SSH Security Configuration Settings

Last updated February 17, 2026

Introduction

This guide explains different methods to secure your Webdock SSH server. SSH (Secure Shell) is a communication protocol used to administer remote servers securely. We will discuss the following options in the SSH configuration file which impact security:

  • Changing the default SSH port
  • Using public/private key pair instead of password
  • Allow a single IP to login
  • Setting up idle timeout
  • Setting up limited password retries
  • Disabling X11 forwarding
  • Disable root login

Prerequisites

Note: “sshd” is the service name on some distros. If the “ssh” service is not found and can’t be restarted, restart “sshd” instead.

Using public/private key pair instead of password

Please note: This is already the installed default in Ubuntu and thus on Webdock Servers. You can enable Password authentication (not recommended) on the Shell Users screen in Webdock.
Using a public/private key pair to access an SSH server is more secure than using password-based authentication. A password-protected SSH server is more vulnerable to brute force attacks.

Open the /etc/ssh/sshd_config file.

$ sudo nano /etc/ssh/sshd_config

And set the PasswordAuthentication option to no.

PasswordAuthentication no

Restart the SSH server to apply changes.

$ sudo systemctl restart ssh

Allow only a single IP to login

By default, the SSH server accepts connections from any IP address. Restrict your SSH server to accept connections from your trusted IP addresses only. You do this by configuring your firewall to only accept connections from a specific IP to a specific port on your server.

Please note: Make sure your trusted IP addresses are static. Otherwise your trusted IP may change and you will not be able to access your server.

Warning: Limiting to a single IP will break our Web SSH Terminal functionality. You can allow 157.90.77.137 and 2a01:4f8:141:4398::607 which should retain access through Web SSH (as of late 2021) but these IPs may change at any time.

On Webdock Perfect Server stacks where we use UFW and your IP is 192.168.0.200 and SSH is on the default port 22, you would execute:

$ sudo ufw allow from 192.168.0.200 to any port 22

Keepalive / timeout settings

On Webdock Perfect Server stacks we keep the connection alive by default with the settings below. You can remove these lines if you do not want to keep connections alive and would rather have them time out automatically. On a stock Ubuntu install, connections will be dropped automatically after a minute or two of inactivity.

Open the SSH configuration file.

$ sudo nano /etc/ssh/sshd_config

And set the value of TCPKeepAlive, ClientAliveInterval and the ClientAliveCountMax options.

TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3

Before dropping the connection, the SSH server will check the status of the client after 60 seconds of inactivity and send null packets to keep the connection alive. If no response is received the server will repeat this process two times before terminating the connection.

Restart the SSH server to apply changes.

$ sudo systemctl restart ssh

Setting up limited password retries

Limiting password retries is a good way to protect your SSH server from brute force attacks, in addition to fail2ban which does this automatically for SSH. The SSH server provides a configuration option to set the number of authentication attempts permitted per connection. Open the SSH configuration file.

$ sudo nano /etc/ssh/sshd_config

And set the value of the MaxAuthTries option.

MaxAuthTries 3

The SSH server will allow only 3 login attempts per connection.

Restart the SSH server to apply changes.

$ sudo systemctl restart ssh

Disable root login

Using the root user to access the SSH server is not good practice. Always access the SSH server using non-privileged user accounts.

Please note: Root login is already disabled by default in Ubuntu and thus also on Webdock servers.

Open the configuration file.

$ sudo nano /etc/ssh/sshd_config

And disable the root login using the PermitRootLogin option.

PermitRootLogin no

Root login is now disabled and the SSH server can only be accessed by a non-root user.

Restart the SSH server to apply changes.

$ sudo systemctl restart ssh
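
To confirm that the values from this guide are the ones sshd actually applies, you can check the effective configuration printed by sshd -T, which reflects all included files. The script below is an added example, not part of the original Webdock guide; the audit_sshd helper and the two sample dumps are constructed for illustration.

```shell
#!/bin/sh
# audit_sshd (hypothetical helper): reads "keyword value" lines on stdin, the
# format printed by `sshd -T`, and checks them against this guide's values.
# Prints one line per check; returns non-zero if any check fails.
audit_sshd() {
    awk '
        function expect(k, want) {
            if (!(k in val)) { print "MISSING " k; bad++ }
            else if (val[k] != want) { print "FAIL " k " is " val[k] ", want " want; bad++ }
            else print "OK " k " " val[k]
        }
        function at_most(k, max) {
            if (!(k in val)) { print "MISSING " k; bad++ }
            else if (val[k] + 0 > max) { print "FAIL " k " is " val[k] ", want <= " max; bad++ }
            else print "OK " k " " val[k]
        }
        # Skip blank lines and comments so a raw config file is tolerated too.
        NF == 0 || $1 ~ /^#/ { next }
        # Keep the first value seen for a keyword, as sshd itself does.
        { key = tolower($1); if (!(key in val)) val[key] = tolower($2) }
        END {
            expect("passwordauthentication", "no")
            expect("permitrootlogin", "no")
            at_most("maxauthtries", 3)
            exit (bad > 0)
        }'
}

# Constructed sample dumps (not captured from a real server).
sample_hardened() {
    printf '%s\n' 'port 22' 'passwordauthentication no' 'permitrootlogin no' \
        'maxauthtries 3' 'clientaliveinterval 60' 'clientalivecountmax 3'
}
sample_weak() {
    printf '%s\n' 'port 22' 'passwordauthentication yes' 'permitrootlogin yes' \
        'maxauthtries 6'
}

echo "hardened sample:"; sample_hardened | audit_sshd
echo "weak sample:";     sample_weak | audit_sshd || echo "findings above"
# On a server: sudo sshd -T | audit_sshd
```

Running sudo sshd -t before each restart also catches syntax errors in the edited file before they can lock you out.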

Conclusion

In this tutorial we discussed how to harden the security of an SSH server by modifying various security-related settings on a typical Ubuntu server.
