Vulnarex | Elite Cybersecurity Learning Platform

#Locking the Digital Door: The Hardened SSH Daemon#link

A default SSH installation is 'functional', but it is not 'secure'. Because SSH is the primary target for bots and automated scanners, the `sshd_config` file is the most important security document on a Linux server. Hardening SSH is about reducing the attack surface to the absolute minimum.

The 'Forbidden' List: What to Disable

The first step in any hardening guide is disabling high-risk features. Root login is the most targeted account; disabling it forces attackers to first compromise a low-privilege user and then attempt a privilege escalation, adding a critical layer of defense.

info

💡 Always create a 'backdoor' user with sudo access and verify their public key works before disabling root login, or you may lock yourself out of the server.

bash

# Critical Hardening Settings in /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers admin_bob admin_alice

By setting `PasswordAuthentication no`, you eliminate 99% of automated brute-force attacks. An attacker cannot guess a 256-bit Ed25519 key.

Fighting the Bots: Fail2Ban and Port Knocking

Even with keys, bots will still flood your logs with connection attempts. `Fail2Ban` monitors the logs for repeated failures and adds a temporary firewall rule to drop all packets from that IP. This prevents 'Denial of Service' on the SSH process itself.

STRICT SECURE AUDIT RULE

⚠️ Port Knocking is a 'security by obscurity' technique. It hides the SSH port entirely until a specific sequence of packets (the 'knock') is sent to other ports. While useful, it should not be your only line of defense.

Checking Fail2Ban status

root@vulnarex:~#fail2ban-client status sshd

Feature	Default Setting	Hardened Setting	Benefit
Root Login	yes / prohibit-password	no	Prevents direct root attacks
Auth Method	Password + Key	Public Key Only	Stops brute-force
Port	22	High Random Port (e.g. 2222)	Reduces log noise
Max Tries	6	3	Faster ban for attackers

The 'Sudo' Workflow

The gold standard for administration is: `SSH with Key` $ ightarrow$ `Login as Low-Priv User` $ ightarrow$ `sudo` for privileged tasks. This creates a clear audit trail of who performed what action, as every command is logged under the user's name, not just 'root'.

▪Set `PermitRootLogin no`
▪Enforce `PasswordAuthentication no`
▪Install and configure `fail2ban`
▪Change the default port to something obscure
▪Use `AllowUsers` to whitelist specific accounts

STRICT SECURE AUDIT RULE

If you change the SSH port, you must remember to open the new port in your firewall (ufw/iptables) *before* restarting the SSH service, or you will be locked out.

quiz BLOCK (★ 50 XP)

Which of the following settings is the MOST effective at stopping automated brute-force attacks on an SSH server?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

The Lockdown Scenario