Securing SSH on Your VPS: Key-Based Login, Custom Ports, and More

Meta Description: SSH is the most common entry point to your VPS—and often the most targeted. Learn how to secure your server with SSH key authentication, custom ports, and other must-know practices.

Introduction: SSH Is Powerful — and Vulnerable

When you spin up a VPS, Secure Shell (SSH) is your primary way to connect and control the server. It’s powerful, fast, and efficient — but it’s also the #1 target for bots and brute-force attacks.

Leaving SSH wide open with default settings is like leaving your front door unlocked with a “Welcome!” mat.

Fortunately, it’s easy to lock down SSH and protect your VPS with a few beginner-friendly best practices.

1. Use SSH Key-Based Authentication (Not Just Passwords)

SSH keys are a safer alternative to passwords — and nearly impossible to brute-force.

Why it matters:

• Passwords can be guessed

• SSH keys are cryptographic and highly secure

• Keys are easier to manage and automate securely

Once your key is installed:

• You connect with ssh -i ~/.ssh/mykey user@your-server

• You can safely disable password logins entirely

️ If there’s one tip to follow, make it this one.

2. Change the Default SSH Port (22)

Bots constantly scan the internet for open port 22. You can avoid 90% of automated attacks by simply changing the port.

For example, switch SSH to port 2222, 30022, or any non-standard number.

Benefits:

• Stops basic bots

• Reduces log clutter from failed login attempts

• Adds a simple layer of “security through obscurity”

Just make sure you update your firewall rules and local connection settings to match.

3. Disable Root Login

The root user is the most privileged — and most targeted.

Instead:

• Create a new user (e.g., admin or deploy)

• Give that user sudo privileges

• Disable root login in your SSH config

Why this works:

• Attackers can’t brute-force the root account

• Your access is still flexible and secure

‍ You’re still in control — just with better protection.

4. Limit Login Attempts With Fail2Ban

Fail2Ban is a tool that monitors SSH logs and bans IPs after too many failed login attempts.

Advantages:

• Blocks brute-force bots in real time

• Automatically bans abusive IPs

• Reduces server load from repeated attacks

Think of it as an automatic bouncer at your server’s front door.

5. Restrict SSH Access by IP Address

If you or your team connect from fixed IP addresses (home, office, VPN), you can lock SSH access to just those IPs.

Options:

• Use firewall rules (UFW, iptables)

• Configure your VPS provider’s network firewall

Bonus:

• Even if your SSH port is discovered, it won’t accept unknown IPs

️ Fewer open doors = fewer attack surfaces.

6. Keep SSH (and Everything Else) Updated

SSH vulnerabilities are rare — but when they appear, they’re serious.

Best practices:

• Keep your Linux distro updated

• Enable automatic security updates

• Restart the SSH service after major changes

⚙️ Outdated software is a hacker’s best friend.

7. Use Strong SSH Key Passphrases

Even if someone steals your private key, they can’t use it without the passphrase — unless you skipped it.

Make sure your SSH key:

• Is protected with a long, unique passphrase

• Isn’t left on public or unsecured devices

• Can be stored securely with a password manager or hardware key

Don’t treat SSH keys like passwords — treat them better.

⚙️ 8. Enable Two-Factor Authentication (2FA) for SSH (Advanced)

If you want maximum security, set up 2FA on SSH using tools like:

• Google Authenticator

• Duo Security

• Yubikey (hardware key)

This adds a second layer of login verification, even after SSH keys are used.

It’s not necessary for every user — but it’s powerful protection for sensitive servers.

✅ Final Thoughts: SSH Security Is Step One of Server Security

If you’re using a VPS, SSH is your gatekeeper — and a smart gatekeeper should be locked, monitored, and protected.

Here’s a quick checklist to secure SSH on your VPS:

✅ Use SSH key authentication
✅ Change the default SSH port
✅ Disable root login
✅ Install and configure Fail2Ban
✅ Restrict access by IP
✅ Keep everything updated
✅ Use strong key passphrases
✅ Enable 2FA (optional for advanced users)

Secure it now, and save yourself headaches later.