ssh

SSH checklist

# What port is SSH listening on?
sudo ss -tlnp | grep sshd

# Review critical sshd config settings
grep -E "^(Port|PermitRootLogin|PasswordAuthentication|MaxAuthTries|AllowUsers)" /etc/ssh/sshd_config

# Quick count of failed attempts
sudo grep "Failed password" /var/log/auth.log | wc -l

# Top offending IPs
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -20

# Recent 50 failures with timestamp
sudo grep "Failed password" /var/log/auth.log | tail -50

# Who is currently logged in
who

# More detail: IP, login time, idle
w

# All active SSH connections via socket
ss -tnp | grep :22

# SSH login history (recent)
last | grep "pts\|ssh" | head -20

# Check if installed
fail2ban-client status 2>/dev/null || echo "fail2ban NOT installed"

# Install it
sudo apt install fail2ban -y

# After install — check SSH jail status
sudo fail2ban-client status sshd

# List currently banned IPs
sudo fail2ban-client get sshd banip

⚡ One-liner Full Snapshot

echo "=== SSH PORT ===" && ss -tlnp | grep sshd && \
echo "=== FAILED LOGINS (top IPs) ===" && grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -10 && \
echo "=== ACTIVE SESSIONS ===" && w && \
echo "=== FAIL2BAN ===" && sudo fail2ban-client status sshd 2>/dev/null || echo "fail2ban not running"

SSH via private keys

# Generate key pair (anywhere/at client)
ssh-keygen -t ed25519 -C "comment (email/action...)"

# Validate by ssh to host using private key file
ssh -i $PRIVATE_KEY_PATH $USER@$HOST -p $PORT

# View public key (for copying)
cat ~/.ssh/id_ed25519.pub
# Windows
type $env:USERPROFILE\.ssh\id_ed25519.pub
# Initialize .ssh folder
mkdir -p ~/.ssh
# Copy
echo "PASTE YOUR PUBLIC KEY HERE" >> ~/.ssh/authorized_keys
# Set permission (just in case)
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

# One-liner - Add public key to the authorized_keys of host's user, create path if not exist (process at client)
cat $PUBLIC_KEY_PATH | ssh $USER@$HOST -p $PORT "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Change SSH port

Prerequisites:

# Check ssh status
which sshd
# Install sshd
sudo systemctl status ssh
# Install
sudo apt update && sudo apt install openssh-server -y

Modified sshd_config

# Find/Check location
find / -name "sshd_config" 2>/dev/null
# Edit
sudo vi /etc/ssh/sshd_config

Search & uncomment Port 22, then change to the desired port.
Restart ssh service

# Ubuntu
# Disable ssh.socket
sudo systemctl disable --now ssh.socket
sudo systemctl enable --now ssh.service
#sudo service ssh restart
sudo systemctl restart ssh

# AlmaLinux
systemctl restart sshd

Allow port via [[ufw]]/[firewalld]
Apply fail2ban

Setup script:

#!/usr/bin/env bash
set -e

### ===== CUSTOM OPTIONS =====
CUSTOM_PORT=2222
ALLOW_PASSWORD_LOGIN=true

NEWUSER="americio"
SSH_PUBLIC_KEY="ssh-ed25519 AAAA...your_key_here"
PASSWORDLESS_SUDO=false

BANTIME="1h"
FINDTIME="10m"
MAXRETRY=3
### ===========================

FILE=/etc/ssh/sshd_config

echo "💾 Backing up original sshd_config"
sudo cp "$FILE" "$FILE.backup.$(date +%F-%H%M%S)"

echo "✒️ Writing secure sshd_config..."

sudo tee "$FILE" >/dev/null <<EOF
# ===== SECURE SSH CONFIG (FRESH VPS) =====

# Port (change from default 22 reduces random bots)
Port ${CUSTOM_PORT}
# To disable IPv6 for SSH, uncomment:
# AddressFamily inet

# Authentication
PermitRootLogin no
PasswordAuthentication $( [ "$ALLOW_PASSWORD_LOGIN" = true ] && echo "yes" || echo "no" )
PermitEmptyPasswords no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# Security limits
MaxAuthTries 3
LoginGraceTime 20
MaxSessions 2

