5 Best Security Practices for OpenSSH Servers

SSH (Secure Shell) is an open-source network protocol for connecting local and remote Linux servers to transfer files, make remote backups, run remote commands, and perform other network-related tasks using the SCP or sftp commands between two servers connected over a secure network channel.

In this article, I’ll show you some easy tools and strategies for improving the security of your ssh server. Here you’ll find some helpful tips for securing and preventing brute force and dictionary attacks on ssh servers.


DenyHosts is an open-source log-based intrusion prevention security script for SSH servers written in the Python programming language. It is designed to be used by Linux system administrators and users to monitor and analyze SSH server access logs for failed login attempts such as dictionary-based and brute-force attacks.

After a certain number of failed login attempts, the script bans IP addresses and prevents such attackers from obtaining access to the server.

Features of DenyHosts

  • Keeps track of all successful and failed login attempts in /var/log/secure and filters them.
  • Keeps track of the user’s and the offender host’s failed login attempts.
  • When an unsuccessful login attempt occurs, it keeps an eye on all current and non-existent users (e.g. xyz).
  • Keeps track of each offending user, host, and suspicious login attempts, and bans that host IP address by adding an entry to the /etc/hosts.deny file if there are many login failures.
  • Sends an email warning of newly blacklisted hosts and suspect logins at the user’s discretion.
  • Additionally, all valid and invalid unsuccessful user login attempts are kept in separate files, making it easier to determine which valid or invalid user is being targeted. So that we can remove or change the password on that account.


Fail2ban is one of the most widely used open-source intrusion detection and prevention frameworks written in Python. It works by looking for too many unsuccessful logins attempts in log files like /var/log/secure, /var/log/auth.log, /var/log/pwd fail, and so on.

Fail2ban is used to update the hosts.deny file in Netfilter/iptables or TCP Wrapper to refuse an attacker’s IP address for a predetermined period of time. It can also unban a blacklisted IP address for a period of time determined by the administrators. A minute of unbanning, on the other hand, is more than adequate to cease such malicious attacks.

Features of Fail2Ban

  • Highly configurable and multi-threaded.
  • Rotation of log files is supported, and it can manage numerous services such as (sshd, vsftpd, apache, etc).
  • Monitors log files for patterns that are known and unknown.
  • To ban attackers’ IP addresses, Netfilter/Iptables and the TCP Wrapper (/etc/hosts.deny) table are used.
  • When a certain pattern has been discovered for the same IP address more than X times, it executes scripts.

3. Disable Root Login

By default, Linux systems are set up to allow ssh remote logins for everyone, including the root user, allowing anyone to connect into the system and get root access. Despite the fact that ssh server provides a more secure method of disabling or enabling root logins, it’s always a good practice to disable root access to keep servers safer.

Many people are attempting to brute force root accounts via SSH assaults by repeatedly submitting different account names and passwords. If you’re a system administrator, you can look at the ssh server logs for a list of failed login attempts. The main cause of a large number of failed login attempts is the use of weak passwords, which makes sense for hackers and attackers to try.

You’re probably secure if you use strong passwords, but it’s best to disable root login and use a regular separate account to log into instead, and then use sudo or su to acquire root access when needed.

4. Display SSH Banner

This is one of the most basic capabilities accessible from the inception of the ssh project, yet I’ve never seen anyone utilize it. In any case, I consider it a significant and valuable feature that I’ve implemented on all of my Linux systems.

This isn’t for security reasons, but it does have the advantage of displaying ssh warning messages to unauthorized users and welcoming messages to authorized users before the password prompt and after the user logs in.

5. SSH Password-less Login

With SSH keygen, an SSH password-less login will establish a trust connection between two Linux servers, making file transfer and synchronization considerably easier.

This is particularly beneficial if you need to perform remote automated backups, remote scripting execution, file transfer, remote script administration, and so on without having to enter the password every time.

Feature of SSH Password-less

  • A user sends a server their username and public key.
  • The server responds with a message that is encrypted with the user’s public key.
  • With the server’s private key, the user decrypts the message.
  • The user transmits the decrypted message to the server, which checks to see if it’s valid.
  • The server authenticates the user and establishes a secure connection between the two devices if the message matches the one on the server.
  • Users do not need to redo the username input process because future connections are automated.