KBeezie

There's no place like ::1


Hardening SSH on Linux

2026/05/11 in Security

SSH is your primary door into a server — and the most heavily probed port on the internet. Before you worry about Nginx or PHP, lock this down first. If someone can guess your root password, nothing else matters.

Disclaimer: This guide is for single-admin servers. Multi-user environments and shared hosting bring additional concerns that aren't covered here.

Step 1: Create an unprivileged user

If your server was provisioned with only a root account, create a regular user before disabling root login. On Debian/Ubuntu:

useradd -m -s /bin/bash yourusername
passwd yourusername

On RHEL/Fedora:

useradd -m yourusername
passwd yourusername

Verify you can log in as this user and reach root with sudo -i or su - before proceeding. Note that sudo -i only works if the user is in the sudo group (Debian/Ubuntu) or the wheel group (RHEL/Fedora); su - needs only the root password.


Step 2: Generate an SSH key pair

On your local machine (macOS, Linux, or WSL):

ssh-keygen -t ed25519 -C "your-comment-here"

Ed25519 is the current best choice — faster than RSA, smaller key size, and not vulnerable to the side-channel concerns that affect ECDSA. Avoid RSA below 3072 bits and avoid DSA entirely (deprecated in OpenSSH 7.0+).

This creates two files:

  • ~/.ssh/id_ed25519 — Your private key. Never share this. Set a strong passphrase on it.
  • ~/.ssh/id_ed25519.pub — Your public key. This goes on servers you want to access.

Step 3: Copy your public key to the server

ssh-copy-id yourusername@yourserver.com

If your server doesn't have ssh-copy-id, do it manually:

cat ~/.ssh/id_ed25519.pub | ssh yourusername@yourserver.com \
  "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Test the key login before disabling password authentication. Tell the client not to fall back to a password, so the test only passes if the key itself works:

ssh -o PasswordAuthentication=no -i ~/.ssh/id_ed25519 yourusername@yourserver.com

Step 4: Harden sshd_config

Edit /etc/ssh/sshd_config. On recent Debian/Ubuntu releases the file begins with Include /etc/ssh/sshd_config.d/*.conf, and for most keywords the first value sshd reads wins, so a drop-in there (cloud-init's 50-cloud-init.conf on Ubuntu images commonly sets PasswordAuthentication yes) silently overrides what you write below it. Check the effective values with sshd -T. Make a backup first:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Apply these changes one at a time, reloading sshd and testing after each:

# Disable root login entirely
PermitRootLogin no

# Disable password authentication (public key only)
PasswordAuthentication no

# Disable empty passwords
PermitEmptyPasswords no

# Disable keyboard-interactive/challenge-response auth (the PAM fallback path).
# OpenSSH 8.7+ renamed this KbdInteractiveAuthentication; the old name is
# still accepted as an alias.
ChallengeResponseAuthentication no

# Only allow specific users to log in via SSH
AllowUsers yourusername

# Limit authentication attempts per connection
MaxAuthTries 3

# Reduce the login grace period (default 120 seconds is generous)
LoginGraceTime 30

# Disable X11 forwarding unless you specifically need it
X11Forwarding no

# Server-side protocol 1 was removed in OpenSSH 7.4; modern sshd accepts and
# ignores this line, so it only matters on old systems
Protocol 2

# Send a keepalive after 300 seconds without client traffic and drop the
# connection if it goes unanswered. This detects dead clients; it does not
# log out idle users, because a live client always answers the keepalive.
# Do not use ClientAliveCountMax 0: on OpenSSH 8.2+ that disables
# termination entirely.
ClientAliveInterval 300
ClientAliveCountMax 1

After each set of changes, run sshd -t to verify your config has no syntax errors, then reload (the service unit is ssh on Debian/Ubuntu, where sshd usually works as an alias, and sshd on RHEL/Fedora):

sshd -t && systemctl reload sshd

Keep your current SSH session open during testing — open a second terminal to try logging in with the new settings. If you lock yourself out, you can still revert from the first session.
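One way to confirm the settings actually took effect, as an added example that is not part of the original post: a small POSIX sh script (audit_sshd_dump, SAMPLE_DUMP and EXPECTED are my own constructed names) that compares an sshd -T dump against the Step 4 checklist. On a real server, run sshd -T as root, save the output to a file and pass that path to the function.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings ("sshd -T" prints one
# lowercase "keyword value" per line, drop-ins included) against Step 4.
# Constructed stand-in for: sshd -T > /tmp/sshd.dump  (two weak settings)
SAMPLE_DUMP='permitrootlogin prohibit-password
passwordauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no
maxauthtries 3
logingracetime 30
x11forwarding no
clientaliveinterval 300
clientalivecountmax 0
allowusers yourusername'
# Expected pairs. kbdinteractiveauthentication is the OpenSSH 8.7+ name;
# older servers print challengeresponseauthentication instead.
EXPECTED='permitrootlogin no
passwordauthentication no
permitemptypasswords no
kbdinteractiveauthentication no
maxauthtries 3
logingracetime 30
x11forwarding no
clientaliveinterval 300'
# audit_sshd_dump FILE: print one line per finding; return the count (0 = clean).
audit_sshd_dump() {
    dump=$1; findings=0
    while read -r key want; do
        have=$(awk -v k="$key" '$1 == k { print $2; exit }' "$dump")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have '${have:-unset}', want '$want'"
            findings=$((findings + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    # On OpenSSH 8.2+ ClientAliveCountMax 0 disables disconnection entirely.
    if [ "$(awk '$1 == "clientalivecountmax" { print $2 }' "$dump")" = 0 ]; then
        echo "WARN clientalivecountmax 0 disables connection termination on OpenSSH 8.2+"
        findings=$((findings + 1))
    fi
    # AllowUsers must be set at all; the exact list is site-specific.
    grep -q '^allowusers ' "$dump" || { echo "MISSING allowusers"; findings=$((findings + 1)); }
    return "$findings"
}
# Stand-alone run against the constructed sample.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_DUMP" > "$tmp"
if audit_sshd_dump "$tmp"; then echo "no findings"; else echo "findings: $?"; fi
rm -f "$tmp"
```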

Tags: ssh, ed25519, fail2ban, hardening, pubkey
©2026 KBeezie