How to Secure SSH Access on Your Linux VPS
This guide shows you how to protect your VPS from attackers by setting up SSH keys, disabling root login and changing the SSH port.
Warning
Follow the steps in order. If you disable password authentication before adding your SSH key, you will lock yourself out of the server.
1. Create SSH key
First, create an SSH key pair on your local PC.
Windows (PowerShell)
ssh-keygen -t ed25519
Linux / macOS (Terminal)
ssh-keygen -t ed25519
Confirm the default path with Enter and optionally set a passphrase for additional protection.
Two files are created:
~/.ssh/id_ed25519: your private key (never share this!)
~/.ssh/id_ed25519.pub: your public key (this goes on the server)
2. Upload public key to the server
Linux / macOS
ssh-copy-id root@YOUR_SERVER_IP
Windows (PowerShell)
type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh root@YOUR_SERVER_IP "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Test
Test the connection before continuing:
ssh root@YOUR_SERVER_IP
You should be able to log in without entering a password.
3. Create a new user (optional)
Note
This step is optional. If you do not want to create a separate user, you can skip this step and continue working as root.
Optionally, you can create a separate user instead of logging in as root.
adduser myuser
Grant the user sudo rights:
usermod -aG sudo myuser
Copy the SSH key to the new user:
mkdir -p /home/myuser/.ssh
cp ~/.ssh/authorized_keys /home/myuser/.ssh/authorized_keys
chown -R myuser:myuser /home/myuser/.ssh
chmod 700 /home/myuser/.ssh
chmod 600 /home/myuser/.ssh/authorized_keys
Test
Test the login with the new user before continuing:
ssh myuser@YOUR_SERVER_IP
4. Disable root login and password authentication
Open the SSH configuration:
sudo nano /etc/ssh/sshd_config
Find and change the following line:
PasswordAuthentication no
If you created a separate user in step 3, you can also disable root login:
PermitRootLogin no
Important
Make sure your SSH key is working and you can log in via SSH key before you make these changes. Otherwise you will lock yourself out!
Save with Ctrl + O, close with Ctrl + X and restart the SSH service:
sudo systemctl restart sshd
5. Change SSH port
By default SSH runs on port 22. Changing this reduces automated brute-force attacks.
Open the SSH configuration:
sudo nano /etc/ssh/sshd_config
Find the line #Port 22 and change it to:
Port 2222
Note
Choose a port between 1024 and 65535 that is not already in use. In this example we use 2222.
If you are using UFW, allow the new port before restarting:
sudo ufw allow 2222/tcp
Restart the SSH service:
sudo systemctl restart sshd
From now on, connect with:
ssh -p 2222 root@YOUR_SERVER_IP
Important
Do not close your current SSH session until you have successfully connected in a new terminal using the new port!
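Added example (not part of the original guide): a small shell audit for the settings from steps 4 and 5, useful because sshd keeps the first value it reads for a keyword, so a "no" added below an existing "yes" has no effect. The function names and the sample config are constructed for illustration, and the check assumes you created the separate user in step 3 and so expect PermitRootLogin no.

```shell
# Added example: audit an sshd_config-style file for the settings from steps 4 and 5.
# sshd keeps the FIRST value it reads for a keyword; later duplicates are ignored.

# effective_value FILE KEYWORD: first value set outside any Match block, lowercased
effective_value() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# listen_ports FILE: every Port value (sshd listens on all of them; 22 if none is set)
listen_ports() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         tolower($1) == "port" { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# audit_sshd_config FILE: one finding per line, exit status = number of failures
audit_sshd_config() {
    audit_fails=0
    for audit_want in "PasswordAuthentication no" "PermitRootLogin no"; do
        audit_key=${audit_want% *}
        audit_got=$(effective_value "$1" "$audit_key")
        if [ "$audit_got" = "${audit_want#* }" ]; then
            echo "OK   $audit_key $audit_got"
        else
            echo "FAIL $audit_key is ${audit_got:-unset} (want ${audit_want#* })"
            audit_fails=$((audit_fails + 1))
        fi
    done
    if listen_ports "$1" | grep -qx 22; then
        echo "FAIL still listening on port 22"; audit_fails=$((audit_fails + 1))
    else
        echo "OK   Port $(listen_ports "$1" | tr '\n' ' ')"
    fi
    return "$audit_fails"
}

# Constructed sample: the "no" was appended at the end, below an existing "yes".
sample_config() {
    printf '%s\n' '# constructed sample, not a real server config' 'Port 2222' \
        'PasswordAuthentication yes' 'PermitRootLogin no' 'PasswordAuthentication no'
}

tmp=$(mktemp); sample_config > "$tmp"
audit_sshd_config "$tmp" || echo "fix the findings above before restarting sshd"
rm -f "$tmp"
```

This sketch reads a single file and does not follow Include directives. On the server itself, `sudo sshd -t` checks the configuration for errors before you restart, and `sudo sshd -T` prints the effective settings with included files resolved.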
Summary
| Measure | Effect |
|---|---|
| SSH key | Secure authentication without passwords |
| New user | No direct root access |
| Disable root login | Blocks root login attempts |
| Disable password auth | Prevents brute-force attacks |
| Change SSH port | Reduces automated attacks |