#change password passwd #update ubuntu/debian apt-get update apt-get upgrade #install most needed packages in ubuntu/debian apt-get install sudo openssl openssh-server fail2ban sudo #add user to use for ssh connection (replace *user* with your own user name) adduser *user* #copy rules for fail2ban cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local #edit vim /etc/fail2ban/jail.local #add or replace content in file to resemble: [ssh-ddos] enabled = true #reset /etc/init.d/fail2ban restart #disable root access via ssh mkdir --parents /home/*user*/.ssh chown *user*:*user* /home/*user*/.ssh/ sed -i -e 's/PermitRootLogin.*/PermitRootLogin no/' '/etc/ssh/sshd_config' /etc/init.d/ssh reload #enable ssh connection only for selected user group addgroup --system "ssh-users" command echo 'AllowGroups ssh-users' >> /etc/ssh/sshd_config /etc/init.d/ssh reload adduser *user* ssh-users #generate keys for ssh connection #on client computer (machine that you will use to establish connection with server) ssh-keygen -t rsa -f /home/*user*/.ssh/id_rsa ssh-copy-id -i "/home/*localuser*/.ssh/id_rsa.pub" *user*@server #on server sed -i -e 's/^[#\t ]*PubkeyAuthentication[\t ]*.*$/PubkeyAuthentication yes/' '/etc/ssh/sshd_config' /etc/init.d/ssh reload #we can set custom ports for ssh server (ex. port 1234 instead 22) command sed -i -e "s/^[#\t ]*Port[\t ]*.*\$/Port 1234/" '/etc/ssh/sshd_config' /etc/init.d/ssh reload #we edit rule for ssh inside fail2ban file: echo "[ssh] port = 1234" >> '/etc/fail2ban/jail.local' /etc/init.d/fail2ban restart #Profit!