Secure Shell (SSH) is one of the most important components for managing your VPS USA. It allows users to securely connect to remote servers, execute commands, and manage files through an encrypted channel. However, SSH is also one of the most targeted services by hackers. If left unsecured, it can expose your VPS to brute-force attacks, unauthorized access, and data theft.
In this comprehensive guide, we’ll walk through effective methods to secure SSH access on your VPS USA and protect your system from potential threats. Whether you’re a system administrator, developer, or business owner using servers from 99RDP, these techniques will help ensure your VPS remains safe and resilient.
Why SSH Security Matters
SSH acts as the gateway to your VPS. Once an attacker gains access via SSH, they can control your system completely. This includes:
-
Installing malicious software
-
Accessing confidential files
-
Modifying configurations
-
Stealing credentials and data
In most cases, hackers use automated bots that scan thousands of IP addresses for open SSH ports and attempt brute-force attacks using common username and password combinations. Therefore, securing SSH isn’t optional — it’s essential.
Step 1: Use Strong and Unique Passwords
The simplest but often overlooked security measure is setting a strong password. Weak passwords like “admin123,” “root,” or “password” make it easy for attackers to guess your credentials.
Tips for Creating a Strong Password:
-
Use at least 12–16 characters
-
Include upper and lower case letters, numbers, and special symbols
-
Avoid dictionary words or personal information
-
Change passwords periodically
-
Use a password manager for securely storing credentials
For best results, consider disabling password authentication entirely and switching to SSH key-based authentication (discussed in the next step).
Step 2: Enable SSH Key Authentication
SSH keys are far more secure than passwords. They use a pair of cryptographic keys — a private key (stored on your local device) and a public key (stored on your VPS USA). When you log in, the VPS verifies the private key without transmitting it over the network.
How to Set Up SSH Key Authentication:
-
Generate SSH Keys on your local machine:
ssh-keygen -t rsa -b 4096You can also use ed25519 for even stronger encryption:
ssh-keygen -t ed25519 -
Copy the Public Key to Your VPS:
ssh-copy-id user@your_vps_ip -
Disable Password Authentication for additional security:
Open the SSH configuration file:sudo nano /etc/ssh/sshd_configFind and modify these lines:
PasswordAuthentication no PubkeyAuthentication yes -
Restart SSH Service:
sudo systemctl restart ssh
Once this setup is complete, only users with the private key can access the VPS.
Step 3: Change the Default SSH Port
By default, SSH runs on port 22, which is commonly targeted by bots and automated scanners. Changing this port makes it slightly harder for attackers to locate your SSH service.
To Change the SSH Port:
-
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config -
Locate the line:
#Port 22 -
Uncomment it and change it to a new port, such as 2222 or 22022:
Port 2222 -
Restart SSH:
sudo systemctl restart ssh -
Update your firewall to allow the new port:
sudo ufw allow 2222/tcp
Note: Avoid using ports below 1024 and keep a record of your new SSH port for future connections.
Step 4: Disable Root Login
Allowing direct root access via SSH is risky. If an attacker compromises the root account, they gain unrestricted control over your VPS.
To Disable Root Login:
-
Open SSH configuration:
sudo nano /etc/ssh/sshd_config -
Find the line:
PermitRootLogin yes -
Change it to:
PermitRootLogin no -
Restart the SSH service:
sudo systemctl restart ssh
Now, create a separate non-root user and assign sudo privileges to perform administrative tasks securely.
Step 5: Set Up a Firewall for SSH Protection
A firewall acts as a protective barrier between your VPS and the internet. It allows you to control incoming and outgoing traffic, ensuring only legitimate connections reach your SSH service.
Configure UFW (Uncomplicated Firewall):
-
Enable UFW:
sudo ufw enable -
Allow SSH on your chosen port:
sudo ufw allow 2222/tcp -
Deny all other unnecessary ports:
sudo ufw default deny incoming sudo ufw default allow outgoing -
Check the status:
sudo ufw status
This ensures that only authorized traffic can reach your VPS.
Step 6: Implement Fail2Ban for Brute-Force Protection
Fail2Ban automatically detects and blocks IP addresses that show malicious signs — such as multiple failed login attempts.
Install and Configure Fail2Ban:
sudo apt install fail2ban
Create a local configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the [sshd] section:
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600
Restart the service:
sudo systemctl restart fail2ban
Now, Fail2Ban will block IPs that attempt too many failed logins, reducing brute-force attack risks.
Step 7: Restrict SSH Access by IP Address
If you connect to your VPS from a fixed IP (e.g., office or home), you can restrict SSH access to that specific IP.
Example using UFW:
sudo ufw allow from your_ip_address to any port 2222
Block all other IPs from accessing SSH:
sudo ufw deny 22/tcp
This ensures that even if someone discovers your SSH port, they cannot connect unless from your whitelisted IP.
Step 8: Use Two-Factor Authentication (2FA) for SSH
Adding two-factor authentication (2FA) adds another layer of security by requiring a temporary verification code along with your SSH key.
To Enable 2FA:
-
Install Google Authenticator PAM module:
sudo apt install libpam-google-authenticator -
Run the setup:
google-authenticator -
Answer the prompts and scan the QR code using an app like Google Authenticator or Authy.
-
Edit the SSH PAM file:
sudo nano /etc/pam.d/sshdAdd this line:
auth required pam_google_authenticator.so -
Enable 2FA in the SSH configuration:
sudo nano /etc/ssh/sshd_configSet:
ChallengeResponseAuthentication yes -
Restart SSH:
sudo systemctl restart ssh
Now, every SSH login will require a time-based OTP code — making your VPS USA nearly impossible to breach with brute-force attacks.
Step 9: Monitor SSH Logs Regularly
Keep an eye on your SSH logs to identify any suspicious activity. Monitoring helps you detect unauthorized attempts early and take action promptly.
View SSH logs:
sudo cat /var/log/auth.log | grep sshd
You can also integrate monitoring tools like Grafana and Prometheus (see 99RDP’s VPS Monitoring Guide) for visual analytics and automated alerts.
Step 10: Keep Your VPS and SSH Packages Updated
Security patches are released regularly to fix vulnerabilities. Keeping your VPS up-to-date ensures you’re protected against the latest threats.
Update your VPS:
sudo apt update && sudo apt upgrade -y
For CentOS or RHEL:
sudo yum update -y
Always restart your SSH service after major updates to ensure new configurations take effect.
Final Thoughts
Securing SSH access on your VPS USA is a critical step toward maintaining server integrity and data protection. By combining key-based authentication, port modifications, firewalls, and 2FA, you can significantly reduce the risk of unauthorized access.
If you’re managing multiple servers or need reliable, pre-secured VPS solutions, check out 99RDP. Their VPS USA hosting plans come with advanced security features, easy setup options, and 24/7 support — making it easier to protect your infrastructure from potential threats.
With the right configuration and consistent monitoring, you can enjoy peace of mind knowing that your SSH access is truly secure.
Reference:
For high-performance and secure VPS hosting solutions, visit 99RDP — your trusted partner for VPS, RDP, and dedicated server services.

No comments:
Post a Comment