This cannot be a complete guide, but it is a start. At least these are some things you should do every time you set up a new server. Another good guide, which also explains how to set up certificate-based authentication, can be found here.

1. Disallow Root Login via SSH

  • Create a new user and add it to the sudo group
adduser friendlyuser
usermod -aG sudo friendlyuser
  • Disallow root login via SSH: open /etc/ssh/sshd_config and uncomment or add this line
PermitRootLogin no

2. Setup UFW

UFW is a firewall. The following commands will:

  • list the application profiles UFW knows about

  • allow SSH traffic

  • enable the UFW firewall

  • check its status and all active rules

sudo ufw app list
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status

To allow any port you like, just use the allow command like this:

sudo ufw allow 1234

UFW will then update its rules.

3. Setup Fail2Ban

It is useful to install Fail2Ban because as soon as you have port 22 open, bots will start brute-forcing it. The following is only a very rough getting-started guide. For more information, please visit the project's website.

  • Install Fail2Ban
sudo apt-get install fail2ban
  • Configure it in /etc/fail2ban/fail2ban.local; you can also have a look at /etc/fail2ban/fail2ban.conf for more samples. You could do it like this:
[DEFAULT]
# addresses that are never banned (space separated), e.g. your own management host
ignoreip =
# how long a ban lasts, in seconds
bantime  = 3600
# failed attempts allowed before a ban
maxretry = 5

# jail definition; jails are conventionally kept in /etc/fail2ban/jail.local (or jail.d/)
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
  • then restart the service
sudo /etc/init.d/fail2ban restart
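Two checks that follow from step 1 and step 3, added here as an example and not part of the original guide: sshd honours the first uncommented occurrence of a keyword, so a PermitRootLogin line added at the bottom of sshd_config is overridden by an earlier one, and the per-source tally of "Failed password" lines is what Fail2Ban's sshd filter counts against maxretry. The sample sshd_config and auth.log lines are constructed; on a live host, sshd -T | grep -i permitrootlogin gives the authoritative value.

```shell
#!/bin/sh
# Added example: checks for the settings the guide edits; all sample data is constructed.

# Effective value of an sshd_config keyword. sshd uses the FIRST uncommented
# occurrence, so a "PermitRootLogin yes" higher up in the file silently wins
# over a "PermitRootLogin no" appended at the bottom. (Match blocks are not
# handled here; "sshd -T" is the authoritative check on a live host.)
sshd_effective() {                       # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }        # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Exit status 0 only when root SSH login is really disabled.
check_root_login() {                     # $1 = config file
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ]
}

# Tally "Failed password" lines per source address, the same events the
# Fail2Ban sshd filter counts against maxretry. Output: "<count> <ip>".
failed_logins_by_source() {              # $1 = auth log
    grep 'Failed password for' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
             END { for (ip in c) print c[ip], ip }' \
      | sort -rn
}

# Constructed sample: the guide's line was appended, but an earlier "yes"
# is still the effective value.
SAMPLE_SSHD=$(mktemp)
cat >"$SAMPLE_SSHD" <<'EOF'
Port 22
PermitRootLogin yes
#PermitRootLogin prohibit-password
PermitRootLogin no
EOF

# Constructed auth.log excerpt (documentation addresses from RFC 5737).
SAMPLE_AUTH=$(mktemp)
cat >"$SAMPLE_AUTH" <<'EOF'
Jan 10 12:00:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 12:00:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 10 12:00:05 host sshd[1236]: Accepted publickey for friendlyuser from 198.51.100.2 port 40000 ssh2
Jan 10 12:00:07 host sshd[1237]: Failed password for root from 192.0.2.9 port 51300 ssh2
EOF
check_root_login "$SAMPLE_SSHD" && echo "root login disabled" \
  || echo "root login still allowed: an earlier PermitRootLogin line wins"
failed_logins_by_source "$SAMPLE_AUTH"
```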