03-SSH-Hardening
faycel edited this page 2026-02-26 14:18:19 +00:00

This page documents the secure configuration of SSH access on the production server.

Security model:

  • ed25519 key-based authentication only
  • Password authentication disabled
  • Root login disabled
  • UFW firewall active
  • Fail2ban enabled for brute-force protection

Snapshot date: 2026-02


1. SSH Key Policy

Client-Side Key Generation

Recommended key type: ed25519 (short keys, fast verification, no parameter choices to get wrong). Generate the pair on the client, never on the server:

ssh-keygen -t ed25519 -C "your_email@example.com"

Set a passphrase when prompted: once password login is disabled, this private key is the only credential that opens the server, so an unencrypted copy on a lost laptop is a server credential. The -C value is only a comment; it ends up in the public key line and helps identify the key in authorized_keys later.

Key files:

  • Private key: ~/.ssh/id_ed25519 (stays on the client)
  • Public key: ~/.ssh/id_ed25519.pub (the only file that is copied to the server)

2. Add Public Key to Server

Method 1 — ssh-copy-id

Run on the client. It needs a working login (password or an existing key) to install the key, so do it before password authentication is disabled in section 4:

ssh-copy-id -i ~/.ssh/id_ed25519.pub ubuntu@SERVER_IP

Method 2 — Manual

Run on the server as the login user (ubuntu), then paste the single line from ~/.ssh/id_ed25519.pub on the client into authorized_keys:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys    # one public key per line
chmod 600 ~/.ssh/authorized_keys

The chmod steps are not cosmetic: with StrictModes (on by default) sshd silently ignores authorized_keys when it, ~/.ssh, or the home directory is group- or world-writable.

3. Disable Root Login

Verification (Effective Configuration)

sshd -T prints the configuration sshd is actually running with, after defaults and every Include file are applied, so it is the value to trust rather than the contents of any single file:

sudo sshd -T | grep permitrootlogin

Expected result:

permitrootlogin no

If not configured:

sudo nano /etc/ssh/sshd_config

Add or modify:

PermitRootLogin no

With this setting root cannot log in even with a valid key; administrative work goes through the ubuntu account and sudo. Validate the file before restarting (sudo sshd -t prints nothing when the configuration parses; restarting with a broken file is how remote access is lost), then restart SSH:

sudo systemctl restart ssh

If the effective value still differs after the restart, a drop-in under /etc/ssh/sshd_config.d/ is taking precedence; see Step 2 of section 4.

4. Disable Password Authentication (Cloud-Safe Method)

Step 1 — Check Effective Configuration (Critical)

sudo sshd -T | grep passwordauthentication

Expected result:

passwordauthentication no

If it shows yes, either the directive is not set anywhere (OpenSSH's default is yes) or a file with higher precedence sets it to yes. sshd keeps the first value it reads for each directive, and Ubuntu's /etc/ssh/sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in file wins over anything written later in the main file.


Step 2 — Inspect Included Configuration Files

Ubuntu includes drop-in files from:

/etc/ssh/sshd_config.d/

List files:

ls /etc/ssh/sshd_config.d/

Search for overrides (directive names are case-insensitive in sshd configuration, hence -i):

sudo grep -Rni "PasswordAuthentication" /etc/ssh/

Step 3 — Fix Cloud-Init Override (If Present)

If /etc/ssh/sshd_config.d/50-cloud-init.conf contains:

PasswordAuthentication yes

Edit it:

sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf

Replace with:

PasswordAuthentication no

Cloud-init owns this file, which is why Step 4 is needed as well. An alternative that does not depend on cloud-init's behaviour is a drop-in that sorts before it (for example a file named 00-hardening.conf in the same directory; the name is only an example) containing PasswordAuthentication no, since the first file read supplies the value.

Validate with sudo sshd -t, then restart SSH:

sudo systemctl restart ssh

Verify again:

sudo sshd -T | grep passwordauthentication

Step 4 — Prevent Cloud-Init From Re-Enabling Password Login

Create:

sudo nano /etc/cloud/cloud.cfg.d/99-disable-ssh-password.cfg

Add:

ssh_pwauth: false

The file is cloud-init YAML. ssh_pwauth is the setting cloud-init consults when it writes the PasswordAuthentication line into its sshd drop-in: true writes yes, false writes no, unset leaves the file alone. With false, cloud-init keeps password authentication disabled whenever it runs its configuration again (for instance on an instance created from an image of this server, or after cloud-init clean).


5. Test Configuration (Critical Step)

Keep the current SSH session open until every check below passes; a mistake in sshd_config only locks you out once the last working session is gone. Run the tests from a second terminal on the client.

Test normal login (must work, using the ed25519 key):

ssh ubuntu@SERVER_IP

Test root login (must fail even though the same key is present, because PermitRootLogin no rejects the account):

ssh root@SERVER_IP

Force password authentication (must fail without ever showing a password prompt, because the server no longer offers that method):

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no ubuntu@SERVER_IP

Expected result for both failing tests:

Permission denied (publickey).
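The checks in sections 3, 4 and 5 can be repeated in one command. The script below is an added example for this page, not part of the original procedure or of OpenSSH: it compares the effective configuration printed by sshd -T against a hardening baseline and reports drift. The baseline directives, the sample sshd -T excerpts and the --live flag are assumptions made for this example.

```shell
#!/bin/sh
# sshd_baseline_check.sh: added example for this page, not part of the wiki's
# own procedure or of OpenSSH. It compares the effective sshd configuration
# (the output of `sshd -T`) with the hardening baseline from sections 3-5 and
# reports drift, so the checks above can be repeated in one command.

# Baseline: directive name exactly as `sshd -T` prints it (lowercase) and the
# value this page expects. The set is an assumption for this example; edit it
# to match your own policy.
BASELINE='port 22
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
pubkeyauthentication yes'

# check_effective EFFECTIVE_CONFIG_TEXT
# Prints one OK/FAIL line per baseline directive and returns 0 only when all
# of them match. A directive absent from the input is reported as <unset>.
check_effective() {
    cfg=$1
    failures=0
    while read -r key want; do
        [ -n "$key" ] || continue
        # sshd -T prints "directive value ..." once per directive; take field 2
        # of the first matching line.
        got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" = "$want" ]; then
            printf 'OK   %-30s %s\n' "$key" "$got"
        else
            printf 'FAIL %-30s got=%s want=%s\n' "$key" "${got:-<unset>}" "$want"
            failures=$((failures + 1))
        fi
    done <<EOF
$BASELINE
EOF
    [ "$failures" -eq 0 ]
}

# Constructed `sshd -T` excerpt for a hardened host (not captured from a real server).
SAMPLE_HARDENED='port 22
addressfamily any
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no'

# Constructed excerpt of the same host after a cloud-init drop-in put
# PasswordAuthentication yes back.
SAMPLE_DRIFTED='port 22
addressfamily any
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no'

if [ "${1:-}" = "--live" ]; then
    # On the server: sshd -T needs root to read the host keys and config.
    check_effective "$(sudo sshd -T)"
else
    echo "== constructed hardened sample =="
    check_effective "$SAMPLE_HARDENED"
    echo "== constructed drifted sample =="
    check_effective "$SAMPLE_DRIFTED" || echo "drift detected: fix, then re-run with --live on the server"
fi
```

Run it on the server with --live after every change to /etc/ssh. sshd -T without arguments reports the global values only; to see what a specific client would get once Match blocks are evaluated, feed it sudo sshd -T -C user=ubuntu,addr=CLIENT_IP instead.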

6. Firewall Protection (UFW)

Verification

sudo ufw status verbose

Allow SSH before running ufw enable on a remote host, otherwise the enable step itself cuts the connection. Allow TCP only; SSH does not use UDP:

sudo ufw allow 22/tcp

Default policy (the "Default:" line of the verbose output):

  • Incoming: deny
  • Outgoing: allow

7. Fail2ban Installation

Install:

sudo apt install fail2ban

Enable and start:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

8. Fail2ban Configuration for SSH

Create a local override (do not edit jail.conf; package upgrades replace it):

sudo nano /etc/fail2ban/jail.local

Add:

[sshd]
enabled = true
port = 22
maxretry = 5
findtime = 600
bantime = 3600

Meaning: an address that produces 5 matching failures within 600 seconds is banned for 3600 seconds. Two caveats before relying on it:

  • If /var/log/auth.log does not exist on the host (Debian 12, for example, no longer installs rsyslog by default), add backend = systemd to the [sshd] section so fail2ban reads the journal instead.
  • Once password authentication is off, failed attempts are logged differently (for example "Connection closed by authenticating user ... [preauth]" or "Failed publickey for ..."). Confirm the filter matches what sshd actually writes with sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf (or sudo fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd.conf when using the journal).

To keep your own management address from being banned during testing, add ignoreip = 127.0.0.1/8 ::1 YOUR_ADMIN_IP under a [DEFAULT] section of the same file.

Restart Fail2ban:

sudo systemctl restart fail2ban

9. Verify Fail2ban Status

sudo fail2ban-client status

Check SSH jail (shows the log source, current and total bans, and the banned addresses):

sudo fail2ban-client status sshd

If you ban your own address while testing, lift it with sudo fail2ban-client set sshd unbanip ADDRESS.

10. Security Summary

Control                    Status
SSH key type               ed25519
Root login                 Disabled
Password authentication    Disabled
SSH port                   22 (TCP)
UFW firewall               Active
Fail2ban                   Enabled

11. Live Monitoring Example

Command:

sudo fail2ban-client status sshd

Example result (abbreviated):

  • Currently banned: 2
  • Total banned: 2
  • Banned IP list: 46.101.173.150, 92.118.39.63

Non-zero ban counts show that the filter matches what sshd is logging and that the ban action is being applied. The opposite case matters too: an internet-facing host showing zero total bans after a day usually means the filter is not matching the log lines, not that nobody is probing; check with fail2ban-regex as in section 8.