# Keepalive
ClientAliveInterval 120
ClientAliveCountMax 2

# Logging
LogLevel VERBOSE

# Default "Include" directory
Include /etc/ssh/sshd_config.d/*.conf
EOF

echo "🤔 Validating new SSH configuration..."
if sudo sshd -t; then
    echo "✅ SSH config OK. Reloading sshd..."
    sudo systemctl reload sshd
    echo "👌 SSH hardened successfully."
else
    echo "⛔ SSH config ERROR. Restoring backup..."
    sudo cp "$FILE.backup"* "$FILE"
    exit 1
fi

echo "===================================================================="

echo "🪄 Creating user: $NEWUSER"
if id "$NEWUSER" >/dev/null 2>&1; then
    echo "👻 User already exists, skipping."
else
    sudo adduser --disabled-password --gecos "" "$NEWUSER"
	GENPASS=$(openssl rand -base64 16)
	echo "$NEWUSER:$GENPASS" | sudo chpasswd
	echo "🔐 Temporary password for $NEWUSER: $GENPASS"
fi

echo "🤝 Adding $NEWUSER to sudo group"
sudo usermod -aG sudo "$NEWUSER"
sudo usermod -aG adm "$NEWUSER"
sudo usermod -s /bin/bash "$NEWUSER"

echo "🗃️ Setting up SSH directory"
sudo mkdir -p /home/$NEWUSER/.ssh
echo "$SSH_PUBLIC_KEY" | sudo tee /home/$NEWUSER/.ssh/authorized_keys >/dev/null

sudo chmod 700 /home/$NEWUSER/.ssh
sudo chmod 600 /home/$NEWUSER/.ssh/authorized_keys
sudo chown -R $NEWUSER:$NEWUSER /home/$NEWUSER/.ssh

if [ "$PASSWORDLESS_SUDO" = true ]; then
    echo "🔓 Enabling passwordless sudo for $NEWUSER"
    echo "$NEWUSER ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/90-$NEWUSER >/dev/null
    sudo chmod 440 /etc/sudoers.d/90-$NEWUSER
fi

echo "🔒 Locking root password (optional safety)"
sudo passwd -l root

echo "👌 Secure sudo user setup completed."
echo "Now log in as: ssh $NEWUSER@your-server -p $CUSTOM_PORT"

echo "===================================================================="

echo "🛡️ Configuring UFW firewall with safe defaults"

sudo ufw --force reset
sudo ufw default deny incoming
sudo ufw default allow outgoing

echo "🔓 Allowing SSH port: $CUSTOM_PORT and other common ports (http, https)"
sudo ufw limit ${CUSTOM_PORT}/tcp
sudo ufw allow http
sudo ufw allow https

echo "🚀 Enabling firewall..."
sudo ufw --force enable

echo "📋 UFW status:"
sudo ufw status verbose

echo "👌 UFW firewall configuration completed."

echo "===================================================================="

echo "📦 Installing fail2ban..."
sudo apt update
sudo apt install -y fail2ban

JAIL_LOCAL="/etc/fail2ban/jail.local"

echo "📝 Writing fail2ban jail.local..."
sudo tee $JAIL_LOCAL >/dev/null <<EOF
[DEFAULT]
bantime = ${BANTIME}
findtime = ${FINDTIME}
maxretry = ${MAXRETRY}
backend = systemd
banaction = ufw
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = ${CUSTOM_PORT}
filter = sshd
backend = systemd
logpath = journal
EOF

echo "🔄 Restarting Fail2ban..."
sudo systemctl enable --now fail2ban
sudo systemctl status fail2ban
sudo fail2ban-client status sshd
sudo systemctl restart fail2ban
sleep 2
echo "🔍 Fail2ban SSH jail status:"
sudo fail2ban-client status sshd

echo "👌 Fail2ban installed & configured."

echo "===================================================================="

echo "📦 Unattended Security Updates (auto-patch for critical CVEs)"
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

if false; then
	
	echo "===================================================================="
	echo "🔐 Enabling SSH 2FA (TOTP via Google Authenticator)"

	echo "📦 Installing TOTP PAM module..."
	sudo apt install -y libpam-google-authenticator

	echo "🪪 Generating TOTP secret for user: $NEWUSER"
	sudo -u "$NEWUSER" bash -c "google-authenticator -t -d -f -r 3 -R 30 -W --quiet"

	echo "📁 Backing up SSH PAM config..."
	sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak.$(date +%F-%H%M%S)

	echo "✒️ Updating PAM rules for TOTP"
	sudo sed -i '1i auth required pam_google_authenticator.so' /etc/pam.d/sshd

	echo "📁 Backing up sshd_config..."
	sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%F-%H%M%S)

	echo "⚙️ Configuring SSH to require BOTH publickey & TOTP"
	sudo sed -i 's/^#\?ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
	sudo sed -i 's/^#\?KbdInteractiveAuthentication.*/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config

