Make bruteforce attempts almost impossible

I always disable SSH password logins when setting up a new server, allowing authentication via private key only. It’s a good way to secure SSH all-around.

Disabling password logins in Ubuntu is extremely easy.

Open /etc/ssh/sshd_config with nano or vi. You’ll want to change options for 3 different directives, ChallengeResponseAuthentication, PasswordAuthentication, and UsePAM.

Find those directives in /etc/ssh/sshd_config and set them to the following:

Save sshd_config, and reload ssh:

That’s it, now you won’t be able to SSH to your server and login with a password, and neither will anyone else.

Of course, you’ll want to enable private key authentication, first. If you don’t, you’ll lock yourself out of your server.

DigitalOcean has a good article on how to do this.

Let’s go a bit farther and only allow specific users to login via SSH. We can do so with by adding a line like the one below to /etc/ssh/sshd_config:

This will allow only three users to login: firstuser, seconduser, or thirduser. I usually add my AllowUsers directive towards the top of sshd_config.

After modifying /etc/ssh/sshd_config, reload ssh again like so: