SSH Security & Key Management
Keys • Config • Fail2ban • Bastions
Linux servers
Created: 2026‑03‑17
Locking Down SSH the Right Way

SSH is the front door to your server. This guide walks through keypair generation, disabling password logins, optional port changes, Fail2ban integration, SSH config files, agent forwarding, and ProxyJump for bastion hosts.

1. SSH Keypair Generation
Client side

SSH keys replace passwords with cryptographic authentication. You generate a keypair on your workstation, then copy the public key to the server. The private key never leaves your machine.

Generate a modern key (ed25519)

ssh-keygen -t ed25519 -C "your_email@example.com"

Accept the default path (~/.ssh/id_ed25519) and choose a strong passphrase.

Copy your public key to the server

ssh-copy-id user@server.example.com

If ssh-copy-id is not available, append manually:

ssh user@server.example.com "umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys" < ~/.ssh/id_ed25519.pub

The umask and chmod calls matter: sshd's StrictModes (on by default) silently ignores authorized_keys if ~/.ssh or the file is group- or world-writable, and the resulting "Permission denied (publickey)" is a common source of confusion.
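The one-liner above does the job once, but it neither validates what it appends nor notices a key that is already there. The script below is an added example, not part of the original guide: it does what ssh-copy-id does on the server side (create ~/.ssh with mode 700 and authorized_keys with mode 600, append the key) and additionally rejects malformed input and skips keys already present. The sample key string, the optional home-directory argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: install a public key into a
# user's authorized_keys the way ssh-copy-id does, but idempotently and with
# the permissions sshd's StrictModes insists on (~/.ssh 700, file 600).
# The public key below is constructed for the demo; it is not a real key.

SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyMaterialNotARealKey0000000000000000 alice@workstation'

# install_authorized_key "<pubkey line>" [home_dir]
install_authorized_key() {
    pubkey=$1
    home_dir=${2:-$HOME}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Only accept lines that look like "<keytype> <base64> [comment]".
    case $pubkey in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"sk-ssh-ed25519@openssh.com "*) ;;
        *) echo "refusing to install a malformed key line" >&2; return 1 ;;
    esac

    # umask 077 makes every file and directory created here owner-only from
    # the moment it exists; the explicit chmods repair a pre-existing ~/.ssh.
    (umask 077 && mkdir -p "$ssh_dir" && touch "$auth_file") || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 1

    # Compare key type + key material only, so the same key with a different
    # comment does not get appended a second time.
    material=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
    if awk -v km="$material" '($1 " " $2) == km { found = 1 } END { exit !found }' "$auth_file"; then
        echo "key already present in $auth_file" >&2
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# count_key "<keytype> <base64>" FILE -> number of lines carrying that key
count_key() {
    awk -v km="$1" '($1 " " $2) == km { n++ } END { print n + 0 }' "$2"
}

# Stand-alone demo against a throwaway home directory.
demo_home=$(mktemp -d)
install_authorized_key "$SAMPLE_PUBKEY" "$demo_home"
install_authorized_key "$SAMPLE_PUBKEY" "$demo_home"   # second call is a no-op
ls -la "$demo_home/.ssh"
```

Run it with a real public key and the target user's home directory on the server; the stderr messages tell you whether the key was added or was already there.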
2. Disabling Password Logins
Server side

Once key authentication works, disable password logins to block brute‑force attacks and leaked credentials from being used against your server.

Edit sshd_config

sudo nano /etc/ssh/sshd_config

Set or update these lines (these are the current OpenSSH keyword names; ChallengeResponseAuthentication is the older alias for KbdInteractiveAuthentication and still works on older releases):

PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
PermitRootLogin prohibit-password

Turning off keyboard-interactive authentication as well is what actually closes the door: with UsePAM yes, PAM can still prompt for a password through the keyboard-interactive method even when PasswordAuthentication is no. UsePAM stays on so that PAM's account and session modules (password expiry, limits, access controls) keep running for key-based logins.

Before restarting, check that nothing overrides you: Debian and Ubuntu ship an "Include /etc/ssh/sshd_config.d/*.conf" line at the top of sshd_config, and sshd uses the first value it reads for each keyword, so a drop-in (for example one generated by cloud-init) containing PasswordAuthentication yes wins over your edit further down the main file. Run "sudo sshd -t" to validate the syntax and "sudo sshd -T" to print the effective values, then restart. The unit is called ssh on Debian/Ubuntu and sshd on RHEL-family systems; restarting does not drop sessions that are already established.

sudo systemctl restart ssh

Always keep an existing SSH session open while testing changes so you don’t lock yourself out.
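Because the drop-in trap is easy to miss, the script below makes sshd's "first value wins" rule and Include expansion visible. It is an added example, not part of the original guide and not sshd's own code: it flattens a constructed config tree the way sshd reads it and audits the effective value of the four directives set above. Two simplifications are noted in the comments, and on a real host "sudo sshd -T" remains the authority. The directory layout, the 50-cloud-init.conf file name and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: resolve the EFFECTIVE value of an
# sshd_config keyword the way sshd does. Include lines are expanded in place and,
# for each keyword, the first value encountered wins. That is why a drop-in under
# /etc/ssh/sshd_config.d/ saying "PasswordAuthentication yes" silently beats the
# "no" further down in sshd_config. The authoritative check is `sudo sshd -T`;
# this script only makes the rule visible on a constructed config tree.
# Simplifications: relative Include paths are resolved against the including
# file's directory (sshd uses /etc/ssh), and everything after the first Match
# line in a file is treated as conditional and ignored.

# flatten_config FILE: print "keyword value" lines with Includes expanded.
# The body runs in a subshell so recursion and `set -f` stay local.
flatten_config() (
    cfg=$1
    [ -r "$cfg" ] || exit 0
    dir=$(dirname "$cfg")
    set -f                                   # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # drop comments
        set -- $line                         # split into keyword + arguments
        [ $# -ge 1 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        shift
        case $key in
            include)
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat="$dir/$pat" ;; esac
                    set +f
                    for f in $pat; do flatten_config "$f"; done
                    set -f
                done ;;
            match) break ;;                  # rest of this file is conditional
            *) printf '%s %s\n' "$key" "$*" ;;
        esac
    done < "$cfg"
)

# effective_value FILE KEYWORD: the value sshd would use (empty if unset).
effective_value() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    flatten_config "$1" | awk -v k="$k" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# check FILE KEYWORD ACCEPTABLE...: pass if the effective value is one of ACCEPTABLE.
# An unset keyword falls back to the compiled-in OpenSSH default (PasswordAuthentication
# defaults to yes), so this audit insists on explicit values.
check() {
    file=$1; akey=$2; shift 2
    got=$(effective_value "$file" "$akey")
    [ -n "$got" ] || got="(unset)"
    for ok in "$@"; do
        if [ "$got" = "$ok" ]; then echo "ok    $akey = $got"; return 0; fi
    done
    echo "FAIL  $akey = $got (want one of: $*)"
    return 1
}

audit_sshd_config() {
    rc=0
    check "$1" PasswordAuthentication no            || rc=1
    check "$1" KbdInteractiveAuthentication no      || rc=1
    check "$1" PubkeyAuthentication yes             || rc=1
    check "$1" PermitRootLogin no prohibit-password || rc=1
    return $rc
}

# build_demo_tree DIR: constructed Ubuntu-style layout where a drop-in re-enables
# passwords above the hardened main file (the file name is this example's own).
build_demo_tree() {
    mkdir -p "$1/sshd_config.d"
    cat > "$1/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
# conditional block: must not count as a global value
Match User backup
    PasswordAuthentication yes
EOF
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

demo=$(mktemp -d)
build_demo_tree "$demo"
audit_sshd_config "$demo/sshd_config" || echo "drop-in wins: fix $demo/sshd_config.d/50-cloud-init.conf"
```

Point effective_value at /etc/ssh/sshd_config on a real host and it will report the same first-match result as sshd -T for global keywords; delete or edit the offending drop-in and the audit passes.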

3. Changing SSH Port (Optional)
Obscurity layer

Changing the SSH port reduces noise from automated scans but is not a substitute for keys and proper hardening. Treat it as a minor extra layer, not primary security. One caveat with ports above 1023: they are unprivileged, so if sshd is ever down, any local user can bind 2222 and answer incoming connections, whereas port 22 can only be taken by root.

Change the port

sudo nano /etc/ssh/sshd_config
Port 2222

Open the new port in the firewall before removing the old rule, so there is no moment when neither is allowed:

sudo ufw allow 2222/tcp
sudo ufw delete allow ssh

Restart SSH:

sudo systemctl restart ssh

On RHEL-family systems with SELinux enforcing, sshd will refuse to bind the new port until it is labelled ssh_port_t ("semanage port -a -t ssh_port_t -p tcp 2222"). On Ubuntu releases that start sshd through ssh.socket, confirm with "ss -tlnp" or "systemctl status ssh.socket" that the daemon is really listening on 2222. Verify from a second terminal with "ssh -p 2222 user@server.example.com" before closing your original session.

4. Fail2ban Integration
Brute‑force defense

Fail2ban monitors log files for repeated failed login attempts and bans offending IPs using your firewall (UFW, iptables, or nftables).

Install Fail2ban

sudo apt update
sudo apt install fail2ban

Basic jail for SSH

sudo nano /etc/fail2ban/jail.local
[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
findtime = 10m
bantime  = 1h

maxretry failures from one address within findtime trigger a ban lasting bantime. If you moved sshd to another port, set port to that number: the ban action only blocks the ports listed here. On hosts that log only to the systemd journal and have no /var/log/auth.log, replace the logpath line with "backend = systemd" so Fail2ban reads the journal instead. Keep overrides in jail.local; jail.conf is replaced on package upgrades.

Restart Fail2ban:

sudo systemctl restart fail2ban

Check status

sudo fail2ban-client status sshd

The output lists the currently banned addresses. To release one you banned by mistake (your own office IP, for example), run "sudo fail2ban-client set sshd unbanip <address>", and add trusted ranges to ignoreip in the [DEFAULT] section of jail.local so they are never banned in the first place.
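What the jail actually does with those log lines, as an added example that is not Fail2ban's own code: a sliding-window counter over constructed auth.log entries that bans an address at the moment it reaches maxretry matching failures inside findtime seconds. Only the "Failed password" and "Invalid user" patterns are modelled; the real filter in /etc/fail2ban/filter.d/sshd.conf matches more. The log lines, host name and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: the core of the sshd jail,
# reimplemented over constructed log lines so the thresholds are visible.
# An address is banned once it accumulates maxretry matching failures within
# findtime seconds. Only two of the patterns from /etc/fail2ban/filter.d/sshd.conf
# are modelled ("Failed password" and "Invalid user"); the real filter covers more.
# The syslog timestamp carries no year, so all lines are assumed to be one day.

# Constructed sample of /var/log/auth.log (documentation address ranges only).
SAMPLE_AUTH_LOG='Mar 17 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 17 10:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 17 10:00:05 web1 sshd[1205]: Invalid user oracle from 203.0.113.7 port 51041
Mar 17 10:00:07 web1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Mar 17 10:00:09 web1 sshd[1207]: Connection closed by authenticating user root 203.0.113.7 port 51055 [preauth]
Mar 17 10:00:11 web1 sshd[1209]: Failed password for deploy from 198.51.100.22 port 40010 ssh2
Mar 17 10:00:12 web1 sshd[1211]: Failed password for root from 203.0.113.7 port 51060 ssh2
Mar 17 10:00:20 web1 sshd[1213]: Accepted publickey for deploy from 198.51.100.22 port 40012 ssh2: ED25519 SHA256:ConstructedFingerprintForThisDemo
Mar 17 10:45:00 web1 sshd[1400]: Failed password for root from 203.0.113.7 port 52000 ssh2'

# find_bans MAXRETRY FINDTIME  (reads log lines on stdin)
# Prints one "BAN <ip> at <time> (<n> failures in <findtime>s)" line per address,
# at the moment the threshold is crossed, like the sliding window in fail2ban.
find_bans() {
    awk -v maxretry="$1" -v findtime="$2" '
    function to_secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    /sshd\[[0-9]+]: (Failed password for|Invalid user)/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        now = to_secs($3)
        n[ip]++
        ts[ip, n[ip]] = now
        # walk back over the failures from this address while they are inside the window
        hits = 0
        for (j = n[ip]; j >= 1 && now - ts[ip, j] <= findtime; j--) hits++
        if (hits >= maxretry && !(ip in banned)) {
            banned[ip] = 1
            printf "BAN %s at %s (%d failures in %ds)\n", ip, $3, hits, findtime
        }
    }'
}

# Stand-alone run with the fail2ban defaults (maxretry 5, findtime 10 minutes).
printf '%s\n' "$SAMPLE_AUTH_LOG" | find_bans 5 600
```

With the defaults this bans 203.0.113.7 at 10:00:12, its fifth failure inside the window; the single failure from 198.51.100.22 followed by a successful key login never reaches the threshold, and the lone attempt at 10:45 falls outside findtime of the earlier burst. That last point is why a slow attacker spreading attempts over hours needs a longer findtime to catch.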
5. SSH Client Config (~/.ssh/config)
Quality of life

The ~/.ssh/config file lets you define shortcuts, default usernames, ports, keys, and jump hosts. This is essential for managing multiple servers cleanly.

Create or edit config

nano ~/.ssh/config

Example: simple host entry

Host web-prod
    HostName server.example.com
    User deploy
    Port 22
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

IdentitiesOnly yes stops ssh from offering every key in your agent before the one named here. With several keys loaded, the extra attempts can exhaust the server's MaxAuthTries before the right key is tried, and each attempt tells that server which other public keys you hold. Now you can connect with:

ssh web-prod

To see the options ssh will actually use for a host after all matching Host blocks are merged, run "ssh -G web-prod".
6. SSH Agent & Agent Forwarding
Chained access

The SSH agent holds your decrypted private key in memory so you don’t re‑enter your passphrase constantly. Agent forwarding lets a remote host use your local agent to authenticate to another host without copying keys.

Start agent and add key

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

Enable forwarding in config

Host bastion
    HostName bastion.example.com
    User nicole
    ForwardAgent yes

Only enable agent forwarding to hosts you fully trust. Forwarding places a socket on the remote host, and anyone who is root there, or who has compromised your account there, can sign with your keys through that socket for as long as you stay connected, without ever obtaining the private key. For hopping through a bastion, ProxyJump (next section) gives the same result without exposing the agent. If you must forward, load keys with "ssh-add -c" so each use asks for confirmation, and forward per session with "ssh -A bastion" rather than setting ForwardAgent in the config file.

7. ProxyJump & Bastion Hosts
Network design

A bastion host is a hardened entry point into a private network. SSH’s ProxyJump option lets you hop through a bastion in a single command without manual port forwarding.

Config with ProxyJump

Host bastion
    HostName bastion.example.com
    User nicole

Host db-internal
    HostName 10.0.0.10
    User dbadmin
    ProxyJump bastion

Connect directly to the internal host:

ssh db-internal

ssh authenticates to the bastion first, opens a TCP forward through it to 10.0.0.10, and then runs a second, end-to-end encrypted SSH handshake inside that forward. You therefore authenticate to db-internal from your workstation, the bastion only relays ciphertext, and no ForwardAgent is needed; the bastion account simply needs your public key in its authorized_keys. For a one-off connection without a config entry, the equivalent is "ssh -J nicole@bastion.example.com dbadmin@10.0.0.10", and several hops can be listed comma-separated.