	# Require BOTH:
	# - publickey
	# - keyboard-interactive (Google Authenticator)
	if grep -q "^AuthenticationMethods" /etc/ssh/sshd_config; then
		sudo sed -i 's/^AuthenticationMethods.*/AuthenticationMethods publickey,keyboard-interactive/' /etc/ssh/sshd_config
	else
		echo "AuthenticationMethods publickey,keyboard-interactive" | sudo tee -a /etc/ssh/sshd_config >/dev/null
	fi

	echo "🤔 Validating SSH configuration with 2FA..."
	if sudo sshd -t; then
		echo "✅ SSH config OK. Restarting sshd..."
		sudo systemctl restart sshd
		echo "🔐 SSH 2FA enabled successfully."
	else
		echo "⛔ ERROR: Invalid SSH config. Rolling back..."
		sudo cp /etc/ssh/sshd_config.bak.* /etc/ssh/sshd_config
		sudo cp /etc/pam.d/sshd.bak.* /etc/pam.d/sshd
		sudo systemctl restart sshd
		exit 1
	fi

	echo "✨ 2FA Setup Completed."
	echo "👉 IMPORTANT: Open a NEW terminal and test login before closing this session."
	echo "SSH Login now requires:"
	echo "  1) SSH private key"
	echo "  2) Google Authenticator 6-digit TOTP code"
	
	echo "===================================================================="
	
	echo "📜 Installing hardened auditd rules..."

	sudo tee /etc/audit/rules.d/hardening.rules >/dev/null << "EOF"
## ===============================
## HARDENED AUDITD SECURITY RULES
## ===============================

# Track all commands executed via sudo
-w /var/log/sudo.log -p wa -k sudo_logs

# Track changes to privileged binaries (SUID/SGID)
-w /usr/bin -p wa -k privileged-bins
-w /usr/sbin -p wa -k privileged-bins

# Track changes to essential system config
-w /etc/passwd -p wa -k passwd_changes
-w /etc/group -p wa -k group_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes

# Track SSH configuration changes
-w /etc/ssh/sshd_config -p wa -k ssh_config
-w /etc/ssh/sshd_config.d/ -p wa -k ssh_config

# Track all login/logout events, including failures
-w /var/log/faillog -p wa -k auth_failures
-w /var/log/lastlog -p wa -k auth_changes
-w /var/log/tallylog -p wa -k auth_failures

# Track modification to systemd service files
-w /etc/systemd/system/ -p wa -k systemd_changes
-w /usr/lib/systemd/system/ -p wa -k systemd_changes

# Track kernel module loading/unloading
-w /sbin/modprobe -p x -k kernel_modules
-w /usr/sbin/modprobe -p x -k kernel_modules

# Record attempts to become root
-w /bin/su -p x -k root_escalation

# Monitor unauthorized file permission or attribute changes
-a always,exit -F arch=b64 -S chmod,chown,chgrp,fchmod,fchown -k perms
-a always,exit -F arch=b32 -S chmod,chown,chgrp,fchmod,fchown -k perms

# Detect root-level shell spawning (/bin/bash executed by UID 0)
-a always,exit -F arch=b64 -S execve -F uid=0 -k root_shell
-a always,exit -F arch=b32 -S execve -F uid=0 -k root_shell

# Detect modifications to firewall rules
-w /etc/ufw/ -p wa -k ufw_changes
-w /etc/firewalld/ -p wa -k firewalld_changes

# Track crontab modifications (cron persistence attacks)
-w /etc/crontab -p wa -k cron_changes
-w /etc/cron.d/ -p wa -k cron_changes
-w /etc/cron.daily/ -p wa -k cron_changes
-w /etc/cron.hourly/ -p wa -k cron_changes

# Ensure audit configuration itself is immutable
-e 2
EOF
	echo "🔄 Reloading audit rules..."
	sudo augenrules --load
	sudo systemctl restart auditd

	echo "✅ auditd hardening rules installed!"
fi

echo "💯 Finished initial VPS Setup! Goodbye!"

