
How to Harden SSH on Ubuntu — Stop Brute Force Attacks

A default SSH configuration is a target for automated brute-force attacks. This guide covers setting up SSH key authentication, disabling password authentication, changing the default port, and configuring fail2ban to block attackers.

Generate and Deploy SSH Keys

On your local machine, generate a keypair:

    ssh-keygen -t ed25519 -C "your@email.com"

This generates a keypair in ~/.ssh/. Copy the public key to the server:

    ssh-copy-id -i ~/.ssh/id_ed25519.pub ubuntu@server_ip

Test key-based login:

    ssh -i ~/.ssh/id_ed25519 ubuntu@server_ip

Ed25519 keys are shorter, faster, and more secure than RSA-2048. Once you confirm key auth works, proceed to disable password authentication.

Disable Password Authentication

Edit /etc/ssh/sshd_config and set:

    PasswordAuthentication no
    PubkeyAuthentication yes
    PermitRootLogin no
    AuthorizedKeysFile .ssh/authorized_keys

Restart SSH:

    sudo systemctl restart sshd

With these settings, only someone with your private key can authenticate. Automated brute-force attacks (which try passwords) become 100% ineffective. Confirm you can still log in before closing your current session.

Change the Default SSH Port

Edit /etc/ssh/sshd_config: change Port 22 to Port 2222 (or any unused port above 1024). Update UFW:

    sudo ufw allow 2222/tcp && sudo ufw delete allow 22

Restart SSH:

    sudo systemctl restart sshd

Reconnect on the new port:

    ssh -p 2222 ubuntu@server_ip

This eliminates automated scanning noise: 99% of automated attacks only probe port 22.
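The stock sshd_config on current Ubuntu releases begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a drop-in file can override the edits above; sshd -T prints the configuration that is actually in effect. The check below is an added example, not part of the original guide: the function name audit_sshd and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the *effective* sshd settings against this guide's values.
# Reads `sshd -T` style output ("keyword value", lowercase) on stdin.
# On a server:  sudo sshd -T | audit_sshd 2222
audit_sshd() {
    awk -v want_port="$1" '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"]   = "yes"
            want["permitrootlogin"]        = "no"
        }
        $1 == "port" { ports[$2] = 1; next }   # sshd -T prints one line per port
        ($1 in want) { seen[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s\n", k; bad++
                } else if (seen[k] != want[k]) {
                    printf "FAIL %s is %s, want %s\n", k, seen[k], want[k]; bad++
                }
            }
            if (!(want_port in ports)) {
                printf "FAIL not listening on port %s\n", want_port; bad++
            }
            if (want_port != "22" && ("22" in ports)) {
                print "FAIL still listening on port 22"; bad++
            }
            exit (bad > 0)
        }'
}

# Constructed samples (not captured from a real host).
sample_hardened='port 2222
passwordauthentication no
pubkeyauthentication yes
permitrootlogin no'
# Same host, but a drop-in file has re-enabled password logins.
sample_drifted='port 2222
passwordauthentication yes
pubkeyauthentication yes
permitrootlogin no'

printf '%s\n' "$sample_hardened" | audit_sshd 2222 && echo "hardened sample: OK"
printf '%s\n' "$sample_drifted"  | audit_sshd 2222 || echo "drifted sample: NOT hardened"
```

A non-zero exit status means at least one setting differs from the guide's values, which makes the function usable from a provisioning script or a cron check.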

Install and Configure Fail2ban

Install:

    sudo apt install -y fail2ban

Create /etc/fail2ban/jail.local:

    [DEFAULT]
    bantime = 1h
    findtime = 10m
    maxretry = 3

    [sshd]
    enabled = true
    port = 2222

Start:

    sudo systemctl enable --now fail2ban

After 3 failed attempts within 10 minutes, the IP is banned for 1 hour. Check banned IPs:

    sudo fail2ban-client status sshd

Manually unban:

    sudo fail2ban-client set sshd unbanip IP_ADDRESS

Set Up SSH Config on Your Local Machine

Create or edit ~/.ssh/config:

    Host myserver
        HostName server_ip
        User ubuntu
        Port 2222
        IdentityFile ~/.ssh/id_ed25519

Now you can connect with just:

    ssh myserver

instead of remembering the port, key path, and username every time. Add multiple hosts for all your servers. This config file is stored locally and does not affect server security.


© 2026 NexWorldTech — Built for Global Dominance.