SSH Tweaks

This documentation contains various notes on SSH configuration on a Debian server. (At the time of writing, based on Debian 13.)

Disable root SSH login

Whenever possible, we want to prevent root from logging in via SSH to avoid any potential security issues.

  1. Open the SSH daemon configuration:

    sudo nano /etc/ssh/sshd_config
    
  2. Find the PermitRootLogin line, uncomment it if needed, and change the option to no.

  3. Save and close the file with Ctrl+X, Y to confirm, and Enter to select the save location.

  4. Restart the SSH server:

    sudo systemctl restart ssh
    

Disable password-based SSH login

Changing this setting enforces the use of SSH keys to log in; password logins will be blocked.

  1. Open the SSH daemon configuration:

    sudo nano /etc/ssh/sshd_config
    
  2. Find the PasswordAuthentication line, uncomment it if needed, and change the option to no.

  3. Save and close the file with Ctrl+X, Y to confirm, and Enter to select the save location.

  4. Restart the SSH server:

    sudo systemctl restart ssh
    

Change SSH port

Changing this setting changes the port that the built-in SSH server listens on.

Attention

Once you change the SSH port, you’ll need to specify the new (non-default) port when connecting directly via SSH. Use the command ssh -p 2222 user@server where 2222 is your updated SSH port.

  1. Open the SSH daemon configuration:

    sudo nano /etc/ssh/sshd_config
    
  2. Find the Port 22 line, uncomment it if needed, and change the option to 2222 (or your desired port).

  3. Save and close the file with Ctrl+X, Y to confirm, and Enter to select the save location.

  4. Restart the SSH server:

    sudo systemctl restart ssh