mobile wallpaper 1mobile wallpaper 2mobile wallpaper 3mobile wallpaper 4
442 words
2 minutes
SSH Key Security Guide: Five Steps to Prevent Server Hacks
2025-11-05

Any Linux server exposed to the public internet suffers thousands of brute-force attacks every single day. If you are still using a root password to log in, it’s like leaving your house keys under the doormat.

This article will teach you how to completely close the password login entryway by configuring SSH key pairs, leaving hackers with nowhere to enter.

1. Principle: Why are Keys Safer than Passwords?#

  • Passwords: Also known as “Something you know”. They can be guessed, cracked via dictionary attacks, or intercepted by a man-in-the-middle.
  • Private Keys: Also known as “Something you have”. Using asymmetric encryption algorithms (such as Ed25519 or RSA). Only the person possessing the private key file can decrypt the challenge code sent by the server.

2. Generate High-Strength Key Pairs (Ed25519)#

Although RSA is a well-established standard, in 2026, it is recommended to use the shorter, faster, and safer Ed25519 algorithm.

Run this in your local (Mac/Windows) terminal:

ssh-keygen -t ed25519 -C "your_email@example.com"
  • This generates id_ed25519 (Private key, absolutely do not leak) and id_ed25519.pub (Public key).
  • Strongly recommended: Set a passphrase. This way, even if the private key file is stolen, it cannot be used without the password.

3. Deploy the Public Key to the Server#

Using the ssh-copy-id command is the simplest method:

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server_ip

If configuring manually, you append the contents of the public key to the server’s ~/.ssh/authorized_keys file.

4. The Key Step: Disable Password Login#

After uploading the public key and confirming successful login, you must disable password login; otherwise, all the previous work is in vain.

Edit the server’s /etc/ssh/sshd_config:

# Disable root login (Optional but recommended)
PermitRootLogin no
# Disable password authentication (Must do)
PasswordAuthentication no
# Disable empty passwords
PermitEmptyPasswords no
# Enable public key authentication
PubkeyAuthentication yes

Restart the SSH service:

sudo service ssh restart

⚠️ Critical Security Warning (Life-saving Tip)#

Before executing the restart command to restart the SSH service, do not close your current terminal window! Please open a new terminal window to try connecting to the server.

  • If successful: Congratulations, configuration complete.
  • If it fails: You can still save it! In the original window, revert the sshd_config changes and restart the service again.

If you close everything and can’t connect, you’ll have to rely on the cloud provider’s web console (VNC/Console) for emergency access.

5. Advanced Protection#

To make it impregnable, you can also:

  1. Change the default port: Change the SSH port from 22 to something uncommon (e.g., 22222) to filter out 99% of script scans.
  2. Fail2Ban: Install Fail2Ban software. When it detects someone failing to log in consecutively for N times, it automatically blacklists their IP at the firewall level.

Summary#

There is no absolute security, only cost. By configuring SSH keys and disabling passwords, we raise the attacker’s cracking cost from “running a dictionary” to the astronomical level of “breaking an encryption algorithm.” This is a fundamental skill for every server administrator.

Share

If this article helped you, please share it with others!

SSH Key Security Guide: Five Steps to Prevent Server Hacks
https://blog.levifree.com/posts/ssh-key-security/
Author
LeviFREE
Published at
2025-11-05
License
CC BY-NC-SA 4.0

Some information may be outdated

Table of Contents