Make bruteforce attempts almost impossible
I always disable SSH password logins when setting up a new server, allowing authentication via private key only. It’s a good way to secure SSH all-around.
Disabling password logins in Ubuntu is extremely easy.
Open /etc/ssh/sshd_config with nano or vi. You’ll want to change options for 3 different directives, ChallengeResponseAuthentication, PasswordAuthentication, and UsePAM.
Find those directives in /etc/ssh/sshd_config and set them to the following:
ChallengeResponseAuthentication no PasswordAuthentication no UsePAM no
Save sshd_config, and reload ssh:
sudo service ssh reload
That’s it, now you won’t be able to SSH to your server and login with a password, and neither will anyone else.
Of course, you’ll want to enable private key authentication, first. If you don’t, you’ll lock yourself out of your server.
DigitalOcean has a good article on how to do this.
Loading ...Let’s go a bit farther and only allow specific users to login via SSH. We can do so with by adding a line like the one below to /etc/ssh/sshd_config:
AllowUsers firstuser seconduser thirduser
This will allow only three users to login: firstuser, seconduser, or thirduser. I usually add my AllowUsers directive towards the top of sshd_config.
After modifying /etc/ssh/sshd_config, reload ssh again like so:
sudo service ssh reload
