SSH (Secure Shell) is the keyring to your infrastructure. If an attacker gains SSH access, the game is over. Default configurations are rarely secure enough for production environments exposed to the internet.
Disable Password Authentication
Passwords are the weakest link. They can be guessed, brute-forced, or stolen. SSH keys (RSA 4096-bit or Ed25519) are cryptographically secure. Once you have copied your public key to the server, disable password authentication in /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication no
Change the Default Port
Automated bots scour the internet scanning port 22. Changing your SSH port to something non-standard (e.g., 2244) won't stop a targeted attack, but it eliminates 99% of automated background noise and keeps your logs cleaner.
Root Login: Just Don't
Never allow direct login as root. If an attacker knows the username is "root", they only need to crack the password. Log in as a regular user and escalate privileges with sudo.
PermitRootLogin no
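The following added example (not part of the original article) audits sshd_config text for the three settings above and the port, including two cases that are easy to miss: sshd keeps the first value it reads for a keyword, and a Match block can re-enable what the global section disabled. It assumes upstream OpenSSH defaults for missing keywords and does not follow Include files; the function name audit and the sample config are constructed for illustration.

```python
import re

# Upstream OpenSSH defaults, applied when a keyword is absent (assumption:
# the distribution has not changed them at build time).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password", "port": "22"}
# Newer OpenSSH treats ChallengeResponseAuthentication as a deprecated alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
WANTED = {"passwordauthentication": "no", "kbdinteractiveauthentication": "no",
          "permitrootlogin": "no"}

def audit(config_text):
    """Return findings for sshd_config text; an empty list means it passes."""
    glob, ports, findings, match = {}, [], [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # simplification: drop comments
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"')
        if key == "match":
            match = value                        # conditional block starts
        elif match is not None:
            # Match blocks override the global value for matching connections.
            if key in WANTED and value.lower() != WANTED[key]:
                findings.append(f"Match {match}: {key} {value}")
        elif key == "port":
            ports.append(value)                  # Port may appear several times
        else:
            glob.setdefault(key, value)          # sshd keeps the FIRST value it reads
    for key, want in WANTED.items():
        got = glob.get(key, DEFAULTS[key]).lower()
        if got != want:
            findings.append(f"global: {key} {got}")
    if "22" in (ports or [DEFAULTS["port"]]):
        findings.append("global: port 22")
    return findings

# Constructed sample: the early "yes" wins over the later "no".
SAMPLE = """\
Port 2244
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a live host, `sshd -T` prints the effective configuration with Include files resolved and is the authoritative check.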
MFA for SSH
For critical infrastructure, keys aren't enough. Implement Multi-Factor Authentication (MFA) using Google Authenticator or YubiKey. This requires an attacker to have both your private key AND your physical 2FA device to gain access.
Audit and Rotate
Keys shouldn't be eternal. Employees leave; laptops get stolen. Establishing a policy for SSH key rotation or using short-lived certificates (via tools like HashiCorp Vault) ensures that compromised keys expire automatically.
