SSH hardening
Keys only, no root, minimal exposure.
SSH is the front door to almost every Linux server, which makes it the single most attacked service on the internet — automated bots hammer port 22 with password guesses continuously. So SSH hardening is where server security starts, and the highest-value change is the simplest: turn off password authentication entirely and accept only cryptographic keys. A key cannot be brute-forced the way a password can, so the moment you go keys-only, the entire password-guessing threat disappears.
PasswordAuthentication no # keys only — the single biggest winPermitRootLogin no # no direct root login; log in as a user, then sudoPubkeyAuthentication yesKbdInteractiveAuthentication no # close the other password-ish pathsX11Forwarding noAllowGroups ssh-users # only members of this group may SSH in at all
No root login, restrict who can connect
Two more essentials. PermitRootLogin no forces everyone to log in as a named user and then escalate with sudo — restoring the attribution the essentials course insisted on (a shared root login destroys your audit trail). And AllowGroups (or AllowUsers) restricts SSH access to an explicit allowlist, so even a valid account outside that group cannot connect. Combined, an attacker now needs a specific user’s private key AND membership in the allowed group AND then a second step to reach root.
Apply changes safely
Editing sshd_config is one of the few changes that can lock you out of your own server, so apply it carefully: validate the config with sshd -t before restarting, and keep your current session open while you test a new connection in a second terminal. If the new settings break your access, you still have the working session to fix them. Never restart sshd with a broken config and no fallback.
$ sudo sshd -t # validate config — no output means OK$ sudo systemctl reload ssh # apply# now, WITHOUT closing this session, open a NEW terminal and test:$ ssh deploy@server # confirm key login works before you log out