- Home
- Skills
- Mikr13
- Secure Server Setup Skills
- Ssh Hardening
ssh-hardening_skill
- Shell
4
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill mikr13/secure-server-setup-skills --skill ssh-hardening- SKILL.md7.9 KB
Overview
This skill hardens SSH access on VPS servers by enforcing key-based authentication, disabling root login, and creating non-root sudo users. It implements safe, test-first changes to sshd_config and provides step-by-step checks to avoid locking yourself out. The goal is to reduce brute-force and credential risks while maintaining operational access.
How this skill works
The skill creates a non-root user with sudo privileges, generates or installs public SSH keys, and configures the SSH daemon to refuse password and root logins. It updates core sshd_config options (PermitRootLogin, PasswordAuthentication, AllowUsers, Protocol, etc.), validates the configuration with sshd -t, and guides a safe restart. It also includes recommended firewall and monitoring suggestions.
When to use it
- Initial VPS provisioning to establish secure access
- Replacing password authentication with SSH keys
- Responding to security audit findings about SSH settings
- Reducing exposure to brute-force and credential attacks
- Implementing least-privilege access for server administration
Best practices
- Create and test a non-root sudo user before changing SSH settings
- Generate and use ed25519 keys with a strong passphrase when possible
- Always test new key login in a separate terminal and keep an existing session open
- Run sudo sshd -t to validate syntax before restarting the service
- Restrict access with AllowUsers or AllowGroups and update firewall rules if you change the SSH port
Example use cases
- Set up a deployer user with key-only SSH access on a fresh VPS
- Harden an existing server after a security scan flagged root or password logins
- Migrate a team from password SSH to centrally managed key pairs
- Lock down SSH to only specific admin accounts and disable unused features like X11 forwarding
- Combine with fail2ban and firewall rules to reduce noise and automated attacks
FAQ
Use your hosting provider’s console or VNC to access the instance, revert the changes in /etc/ssh/sshd_config, and restart sshd. Always keep one working session open while testing to prevent lockout.
Which key type should I use?
Use ed25519 for modern, compact, and secure keys. Use rsa -b 4096 only for older compatibility when ed25519 is unavailable.
Can I disable password auth immediately?
No. First create a non-root user, install and test SSH key authentication in a new terminal, then disable password authentication and restart sshd after validating the config.