.
Use only SSH protocol version 2
Modern OpenSSH (7.4 and later, released in 2016) only speaks protocol version 2 and ignores this directive; `sshd -t` reports it as `Deprecated option Protocol`. It is only worth adding on an older OpenSSH:
```bash
sudo nano /etc/ssh/sshd_config
# Add this line (if it doesn't exist) on OpenSSH older than 7.4
Protocol 2
```
Disable X11 tunnels (if you don't need them)
```bash
sudo nano /etc/ssh/sshd_config
# Modify this line
X11Forwarding no
```
Recommended complete configuration
Here is a complete secure SSH configuration to put in /etc/ssh/sshd_config (or, on Debian/Ubuntu, in a drop-in such as /etc/ssh/sshd_config.d/00-hardening.conf so it sorts before other drop-ins). Directives must appear above any `Match` block, and comments go on their own lines:
```
# Custom SSH port
Port 2222

# Disable root login
PermitRootLogin no

# Connection limits: attempts per connection and time allowed to authenticate
MaxAuthTries 3
LoginGraceTime 30

# Disable password authentication (only once key login is tested)
# PasswordAuthentication no
# KbdInteractiveAuthentication no
# PubkeyAuthentication yes

# SSH protocol version 2 only (ignored, with a deprecation warning, on OpenSSH 7.4+)
Protocol 2

# Disable X11 forwarding
X11Forwarding no

# Disable TCP tunnels (also blocks -L/-D tunnels and ProxyJump through this host)
AllowTcpForwarding no

# Keepalive: probe the client every 300 s and drop it after 2 unanswered probes.
# This removes dead connections after 10 minutes; it is not an idle-user timeout.
ClientAliveInterval 300
ClientAliveCountMax 2
```
After each modification, don't forget to:
```bash
# Verify syntax
sudo sshd -t

# Restart SSH (unit "ssh" on Debian/Ubuntu, "sshd" on RHEL-family systems)
sudo systemctl restart ssh
```
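Editing sshd_config by hand works, but it is easy to leave a directive commented out, to add a second `Port` line, or to drop a setting below a `Match` block where it no longer applies globally. The script below, added here as an example and not part of the original guide, applies the settings from this section idempotently: it rewrites an existing directive in place whether it is active (`Port 22`) or commented out (`#Port 22`), and inserts a missing one above the first `Match` block or at the end. The file path is a parameter, so try it on a copy before pointing it at /etc/ssh/sshd_config; the sample file at the bottom is a constructed stand-in for a distribution default, not a real file.

```shell
#!/bin/sh
# Added example, not from the page: apply the page's sshd settings to a config
# file idempotently. A directive is rewritten in place whether it is active or
# commented out; a missing one is inserted above the first "Match" block
# (everything below Match is conditional) or appended if there is none.
set -eu

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    tmp=$(mktemp)
    # The file is read twice: pass 1 locates the line to rewrite in the global
    # section, pass 2 emits the result.
    awk -v key="$key" -v value="$value" '
    BEGIN {
        k = tolower(key)
        active    = "^[[:space:]]*" k "([[:space:]]|$)"
        commented = "^[[:space:]]*#[[:space:]]*" k "([[:space:]]|$)"
        target = 0; ctarget = 0; matchline = 0; done = 0
    }
    NR == FNR {
        if (matchline == 0 && tolower($1) == "match") matchline = FNR
        if (matchline == 0 && target == 0 && tolower($0) ~ active) target = FNR
        if (matchline == 0 && ctarget == 0 && tolower($0) ~ commented) ctarget = FNR
        next
    }
    FNR == 1 { if (target == 0) target = ctarget }   # prefer the active line, else the commented one
    FNR == target { print key " " value; done = 1; next }
    target == 0 && FNR == matchline { print key " " value; done = 1 }
    { print }
    END { if (!done) print key " " value }
    ' "$file" "$file" > "$tmp"
    cat "$tmp" > "$file"     # cat, not mv: keeps the original owner and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: the global value sshd would take from this file.
# First active occurrence wins, exactly as sshd resolves duplicates. Include
# files are not followed here; "sshd -T" is the authority for the effective value.
get_sshd_option() {
    awk -v key="$2" 'BEGIN { k = tolower(key) }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT: the settings recommended on this page
# (password authentication is left alone, as in the page's template).
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" MaxAuthTries 3
    set_sshd_option "$1" LoginGraceTime 30
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" X11Forwarding no
    set_sshd_option "$1" AllowTcpForwarding no
    set_sshd_option "$1" ClientAliveInterval 300
    set_sshd_option "$1" ClientAliveCountMax 2
}

# Offline demonstration on a constructed stand-in for a distribution default.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
X11Forwarding yes
Match User deploy
    PasswordAuthentication yes
EOF
harden_sshd_config "$demo" 2222
harden_sshd_config "$demo" 2222      # a second run changes nothing
cat "$demo"
echo "effective Port: $(get_sshd_option "$demo" Port)"
rm -f "$demo"
```

After running it against a real file, still finish with `sudo sshd -t` and `sudo sshd -T`: the script does not follow `Include`, so a drop-in in /etc/ssh/sshd_config.d/ can still override what it wrote.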
🔄 Create a user with sudo (if necessary)
If you have disabled root login, make sure you have a user with sudo privileges (the group is `sudo` on Debian/Ubuntu and `wheel` on RHEL-family systems), and test an SSH login as that user before you lock root out:
```bash
# Create a new user
sudo adduser myuser

# Add the user to the sudo group
sudo usermod -aG sudo myuser

# Test that the user can use sudo
su - myuser
sudo whoami
# Should display "root"
```
✅ Final Verification
Verify that SSH is working
```bash
# Check service status (unit "ssh" on Debian/Ubuntu, "sshd" on RHEL-family systems)
sudo systemctl status ssh

# Verify that SSH is listening on the correct port (ss replaces the deprecated netstat;
# on socket-activated Ubuntu releases the listener shows up as systemd, not sshd)
sudo ss -tlnp | grep ':2222'
# or, if net-tools is installed
sudo netstat -tlnp | grep ssh

# Show the effective configuration, including values from drop-in files
sudo sshd -T | grep -iE '^(port|permitrootlogin|passwordauthentication|maxauthtries) '
```
Verify SSH logs
```bash
# Follow authentication events live. Debian 12 has no /var/log/auth.log unless
# rsyslog is installed; use the journal there.
sudo tail -f /var/log/auth.log
sudo journalctl -u ssh -f

# View successful connections
sudo grep "Accepted" /var/log/auth.log

# View failed attempts
sudo grep -E "Failed password|Invalid user" /var/log/auth.log
```
🛡️ Additional Protection with fail2ban
fail2ban is a tool that automatically blocks IPs that attempt brute force attacks.
Install fail2ban
```bash
sudo apt update
sudo apt install fail2ban -y
```
Basic configuration
```bash
# jail.conf is replaced on package upgrades, so put your changes in jail.local.
# It only needs the settings you override; jail.conf stays as the reference.
sudo nano /etc/fail2ban/jail.local
```
Recommended configuration for SSH:
```ini
[DEFAULT]
# Addresses that are never banned, for example your own network.
# 127.0.0.1/8 is the default; three typos of your own password would
# otherwise lock you out for an hour.
# ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24
# Read sshd events from the journal. Required on Debian 12, which has no
# /var/log/auth.log unless rsyslog is installed; needs the python3-systemd package.
backend = systemd

[sshd]
enabled = true
# Your new SSH port
port = 2222
# Number of failures before a ban
maxretry = 3
# Ban duration in seconds (1 hour)
bantime = 3600
# Window in which the failures are counted (10 minutes)
findtime = 600
```
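The `maxretry`/`findtime` pair is easy to misjudge: three failures count only if they fall inside one ten-minute window. The script below, added here as an example and not fail2ban's own code, re-implements that sliding-window rule over sshd log lines (the same "Failed password" lines the log checks in the previous section grep for), so you can see which source addresses the jail above would ban from a given log. It assumes RFC 3339 timestamps, rsyslog's default on recent Debian, all on the same calendar day; the sample lines are constructed, in sshd's real message formats, using documentation address ranges.

```shell
#!/bin/sh
# Added example, not fail2ban's code: the maxretry/findtime rule of the sshd jail
# re-implemented over sshd log lines. Assumes RFC 3339 timestamps on one day.
set -eu

# write_sample_log FILE: constructed sample lines (documentation address ranges).
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-10T12:00:01.000000+00:00 vps sshd[1201]: Accepted publickey for alice from 198.51.100.5 port 50001 ssh2
2024-01-10T12:00:05.000000+00:00 vps sshd[1202]: Invalid user admin from 203.0.113.7 port 51234
2024-01-10T12:00:05.100000+00:00 vps sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-01-10T12:00:09.000000+00:00 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-01-10T12:00:14.000000+00:00 vps sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
2024-01-10T12:00:20.000000+00:00 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51260 ssh2
2024-01-10T12:05:00.000000+00:00 vps sshd[1210]: Failed password for bob from 192.0.2.44 port 40001 ssh2
2024-01-10T12:30:00.000000+00:00 vps sshd[1220]: Failed password for bob from 192.0.2.44 port 40002 ssh2
2024-01-10T12:31:00.000000+00:00 vps sshd[1221]: Failed password for bob from 192.0.2.44 port 40003 ssh2
2024-01-10T12:31:30.000000+00:00 vps sshd[1222]: Accepted password for bob from 192.0.2.44 port 40004 ssh2
EOF
}

# find_bruteforcers FILE MAXRETRY FINDTIME
# Prints, once each, every source IP with at least MAXRETRY "Failed password"
# events inside a sliding FINDTIME-second window. "Invalid user" lines are not
# counted separately (each is followed by a "Failed password" line for the same
# attempt), and successful logins never count.
find_bruteforcers() {
    awk -v maxretry="$2" -v findtime="$3" '
    function secs(ts,   d, t) {               # "2024-01-10T12:00:05.1+00:00" -> 43205
        split(ts, d, "T"); split(d[2], t, ":")
        return t[1] * 3600 + t[2] * 60 + substr(t[3], 1, 2)   # whole seconds only
    }
    /sshd\[[0-9]+\]: Failed password for / && match($0, /from [0-9.]+ port/) {
        ip = substr($0, RSTART + 5, RLENGTH - 10)   # strip "from " and " port"
        now = secs($1)
        n[ip]++; seen[ip, n[ip]] = now
        hits = 0
        for (i = 1; i <= n[ip]; i++)               # failures still inside the window
            if (seen[ip, i] > now - findtime) hits++
        if (hits >= maxretry && !(ip in banned)) { banned[ip] = now; print ip }
    }' "$1"
}

log=$(mktemp)
write_sample_log "$log"
echo "banned with maxretry=3 findtime=600:"
find_bruteforcers "$log" 3 600   # 203.0.113.7 only: bob's three failures never fit in 10 minutes
rm -f "$log"
```

With the jail's values, 203.0.113.7 is banned at its third failure (three within nine seconds) and 192.0.2.44 is not, because its first failure falls outside the ten-minute window when the third one arrives. Rerun with `findtime` 3600 and bob's address is banned too, which is the trade-off to keep in mind before raising it.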
Enable fail2ban
```bash
# Start fail2ban now and on every boot
sudo systemctl enable --now fail2ban

# Check status
sudo systemctl status fail2ban

# Show the sshd jail: failure counters and currently banned IPs
sudo fail2ban-client status sshd

# Lift a ban, for example after mistyping your own password three times
sudo fail2ban-client set sshd unbanip 203.0.113.7
```
🆘 Troubleshooting
Cannot connect via SSH anymore
If you are locked out of the server:
- Use your backup session (Terminal 2 that you kept open).
- If you don't have a backup session:
  - Contact Infrawire support (from your account; never send passwords or private keys)
  - Use the VNC/KVM console from your control panel
  - Connect directly and restore the old configuration:
```bash
sudo nano /etc/ssh/sshd_config
# Put back Port 22 (and re-allow 22/tcp in UFW if you removed it)
sudo sshd -t
sudo systemctl restart ssh
```
SSH port is not responding
```bash
# Verify that SSH is listening on the port
sudo ss -tlnp | grep ':2222'

# Verify that the port is open in UFW
sudo ufw status | grep 2222

# Check SSH logs (unit "ssh" on Debian/Ubuntu, "sshd" on RHEL-family systems)
sudo journalctl -u ssh -n 50
```
If all three look right and the port still times out from outside, check for a firewall in front of the server (a provider-level firewall or security group in the control panel), which must allow the new port as well.
Need to connect with the old port temporarily
If you need to connect with the old port (22) before removing it, sshd must still accept it: sshd listens on every `Port` line in its configuration, so keeping both `Port 22` and `Port 2222` during the migration is the safest approach. Then:
```bash
# Temporarily allow port 22
sudo ufw allow 22/tcp

# Connect
ssh -p 22 user@your-ip

# Once connected, remove the rule
sudo ufw delete allow 22/tcp
```
❓ Frequently Asked Questions
Q: What port should I choose for SSH?
A: Choose a port between 1024 and 65535 that no other service on the server uses (`sudo ss -tlnp` shows what is listening). Avoid common ports (80, 443, 3306, etc.). Ports like 2222, 2200, or 1022 work; 2222 is the most frequently scanned alternative, so a less obvious number attracts even less noise.
Q: Can I use the same port for multiple services?
A: No. On a given address only one program can listen on a TCP port at a time (TCP and UDP are separate, so a UDP service may share the number). sshd itself can listen on several ports if you add more than one `Port` line.
Q: Do I really need to change the SSH port?
A: It is not a security control on its own, but it is cheap and cuts the noise in your logs dramatically, which makes real attacks easier to spot. Key-only authentication and fail2ban are what actually stop brute force; do those regardless of the port.
Q: Is fail2ban necessary if I changed the port?
A: No, but it is a recommended additional layer: scanners do find non-standard ports, and fail2ban bans repeat offenders whichever port they hit.
Q: How do I connect with the new port from an SSH client?
A: Use the -p option: `ssh -p 2222 user@your-ip`. To avoid typing it every time, add a `Host` entry with `Port 2222` to `~/.ssh/config` on your workstation; scp and sftp read the same file (their own flag is `-P`, uppercase).
Good security! 🚀