How to setup SSH on VPS Centos?

Server security isn't optional in today's threat landscape. Whether you're hosting a personal project or managing enterprise infrastructure, securing remote access to your Virtual Private Server (VPS) is critical. SSH (Secure Shell) provides the foundation for this security, offering encrypted communication that protects against eavesdropping and unauthorized access. This comprehensive guide walks you through every step of hardening your SSH configuration.

What Makes SSH Essential for VPS Security?

SSH is a cryptographic network protocol that establishes secure, encrypted connections between clients and servers. Unlike legacy protocols such as Telnet or FTP, SSH encrypts all data transmission, including authentication credentials, command execution, terminal output, and file transfers via SFTP or SCP protocols.

The protocol operates through public-key cryptography, creating an encrypted tunnel that prevents man-in-the-middle attacks and data interception. By default, SSH operates on port 22, though security best practices recommend changing this to reduce automated attack attempts from bots scanning for vulnerable servers.

Properly configured SSH serves as your primary defense against brute-force attacks and unauthorized system access. It enables secure remote administration, automated script execution, and file management without requiring physical server access—essential capabilities for modern VPS management. Without SSH protection, your server becomes vulnerable to credential theft, malicious code injection, and complete system compromise.

How Do You Install SSH on Your Server?

Most Linux distributions include OpenSSH by default, but minimal installations or custom builds may require manual setup. The installation process varies slightly between distributions but follows similar patterns.

For Ubuntu/Debian systems:

sudo apt update && sudo apt install openssh-server

sudo apt install openssh-client # if needed for local machine

For CentOS/RHEL systems:

sudo yum install openssh-server openssh-clients

# or for newer versions

sudo dnf install openssh-server openssh-clients

Start and enable the SSH service:

sudo systemctl start ssh

sudo systemctl enable ssh

sudo systemctl status ssh # verify service is running

The enable command ensures SSH starts automatically during system boot, maintaining remote access capabilities after server restarts. Always verify the service status before proceeding with configuration changes.

What Are the Critical SSH Configuration Changes?

The default SSH configuration prioritizes accessibility over security, making immediate hardening essential. All modifications occur in the main configuration file, which controls every aspect of SSH behavior.

sudo nano /etc/ssh/sshd_config

Essential security modifications:

Disable root login access:

PermitRootLogin no

This prevents direct root access, forcing attackers to compromise a regular user account first, then escalate privileges—significantly increasing attack complexity.

Change the default port:

Port 2222

Moving away from port 22 eliminates most automated scanning attempts. Choose a port above 1024 to avoid conflicts with system services.

Restrict user access:

AllowUsers yourusername anotheruser

Explicitly defining allowed users creates a whitelist approach, automatically blocking all other accounts.

Additional critical settings:

  • PasswordAuthentication no (when using SSH keys)
  • MaxAuthTries 3 (limit failed login attempts)
  • ClientAliveInterval 300 (automatic timeout for idle connections)
  • MaxSessions 2 (limit concurrent sessions per connection)
  • Protocol 2 (ensure modern protocol version)

After making changes, always test the configuration syntax:

sudo sshd -t # test configuration for errors

sudo systemctl restart ssh

Test your new configuration from another terminal before closing your current session:

ssh yourusername@your-server-ip -p 2222

How Can Firewalls Enhance Your SSH Security?

A properly configured firewall provides an additional security layer by controlling network traffic to your server. Firewalls act as gatekeepers, examining incoming connections and blocking unauthorized access attempts before they reach your SSH service.

Popular firewall options include UFW (Uncomplicated Firewall) for beginners, firewalld for CentOS/RHEL systems, and iptables for advanced configurations requiring granular control.

UFW configuration example:

sudo ufw default deny incoming # block all incoming by default

sudo ufw default allow outgoing # allow outgoing connections

sudo ufw allow 2222/tcp # allow your custom SSH port

sudo ufw enable

sudo ufw status verbose # verify detailed configuration

Advanced iptables rules:

# Allow established connections

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH on custom port

sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

# Log dropped packets for monitoring

sudo iptables -A INPUT -j LOG --log-prefix "DROPPED: "

Always ensure your firewall rules allow SSH access on your chosen port before enabling the firewall to avoid complete lockout from your server.