Run:

curl -O https://gist.githubusercontent.com/username/abcdef1234567890/raw/harden.sh
chmod +x ./harden.sh
sudo ./harden.sh
# One-liner, no download
curl -sSL https://gist.githubusercontent.com/username/abcdef1234567890/raw/harden.sh | sudo bash

🛡️ SSH Protection Layers — Basic to Advanced

Layer 1 — Immediate Basics (Do These First) - `sshd_config`

No.	Action	Command/File
1	Change default SSH port	`Port XXXX`
2	Disable root login	`PermitRootLogin no`
3	Limit max auth tries	`MaxAuthTries 3`
4	Reduce login grace	`LoginGraceTime 30`
5	Restrict to specific user	`AllowUsers <<yourusername>>`

Layer 2 — Key-Based Auth (Eliminates Brute Force)

No.	Action	Command/File
6	Generate ed25519 keypair	`ssh-keygen -t ed25519`
7	Copy key to server	ssh-copy-id
8	Disable password auth	`PasswordAuthentication no`
9	Disable empty passwords	`PermitEmptyPasswords no`

Layer 3 — Firewall (UFW)

No.	Action	Command/File
10	Default deny all incoming	`ufw default deny incoming`
11	Allow only your SSH port	`ufw allow [YOUR_PORT]/tcp`
12	Whitelist your IP for SSH	`ufw allow from [YOUR_IP] to any port [YOUR_PORT]`
13	Enable UFW	`ufw enable`

Layer 4 — Auto-Blocking (fail2ban)

No.	Action	Command/File
14	Install fail2ban	`sudo apt install fail2ban`
15	Configure [sshd]	`jailmaxretry=5, bantime=1h`
16	Recidive jail (repeat offenders)	`bantime=-1 permanent ban`
17	Email alerts on bans	`action = %(action_mwl)`

Layer 5 — Log Monitoring (Visibility)

No.	Action	Command/File
18	Check failed logins	`grep "Failed password" /var/log/auth.log`
19	Find top attacker IPs	`awk '{print $11}' \| sort \| uniq -c \| sort -rn`
20	Verify successful logins	grep “Accepted” /var/log/auth.log
21	Watch live auth log	`tail -f /var/log/auth.log`

Layer 6 — Advanced Hardening

No.	Action	Command/File
22	Fix Docker bypassing UFW	`daemon.json → "iptables": false`
23	Bind services to localhost	`docker-compose.yml → 127.0.0.1:PORT`
24	Block Postgres publicly	ufw deny 5432
25	Nginx attack detection custom	`fail2ban filter jail`
26	Block bot scanner	`probesbotsearch-common`, `fail2ban jail`

Layer 7 — Expert Level

No.	Action	Command/File
27	Two-factor auth for SSH	libpam-google-authenticator
28	Port knocking	knockd
29	Geo-blocking by country	`geoip-shell` or `nftables`
30	Intrusion detection system	OSSEC or Wazuh
31	Centralized log monitoring	Grafana + Loki + Promtail

Swiss Army knives

Awesome tools

SSH checklist

SSH via private keys

Change SSH port

Setup script:

🛡️ SSH Protection Layers — Basic to Advanced

Layer 1 — Immediate Basics (Do These First) - `sshd_config`

Layer 2 — Key-Based Auth (Eliminates Brute Force)

Layer 3 — Firewall (UFW)

Layer 4 — Auto-Blocking (fail2ban)

Layer 5 — Log Monitoring (Visibility)

Layer 6 — Advanced Hardening

Layer 7 — Expert Level

Swiss Army knives

Awesome tools

​SSH checklist

​SSH via private keys

​Change SSH port

​Setup script:

​🛡️ SSH Protection Layers — Basic to Advanced

Layer 1 — Immediate Basics (Do These First) - sshd_config

Layer 2 — Key-Based Auth (Eliminates Brute Force)

Layer 3 — Firewall (UFW)

Layer 4 — Auto-Blocking (fail2ban)

Layer 5 — Log Monitoring (Visibility)

Layer 6 — Advanced Hardening

Layer 7 — Expert Level

SSH checklist

SSH via private keys

Change SSH port

Setup script:

🛡️ SSH Protection Layers — Basic to Advanced

Layer 1 — Immediate Basics (Do These First) - `sshd_config`