Secure Shell (SSH) is one of the most critical services exposed on Linux servers.
A poorly configured SSH server can lead to:
- Brute-force attacks
- Credential stuffing
- Privilege escalation
- Unauthorized remote access
- Lateral movement within infrastructure
This script automates the hardening of OpenSSH servers following modern security best practices.
This hardening script aims to:
- Reduce attack surface
- Enforce strong authentication
- Disable insecure configurations
- Improve auditability
- Protect production servers
Features:
- Automatic backup
- Disable root login
- Disable password authentication
- Public key authentication only
- Limit authentication attempts
- Disable empty passwords
- Disable X11 forwarding
- Disable agent forwarding
- Disable TCP forwarding
- Restrict login grace period
- Configure idle session timeout
- Validate SSH configuration
- Safe service restart
Before running this script:
- Ensure your SSH public key is installed:

```bash
ssh-copy-id user@server
```

- Verify public key authentication works:

```bash
ssh user@server
```

- Open a second SSH session before applying changes and keep it open until a fresh key-based login against the new configuration has succeeded.

Never harden SSH without testing key-based access first.
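A pre-flight check for the lockout risk described above, added here as an example and not part of the hardening script: before PasswordAuthentication and PermitRootLogin are switched off, it confirms that a chosen non-root account actually holds a well-formed public key in its authorized_keys. The function names (`has_usable_key`, `preflight`) and the authorized_keys parsing are our own; they accept the key types current OpenSSH recognises.

```bash
#!/usr/bin/env bash
# Added pre-flight check (not part of the hardening script): once the script
# sets PasswordAuthentication no and PermitRootLogin no, the only way in is a
# non-root account with a usable key. Verify that before running it.

# has_usable_key <authorized_keys file>: 0 if at least one well-formed key line exists.
has_usable_key() {
  local keyfile="$1" line
  [ -s "$keyfile" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # skip blank lines and comments
    # A key line is: [options] <type> <base64 blob> [comment]. Options such as
    # from="..." or no-pty may precede the type, so the type is matched anywhere.
    if [[ "$line" =~ (^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+=* ]]; then
      return 0
    fi
  done < "$keyfile"
  return 1
}

# preflight <username>: the account must exist, must not be root, and must hold a key.
preflight() {
  local user="$1" home
  if [ "$user" = "root" ]; then
    echo "[-] use a non-root account: PermitRootLogin will be set to no"
    return 1
  fi
  home=$(getent passwd "$user" | cut -d: -f6)
  if [ -z "$home" ]; then
    echo "[-] no such user: $user"
    return 1
  fi
  if has_usable_key "$home/.ssh/authorized_keys"; then
    echo "[+] $user has a usable public key in $home/.ssh/authorized_keys"
    return 0
  fi
  echo "[-] no usable key in $home/.ssh/authorized_keys; run ssh-copy-id first"
  return 1
}

# Usage: ./preflight.sh <username>  (the account you will keep administering with)
if [ -n "${1:-}" ]; then
  preflight "$1"
fi
```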
```bash
#!/usr/bin/env bash
##########################################################
# Enterprise SSH Hardening Script
#
# Author: DevSecOps Community
#
# Tested on:
# - Ubuntu
# - Debian
# - Rocky Linux
# - AlmaLinux
# - CentOS
##########################################################
set -euo pipefail

SSH_CONFIG="/etc/ssh/sshd_config"
BACKUP_DIR="/etc/ssh/backups"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
BACKUP_FILE="$BACKUP_DIR/sshd_config.$TIMESTAMP"
# The new configuration is staged here and only moved into place after
# sshd has validated it, so a mistake can never leave a broken live config.
STAGED_CONFIG="$SSH_CONFIG.hardened.$TIMESTAMP"

##########################################################
# Root Check
##########################################################
if [ "$EUID" -ne 0 ]; then
  echo "Please run as root."
  exit 1
fi

##########################################################
# Locate the SFTP server binary
##########################################################
# Debian/Ubuntu ship it under /usr/lib, RHEL derivatives under /usr/libexec.
# internal-sftp is built into sshd and works on every distribution.
if [ -x /usr/lib/openssh/sftp-server ]; then
  SFTP_SERVER="/usr/lib/openssh/sftp-server"
elif [ -x /usr/libexec/openssh/sftp-server ]; then
  SFTP_SERVER="/usr/libexec/openssh/sftp-server"
else
  SFTP_SERVER="internal-sftp"
fi

##########################################################
# Create Backup
##########################################################
echo "[+] Creating backup..."
mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"
cp -p "$SSH_CONFIG" "$BACKUP_FILE"
echo "[+] Backup created:"
echo "$BACKUP_FILE"

##########################################################
# Apply Hardening
##########################################################
echo "[+] Writing hardened configuration..."
cat > "$STAGED_CONFIG" <<EOF
##########################################################
# Enterprise Hardened SSH Configuration
##########################################################
Port 22
# Protocol is ignored by modern OpenSSH (only protocol 2 exists); harmless on older releases.
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
MaxSessions 2
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
PermitUserEnvironment no
IgnoreRhosts yes
HostbasedAuthentication no
UsePAM yes
PrintMotd no
TCPKeepAlive no
Compression no
LogLevel VERBOSE
Subsystem sftp $SFTP_SERVER
EOF
chmod 600 "$STAGED_CONFIG"

##########################################################
# Validate Configuration
##########################################################
echo "[+] Validating configuration..."
if ! sshd -t -f "$STAGED_CONFIG"; then
  echo "[-] Validation failed. Live configuration untouched; staged file left at $STAGED_CONFIG"
  exit 1
fi
mv "$STAGED_CONFIG" "$SSH_CONFIG"
echo "[+] Configuration valid and installed."

##########################################################
# Restart SSH
##########################################################
# Debian/Ubuntu name the unit "ssh", RHEL derivatives "sshd".
echo "[+] Restarting SSH service..."
if systemctl is-active --quiet ssh; then
  systemctl restart ssh
elif systemctl is-active --quiet sshd; then
  systemctl restart sshd
else
  echo "[!] No running ssh/sshd unit found; the new configuration applies on next start."
fi
# Keep the current session open and confirm a fresh key-based login works before logging out.
echo "[+] SSH hardening completed successfully."
```

PermitRootLogin no
Prevents direct root access; administrators log in as themselves and escalate with sudo.

Benefits:
- Limits privilege escalation
- Forces accountability
- Improves auditing

PasswordAuthentication no

Only SSH keys can be used.

Benefits:
- Stops password brute-force attacks
- Eliminates weak passwords
- Stronger authentication

PermitEmptyPasswords no

Prevents authentication without credentials.

MaxAuthTries 3

Reduces brute-force effectiveness by capping authentication attempts per connection.

MaxSessions 2

Limits concurrent shell, login or subsystem sessions per network connection.

ClientAliveInterval 300
ClientAliveCountMax 2

Disconnects inactive users: the server probes the client every 300 seconds and closes the connection after 2 unanswered probes (10 minutes). Note that a connected but idle client still answers these probes, so this acts as a dead-connection timeout rather than a strict idle-typing timeout.

Benefits:
- Reduces the window for hijacking abandoned sessions
- Improves resource management

AllowTcpForwarding no

Prevents SSH tunnel abuse (port forwarding and pivoting through the server).

AllowAgentForwarding no

Reduces credential theft risks: a compromised server cannot use a forwarded agent to authenticate elsewhere.

X11Forwarding no

Reduces attack surface.

LogLevel VERBOSE

Provides detailed audit information, including the fingerprint of the key used for each login.

Useful for:
- Incident response
- Compliance
- Forensics
Install Fail2Ban (on RHEL-based systems the package comes from EPEL and is installed with dnf):

```bash
sudo apt install fail2ban
```

Protects against:
- Brute-force attacks
- Password spraying
- Credential stuffing

Allow SSH through the host firewall and enable it (RHEL-based systems use firewalld instead of ufw):

```bash
sudo ufw allow 22/tcp
sudo ufw enable
```

Restricts network exposure.

Changing the port:

```
Port 2222
```

Not a security control by itself.
Only reduces automated scans.

Restrict who can log in, by user:

```
AllowUsers devops
```

or by group:

```
AllowGroups sshusers
```

Limits who can connect. Make sure the account you verified key-based login with is covered by the allow list before restarting sshd.
Verify configuration:

```bash
sshd -T
```

Check service status:

```bash
systemctl status ssh
```

Test connection:

```bash
ssh user@server
```

Summary:
- Backup configuration
- Disable root login
- Disable password authentication
- Public key authentication only
- Limit authentication attempts
- Session timeout
- Disable forwarding
- Increased logging
- Validate configuration
- Safe restart
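The `sshd -T` check above and the directives explained earlier can be combined into a compliance audit; the following is an added example, not part of the hardening script. `sshd -T` prints the resolved configuration (defaults and any Include'd drop-ins applied) as lowercase "key value" lines, so auditing it catches drift that grepping sshd_config alone would miss. The function name `audit_sshd_dump`, the baseline list and the constructed sample dump are our own.

```bash
#!/usr/bin/env bash
# Added example (not part of the hardening script): audit the effective sshd
# configuration, as printed by `sshd -T`, against the values the script
# enforces. The baseline mirrors the directives explained above; keys and
# values are written the way `sshd -T` prints them.
BASELINE="permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no
maxauthtries 3
maxsessions 2
logingracetime 30
clientaliveinterval 300
clientalivecountmax 2
allowagentforwarding no
allowtcpforwarding no
x11forwarding no
loglevel VERBOSE"

# audit_sshd_dump <file holding `sshd -T` output>
# Prints one line per deviation and returns the number of deviations (0 = compliant).
audit_sshd_dump() {
  local dump="$1" failures=0 key want have
  while read -r key want; do
    [ -n "$key" ] || continue
    have=$(awk -v k="$key" '$1 == k { print $2; exit }' "$dump")
    if [ -z "$have" ]; then
      echo "[-] $key: missing from sshd -T output"
      failures=$((failures + 1))
    elif [ "$have" != "$want" ]; then
      echo "[-] $key: expected '$want', got '$have'"
      failures=$((failures + 1))
    fi
  done <<< "$BASELINE"
  return "$failures"
}

# With a file argument, audit that dump (on a live host: sshd -T > /tmp/sshd.dump).
# Without one, audit a constructed dump in which a drop-in re-enabled passwords.
if [ -n "${1:-}" ]; then
  audit_sshd_dump "$1"
else
  SAMPLE=$(mktemp)
  printf '%s\n' "$BASELINE" | sed 's/^passwordauthentication no$/passwordauthentication yes/' > "$SAMPLE"
  audit_sshd_dump "$SAMPLE" || echo "[!] $? setting(s) deviate from the hardened baseline"
  rm -f "$SAMPLE"
fi
```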
For enterprise environments, combine this hardening with:
- Fail2Ban
- CrowdSec
- Multi-factor authentication (MFA)
- Bastion hosts
- VPN access
- SIEM monitoring
- SSH certificate authorities
- Centralized logging
- Infrastructure as Code
SSH is often the primary administrative entry point into Linux servers.
A secure SSH configuration significantly reduces the attack surface and helps protect infrastructure from unauthorized access, brute-force attacks, and privilege escalation attempts.
Hardening SSH should be one of the first security controls applied to every production server.