This guide covers how to disable root SSH access and apply common security best practices for a public-facing Ubuntu 22.04 VPS.

• Edit the SSH daemon config:

sudo nano /etc/ssh/sshd_config

• Find or add the following line:

PermitRootLogin no

Optional: Use `prohibit-password` to allow only SSH key login for root.

• Restart the SSH service:

sudo systemctl restart sshd

• Test the new configuration in another terminal session before logging out.

• Create a non-root user with sudo:

adduser youruser
usermod -aG sudo youruser

• Use SSH keys instead of passwords:

On your local machine:

ssh-keygen -t ed25519
ssh-copy-id [email protected]

In /etc/ssh/sshd_config, ensure:

PasswordAuthentication no

• Keep the system updated:

  sudo apt update && sudo apt upgrade

• Enable unattended upgrades (optional):

  sudo apt install unattended-upgrades
  sudo dpkg-reconfigure --priority=low unattended-upgrades

• Enable a basic firewall:

sudo ufw allow OpenSSH
sudo ufw enable

• Fail2ban:

Protects against brute-force SSH attacks.

sudo apt install fail2ban

• Change default SSH port:

In /etc/ssh/sshd_config, modify:

Port 2222

Reduces automated scan noise.

• Check open ports:

sudo ss -tuln

• Set up logging/monitoring:

Options include:

• journalctl
• logwatch
• Lightweight metrics: Prometheus + Node Exporter or Netdata

• Automatic security updates:

Already covered via `unattended-upgrades`.

• AppArmor status:

Ubuntu uses it by default. Verify with:

sudo aa-status

• Backups:

Use `rsync`, `restic`, or cloud snapshot tools.

• Restrict sudo access:

Edit with:

sudo visudo

• Two-Factor Authentication for SSH:

Tools like `libpam-google-authenticator`.

1. 🔲 Root SSH login disabled
2. 🔲 Password login disabled
3. 🔲 SSH key authentication configured
4. 🔲 Non-root user with sudo created
5. 🔲 UFW firewall enabled
6. 🔲 Fail2ban installed
7. 🔲 System updates enabled
8. 🔲 Backup strategy defined

Last reviewed: 06/06/2025