SSH Hardening Basics for Home Servers
Updated: February 23, 2026
Start with the real goal
The goal is not “never get attacked”. The goal is this: if your hostname is public, automated bots will try SSH regardless, so those attempts must be harmless. That means reducing exposure, removing weak authentication methods, and keeping a small, clear configuration you can review.
1) Prefer VPN over public SSH
The safest default is to avoid exposing SSH to the internet at all. Use a VPN (WireGuard is common) and only allow SSH on your private network. If you must expose SSH, at least combine multiple controls, not just one.
2) Use SSH keys (and disable password login)
Password auth is the biggest target for brute-force attempts. SSH keys remove that entire class of attack once passwords are disabled.
# /etc/ssh/sshd_config (examples)
PasswordAuthentication no
# on OpenSSH releases before 8.7 this option is named ChallengeResponseAuthentication
KbdInteractiveAuthentication no
PubkeyAuthentication yes
3) Limit who can log in
If you only have one admin user, do not allow the entire system user list to attempt login.
# /etc/ssh/sshd_config (examples)
# replace youruser with your admin account; space-separate several users
AllowUsers youruser
4) Disable root login
Root login is a common target. Use a normal user and escalate when needed.
# /etc/ssh/sshd_config (examples)
PermitRootLogin no
5) Reduce the “blast radius”
- Keep the OS updated monthly.
- Enable a firewall and only allow what you need.
- Use fail2ban or rate limiting at the reverse proxy where possible.
6) Confirm you did not lock yourself out
Before you close your current SSH session, open a second session and verify login works with your key. Then reload the SSH service. If anything breaks, you still have the original session to recover.
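A small check for steps 2 through 4 that you can run from that second session, added here as an example rather than taken from the article: it reads settings in the format `sshd -T` prints (the effective configuration, lowercase keyword then value) and reports each directive that does not match the hardened values above. The two sample configurations are constructed; the service name in the final comment is an assumption that varies by distribution.

```shell
# Added example, not from the article: check the effective sshd settings
# for steps 2-4 using the format "sshd -T" prints (lowercase keyword, value).

# Constructed sample of a hardened host's effective settings.
HARDENED_SAMPLE='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin no
allowusers youruser'

# Constructed sample of a default-ish host: passwords on, no AllowUsers.
WEAK_SAMPLE='passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin prohibit-password'

# check_sshd_hardening CONFIG_TEXT: prints one line per check and
# returns 0 only when every check passes.
check_sshd_hardening() {
  config=$1
  failures=0
  for expected in "passwordauthentication no" "kbdinteractiveauthentication no" \
                  "pubkeyauthentication yes" "permitrootlogin no"; do
    keyword=${expected% *}
    want=${expected#* }
    actual=$(printf '%s\n' "$config" | awk -v k="$keyword" '$1 == k { print $2 }')
    if [ "$actual" = "$want" ]; then
      echo "ok    $keyword $actual"
    else
      echo "FAIL  $keyword ${actual:-<unset>} (want $want)"
      failures=$((failures + 1))
    fi
  done
  # AllowUsers only needs to exist: any explicit list beats "everyone".
  if printf '%s\n' "$config" | grep -q '^allowusers '; then
    echo "ok    allowusers is set"
  else
    echo "FAIL  allowusers is not set (every system user may try to log in)"
    failures=$((failures + 1))
  fi
  [ "$failures" -eq 0 ]
}

# Stand-alone run against the constructed samples.
check_sshd_hardening "$HARDENED_SAMPLE"
check_sshd_hardening "$WEAK_SAMPLE" || echo "weak sample rejected, as expected"

# On a real host, with a second SSH session kept open (step 6):
#   check_sshd_hardening "$(sudo sshd -T)"   # effective config, needs root
#   sudo sshd -t && sudo systemctl reload ssh  # unit is "sshd" on Fedora/RHEL
```

`sshd -t` only validates syntax, so keep the second session open until you have confirmed a fresh key-based login after the reload.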