Should You Implement IP Address Restrictions?

For environments requiring maximum security, IP-based access control adds another crucial protection layer. This approach limits SSH access to specific IP addresses or network ranges, effectively creating a network-level whitelist.

Using iptables for comprehensive IP restrictions:

# Allow SSH from specific IP addresses

sudo iptables -A INPUT -p tcp -s 192.168.1.100 --dport 2222 -j ACCEPT

sudo iptables -A INPUT -p tcp -s 10.0.0.0/24 --dport 2222 -j ACCEPT

# Block all other SSH attempts

sudo iptables -A INPUT -p tcp --dport 2222 -j DROP

Important implementation considerations:

  • Always maintain alternative access methods (console access, recovery options) before implementing strict IP restrictions
  • Use dynamic DNS services if your IP address changes frequently
  • Consider VPN access for remote teams with changing locations
  • Document all allowed IP ranges for future reference
  • Implement logging to monitor blocked connection attempts

What About IPv6 Configuration?

Modern networks increasingly rely on IPv6, making dual-stack configuration essential for comprehensive security. IPv6 attacks can bypass IPv4-only security measures, creating dangerous vulnerabilities.

Configure ip6tables to mirror your IPv4 security rules:

# Basic IPv6 SSH protection

sudo ip6tables -A INPUT -p tcp --dport 2222 -j ACCEPT

sudo ip6tables -A INPUT -p tcp --dport 22 -j DROP

# Allow established IPv6 connections

sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Monitor both IPv4 and IPv6 traffic patterns to ensure comprehensive security coverage and identify potential attack vectors.

How Do You Make These Changes Permanent?

Firewall rules require persistence across system reboots. Without proper saving, your security configurations disappear during restart, leaving your server vulnerable.

Debian/Ubuntu systems:

sudo apt install iptables-persistent

sudo netfilter-persistent save

sudo systemctl enable netfilter-persistent

CentOS/RHEL systems:

sudo service iptables save

sudo systemctl enable iptables

sudo chkconfig iptables on # for older systems

Test persistence by rebooting your server and verifying all rules remain active.

Additional SSH Security Measures

Beyond basic SSH configuration, several advanced measures enhance protection.

Replace password authentication with SSH key authentication using ssh-keygen -t ed25519 for modern encryption. Add two-factor authentication through Google Authenticator for an extra verification layer.

Install Fail2ban to automatically block IPs after failed attempts: sudo apt install fail2ban and sudo systemctl enable fail2ban. This prevents brute force attacks.

Conduct regular security audits by monitoring access logs, updating configurations, and reviewing user permissions monthly.

What Common Mistakes Should You Avoid?

Several configuration errors can compromise your security efforts and create dangerous vulnerabilities:

Never disable SSH access without establishing alternative entry methods such as console access or recovery procedures. Always test new configurations in separate terminal sessions before applying restrictive rules. Avoid using default ports, weak passwords, or outdated encryption algorithms.

Don't forget to update firewall rules when changing SSH ports, and never apply iptables rules without understanding their full impact. Keep SSH software updated to patch security vulnerabilities promptly.

How Do You Monitor and Maintain SSH Security?

Regular monitoring ensures your security measures remain effective against evolving threats:

Review SSH logs regularly using sudo journalctl -u ssh or examine /var/log/auth.log for failed login attempts. Monitor authentication patterns and investigate suspicious activity immediately.

Implement automated monitoring tools like OSSEC or Nagios for real-time security alerts. Update SSH configurations as security requirements evolve and new vulnerabilities emerge.

Conclusion: Building a Secure Foundation

Proper SSH configuration, firewall implementation, and access restrictions create essential defense layers for your VPS. Continuous maintenance is necessary for security, keep an eye on access logs and update configurations frequently. Start with these fundamentals, then advance to key-based authentication and 2FA as your expertise grows.

Leave your reviews

Share your thoughts and help us improve! Your feedback matters to us

Upload your photo for review