====== Secure SSH Access and Best Practices for Ubuntu 22.04 VPS ======

This guide covers how to disable root SSH access and apply common security best practices for a public-facing Ubuntu 22.04 VPS.

===== 🔐 Disable Root Login via SSH =====

  * Edit the SSH daemon config:

  sudo nano /etc/ssh/sshd_config

  * Find or add the following line:

  PermitRootLogin no

//Optional: Use `prohibit-password` to allow only SSH key login for root.//

  * Restart the SSH service:

  sudo systemctl restart sshd

  * Test the new configuration **in another terminal session** before logging out.

===== ✅ Essentials =====

  * Create a non-root user with sudo:

  adduser youruser
  usermod -aG sudo youruser

  * Use SSH keys instead of passwords:

On your local machine:

  ssh-keygen -t ed25519
  ssh-copy-id youruser@your.vps.ip

In ''/etc/ssh/sshd_config'', ensure:

  PasswordAuthentication no

  * Keep the system updated:

    sudo apt update && sudo apt upgrade

  * Enable unattended upgrades (optional):

    sudo apt install unattended-upgrades
    sudo dpkg-reconfigure --priority=low unattended-upgrades

  * Enable a basic firewall:

  sudo ufw allow OpenSSH
  sudo ufw enable

===== 🛡️ Medium-Hardening =====

  * **Fail2ban:**

Protects against brute-force SSH attacks.

  sudo apt install fail2ban

  * **Change default SSH port:**

In ''/etc/ssh/sshd_config'', modify:

  Port 2222

//Reduces automated scan noise.//

  * **Check open ports:**

  sudo ss -tuln

  * **Set up logging/monitoring:**

Options include:

  * ''journalctl''
  * ''logwatch''
  * Lightweight metrics: Prometheus + Node Exporter or Netdata

===== 📦 Optional Extras =====

  * **Automatic security updates:**  
Already covered via `unattended-upgrades`.

  * **AppArmor status:**  
Ubuntu uses it by default. Verify with:

  sudo aa-status

  * **Backups:**  
Use `rsync`, `restic`, or cloud snapshot tools.

  * **Restrict sudo access:**  
Edit with:

  sudo visudo

  * **Two-Factor Authentication for SSH:**  
Tools like `libpam-google-authenticator`.

===== ✅ Quick Checklist =====

  - 🔲 Root SSH login disabled
  - 🔲 Password login disabled
  - 🔲 SSH key authentication configured
  - 🔲 Non-root user with sudo created
  - 🔲 UFW firewall enabled
  - 🔲 Fail2ban installed
  - 🔲 System updates enabled
  - 🔲 Backup strategy defined

----

//Last reviewed: 06/06/2025//