When you manage your server from a different location, you need to ensure that your connection is secure. The SSH protocol is the right tool for the job because it wraps your interactions in an encrypted layer, protecting the session from eavesdropping and attack. But how do you secure VPS hosting with SSH? This post answers that question with a step-by-step guide.
What is SSH and why should you secure it?
SSH is short for Secure Shell, an encrypted network protocol developed for secure communication with a remote server. With SSH, you can use the command line to access your server and transfer files, knowing that no one can eavesdrop on the traffic as it crosses the network. In short, using SSH ensures that your connection is secure and your communications are encrypted.
If you want to learn more about secure SSH connection VPS, read MonoVM's article on What is SSH Protocol?
Prerequisites for Establishing a Secure SSH Connection
There are a few preliminary steps you need to take before the main setup procedure of secure VPS hosting with SSH.
1. Have a VPS running
You will need a virtual server to follow this guide. Since SSH provides low-level system access, you need a VPS or dedicated server to run it. If you haven’t yet purchased a virtual server, you can Buy VPS Server services and choose the right plan for your business.
2. Ensure Initial Access with Password
Once you have purchased your VPS, your provider will give you an IP address, a username (typically root), and a password. We suggest that you test whether you can log in with these credentials before changing or investigating anything. You can use the following command in the terminal:
ssh root@your-server-ip
If the default SSH port (22) was changed, you will also need to specify the port number:
ssh -p 2222 root@your-server-ip
(Instead of 2222, enter the port specified by the hosting company or server settings.)
If you don't know exactly how to connect to a VPS, the article How to Connect to VPS can be a good guide.
3. Install the SSH tool on the local system
If there is no SSH client on your local device, you will not be able to establish a connection to the server. Linux and macOS come pre-installed with SSH, so it is most probably there. You can test it with the following command:
ssh -V
If it outputs the SSH version, then SSH is installed.
Windows 10 and 11 also have the OpenSSH Client tool. To confirm its presence, execute the following command in PowerShell:
ssh
It will show a list of options if it is ready to use.
On older Windows (7/8) you need to install tools like PuTTY or MobaXterm. I recommend PuTTY, which is the simplest option; just enter the server IP and Port, and that's it!
4. Update the system before changes
Before tweaking any SSH settings, it is better to update your server to the latest versions.
| OS | Command |
| --- | --- |
| Debian/Ubuntu | |
| CentOS/RHEL | |
These commands will upgrade the system packages to the latest version.
5. Have sudo access
You must have administrative access to change SSH settings and restart services.
- If you log in as root → you have access to everything.
- If you are logged in as a regular user → make sure that the user is in the sudo group. To add: sudo usermod -aG sudo username
You will then need to log out and log back in for the change to take effect.
Now we are ready to move on to the main operation of setting up ssh! So take your time and pay attention.
If you need to work with the SSH terminal in Linux or learn different connection methods, also check out the article How to SSH Linux on the MonoVM blog.
Step-by-Step Guide to Setting Up Secure SSH Connection
Now we come to the main part: setting up a secure SSH connection to your VPS, which takes 4 main steps as follows.
Step 1: Generate SSH Key Pair
The first step is to generate a public and private key pair on the local system. To set up an SSH key for your VPS, we usually use the following command:
ssh-keygen -t rsa -b 4096
This command generates a strong RSA key with a length of 4096 bits.
After running the command, you will be asked where to save the key. The default path is usually:
/home/username/.ssh/id_rsa
Press Enter, so the key will be saved in this path, and two files will be created:
Private key: id_rsa
Public key: id_rsa.pub
For added security, you can set a passphrase on the private key. Then, even if someone gains access to the key file, they cannot easily use it.
Step 2: Copy the Public Key to the VPS
Now copy the public key you generated to the VPS so that the server can recognize you. The simplest method is the following command:
ssh-copy-id user@server-IP
Replace user with your server username and server-IP with the server IP address. This command will automatically add your public key to the ~/.ssh/authorized_keys file on the server.
After doing this, every time you run the following command:
ssh user@server-IP
The server will verify you using your private key and let you in without asking for the account password. If you prefer the traditional way, you can do the same thing with this command:
cat ~/.ssh/id_rsa.pub | ssh user@server-IP "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Or directly edit the authorized_keys file on the server and add the public key.
Step 3: Configuring SSH Service on VPS
Once you have transferred the key, set up the SSH server service (generally the OpenSSH daemon, sshd) to accept only key-based logins. First, open the sshd_config configuration file on the VPS in your favorite editor:
sudo nano /etc/ssh/sshd_config
After that, implement these changes:
| Action | Description |
| --- | --- |
| Disable password login | Change the value of PasswordAuthentication to no to turn off password login. |
| Disable root login over SSH | Change the line PermitRootLogin to no to disallow direct root login. |
| Change the default port (optional) | Since the default port 22 is a target for automated attacks, you can change the number 22 in the line Port 22 to another port (e.g., 2222). |
Then save the changes and restart the SSH service with the command sudo systemctl restart sshd. From then on, your server will only accept connections authenticated with the private key, and password login will be disabled.
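Editing sshd_config does not guarantee the setting took effect: sshd uses the first value it reads for each keyword, and a file pulled in by an Include line can set one before yours. The following added example (not from the original article) checks the effective values for the three Step 3 settings; the function names and the sample dumps are constructed, and the input is assumed to be the lowercase "keyword value" output of sshd -T.

```shell
#!/bin/sh
# Added example, not from the original article.
# Input format assumed: the lowercase "keyword value" lines printed by `sshd -T`.

# audit_effective: read an `sshd -T` style dump on stdin, print one line per
# Step 3 setting, and return 1 if password or root login is still allowed.
audit_effective() {
  awk '
    { key = tolower($1); val = tolower($2) }
    key == "passwordauthentication" { pw = val }
    key == "permitrootlogin"        { root = val }
    # Port may be listed more than once; collect every value.
    key == "port" { ports = ports (ports == "" ? "" : ",") val }
    END {
      if (pw == "")   pw = "missing"
      if (root == "") root = "missing"
      printf "%s passwordauthentication=%s\n", (pw == "no" ? "OK" : "FAIL"), pw
      printf "%s permitrootlogin=%s\n", (root == "no" ? "OK" : "FAIL"), root
      printf "NOTE port=%s\n", ports
      exit !(pw == "no" && root == "no")
    }'
}

# Constructed sample: sshd_config was edited, but a drop-in file read earlier
# still enables passwords, so "yes" is the effective value.
sample_weak() {
  cat <<'EOF'
port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
EOF
}

# Constructed sample: all three Step 3 changes are in effect.
sample_hardened() {
  cat <<'EOF'
port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
EOF
}

sample_weak | audit_effective || echo "=> not hardened yet"
sample_hardened | audit_effective && echo "=> hardened"
```

On a server, feed it the real dump with sudo sshd -T | audit_effective, and keep your current session open until a new key-based login succeeds.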
For a detailed walkthrough on using your private key for login, check out our guide on How to Connect to SSH with Private Key.
Step 4: Test Secure SSH Connection
Now confirm that the connection works properly. On your local computer, enter the command below:
ssh user@server-IP
This time, your private key will be used automatically, and if everything is correct, you will be logged in to the server without being prompted for a password.
If you get an error message like Permission denied, it means the server did not recognize your key. Common reasons are:
- The public key was not transferred to the server correctly.
- The file permissions (~/.ssh and authorized_keys) are incorrect.
If you see the Connection refused error, there are two possibilities:
- The SSH service is not enabled on the server.
- A firewall (such as UFW or iptables) is blocking the SSH port.
In these cases, make sure that:
- The sshd service is running:
sudo systemctl status sshd
- The SSH port (default 22 or a port of your choice) is open in the firewall.
If you still can't connect after these steps, checking the SSH logs will help you pinpoint the problem:
sudo journalctl -u sshd -xe
Advanced SSH Security Best Practices
After setting up SSH, there are still things you can do to strengthen your defenses. Below are some SSH security best practices.
1. Two-Factor Authentication (2FA)
By enabling 2FA (e.g., Google Authenticator), you add an extra layer of security. Even if your private key or password is leaked, attackers won’t be able to log in without the second authentication code.
To install Google Authenticator on Debian/Ubuntu:
sudo apt-get install libpam-google-authenticator
After installation, run the following command and follow the prompts:
google-authenticator
Then, add the following line to /etc/pam.d/sshd:
auth required pam_google_authenticator.so
In the SSH configuration file (/etc/ssh/sshd_config), set ChallengeResponseAuthentication to yes and restart the service:
sudo systemctl restart sshd
2. Install and Configure Fail2Ban
Fail2Ban scans SSH logs and blocks suspicious IPs to prevent brute-force attacks. To install:
sudo apt-get install fail2ban
After installation, create a local configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
In jail.local, locate the [sshd] section and configure it like this:
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Finally, restart the service:
sudo systemctl restart fail2ban
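To see which addresses a maxretry = 3 setting would catch in an existing auth.log, here is a simplified added example (not Fail2Ban's code and not part of the original article). It counts only "Failed password" lines per source IP and ignores Fail2Ban's time window; the function names and the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original article and not Fail2Ban's own logic.

# over_maxretry [N]: read auth.log lines on stdin and print "IP COUNT" for
# every source address with at least N failed password attempts (default 3).
over_maxretry() {
  awk -v max="${1:-3}" '
    # The line ends in "... from IP port N ssh2", so the address is read
    # relative to the end; a username containing spaces or the word "from"
    # cannot shift it.
    /sshd\[[0-9]+\]: Failed password for / &&
    $(NF-4) == "from" && $(NF-2) == "port" {
      fails[$(NF-3)]++
    }
    END {
      for (ip in fails)
        if (fails[ip] >= max + 0) print ip, fails[ip]
    }' | sort
}

# Constructed sample log using documentation-only IP ranges.
sample_auth_log() {
  cat <<'EOF'
Oct  3 10:15:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  3 10:15:03 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  3 10:15:09 vps sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 51290 ssh2
Oct  3 10:16:40 vps sshd[1215]: Failed password for deploy from 198.51.100.23 port 40022 ssh2
Oct  3 10:16:55 vps sshd[1215]: Accepted publickey for deploy from 198.51.100.23 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED
Oct  3 10:17:30 vps sshd[1222]: Failed password for invalid user from from 192.0.2.50 port 33991 ssh2
Oct  3 10:17:32 vps sshd[1222]: Failed password for invalid user test from 192.0.2.50 port 33991 ssh2
EOF
}

sample_auth_log | over_maxretry 3
```

On a Debian/Ubuntu server the same function can read the file named in logpath: sudo cat /var/log/auth.log | over_maxretry 3.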
3. Restrict Access by IP
If you only connect to your server from a few trusted IP addresses, you can restrict SSH access. With UFW, for example, you can allow only a specific IP:
sudo ufw allow from YOUR_IP to any port 22
If you have changed the SSH port, replace 22 with your custom port number.
4. Secure Use of SSH Agent
With ssh-agent, you can load your keys once and avoid entering the passphrase repeatedly.
Start the agent:
eval "$(ssh-agent -s)"
Then add your private key:
ssh-add ~/.ssh/id_rsa
Your key will remain in memory, so you won’t need to re-enter the passphrase each time. (Note: On shared systems, this may pose a security risk.)
5. Regular Updates
Always keep your server OS and SSH software up-to-date to ensure the latest security patches are applied.
On Debian/Ubuntu:
sudo apt update && sudo apt upgrade -y
These measures are not just recommendations, but rather requirements for securing the SSH connection to your VPS.
SSH Security Checklist
To finish this off, here's a summary table of the essential steps for securing the SSH connection to your VPS. You can use it as a checklist every time you set up or audit your server.
| Action | Purpose | Example Command / Note |
| --- | --- | --- |
| Enable SSH Key Authentication | Eliminate weak password risks | ssh-keygen -t ed25519 or ssh-keygen -t rsa -b 4096 |
| Disable Password Login | Prevent brute-force password attacks | Edit /etc/ssh/sshd_config → PasswordAuthentication no |
| Disable Root Login over SSH | Limit direct root access | PermitRootLogin no in sshd_config |
| Change SSH Port | Reduce automated scans on port 22 | In sshd_config → Port 2222 |
| Install & Configure Fail2Ban | Block repeated failed login attempts | sudo apt install fail2ban → enable [sshd] |
| Enable 2FA | Add a second security layer | Google Authenticator or similar |
| Restrict Access by IP | Allow only trusted IPs | ufw allow from YOUR_IP to any port 22 |
| Regular System Updates | Patch known security vulnerabilities | sudo apt update && sudo apt upgrade -y |
| Secure File Permissions | Protect private keys from unauthorized access | chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys |
| Rate Limiting on SSH Port | Slow down brute-force attempts | iptables or firewalld rules |
| Use SSH Agent Carefully | Convenience without retyping passphrase | eval "$(ssh-agent -s)" + ssh-add ~/.ssh/id_rsa |
| Monitor SSH Logs | Detect suspicious login activity | journalctl -u ssh or SIEM tools |
| Use VPN or Bastion Host | Add an extra protective layer | Allow SSH only via VPN or a jump host |
These measures will greatly help improve the security of your SSH connection.
Final Thoughts
Securing your SSH connection is essential to keeping your VPS safe. By applying the steps in this guide, you’ll lower risks, block common attacks, and ensure smooth server management. A little time spent on setup today saves you from bigger issues later. If you do not have a VPS yet or want to take advantage of secure and fast services, Buy VPS Server from MonoVM. We give you full control, reliable uptime, and fast SSD storage! Plus expert support whenever you need it.