📅 February 03, 2026
5 分钟阅读
DevOps / Infrastructure

How to SSH Into a Server Safely

A guide to securely connecting to servers via SSH, covering essential practices like │ using SSH keys, disabling password authentication, changing default ports, limiting │ user access, and employing firewalls and intrusion detection.

Beginner

Connecting to a server using SSH (Secure Shell) is a fundamental task for system administrators and developers. While SSH provides an encrypted channel, it's essential to configure it securely to protect your server from unauthorized access. This guide covers key practices for safe SSH connections.

1. Use SSH Key-Based Authentication

SSH keys are significantly more secure than passwords. They involve a pair of cryptographic keys: a private key (kept secret on your local machine) and a public key (placed on the server).

  • Generate Keys: On your local machine, use ssh-keygen to create a key pair. bash ssh-keygen -t rsa -b 4096 You'll be prompted to enter a passphrase for your private key. Use a strong one.
  • Copy Public Key to Server: Use ssh-copy-id to easily transfer your public key to the server. bash ssh-copy-id username@your_server_ip This command appends your public key to the ~/.ssh/authorized_keys file on the server.

2. Disable Password Authentication

Once SSH key authentication is working, disable password logins to prevent brute-force attacks.

  • Edit SSH Configuration: Open the SSH daemon configuration file on the server. bash sudo nano /etc/ssh/sshd_config
  • Modify Settings: Find and change the following lines: PasswordAuthentication no # If you are using root login, ensure it's also disabled: # PermitRootLogin no
  • Restart SSH Service: Apply the changes by restarting the SSH service. bash sudo systemctl restart sshd

3. Change the Default SSH Port

The default SSH port (22) is a common target for automated scans. Changing it can reduce unwanted traffic.

  • Edit SSH Configuration: In /etc/ssh/sshd_config, find the Port 22 line and change 22 to a different, unused port number (e.g., 2222). Port 2222
  • Update Firewall: Ensure your firewall allows traffic on the new port. bash sudo ufw allow 2222/tcp sudo ufw delete allow ssh # Remove the old rule for port 22
  • Restart SSH Service: bash sudo systemctl restart sshd When connecting, you'll need to specify the new port: ssh -p 2222 username@your_server_ip.

4. Limit User Access

Restrict SSH access to only necessary users.

  • Disable Root Login: Set PermitRootLogin no in /etc/ssh/sshd_config. Always log in as a regular user and use sudo for administrative tasks.
  • Allow Specific Users/Groups: Use AllowUsers or AllowGroups directives in sshd_config to whitelist specific accounts. AllowUsers your_user another_user

5. Use a Firewall

Configure your server's firewall (e.g., ufw) to only allow SSH connections from trusted IP addresses or networks.

  • Example with UFW: bash sudo ufw allow from trusted_ip_address to any port 2222 proto tcp # Or to allow from a specific subnet # sudo ufw allow from 192.168.1.0/24 to any port 2222 proto tcp Remember to also allow other necessary ports for your applications.

6. Implement Fail2Ban

Fail2Ban scans log files for malicious activity (like repeated failed login attempts) and automatically updates firewall rules to block offending IP addresses.

  • Install Fail2Ban: bash sudo apt install fail2ban
  • Configure: It usually works out-of-the-box for SSH, but you can customize its settings in /etc/fail2ban/jail.local.

7. Keep Software Updated

Regularly update your server's operating system and SSH software to patch any known vulnerabilities.

sudo apt update && sudo apt upgrade -y

By implementing these practices, you significantly enhance the security of your SSH connections and protect your server from unauthorized access.