🔒 Hardening SSH on Arch Linux: A Step-by-Step Guide
- Peter Kriel
- 3 days ago
- 2 min read
Updated: 11 hours ago
When you install Arch Linux, you're building a system from the ground up. However, default SSH settings are often optimized for compatibility, not security. If your server is facing the open internet, it’s likely being hammered by automated bots right now.
Follow this guide to move beyond defaults and lock down your sshd configuration using modern best practices.
1. Generate Ed25519 Keys
Forget RSA. Ed25519 is the modern standard—it’s faster, has a smaller footprint, and offers higher security at a shorter key length. Run this on your local machine (not the server):
Bash
ssh-keygen -t ed25519 -C "your_email@example.com"
When prompted, add a passphrase for an extra layer of "What if my laptop gets stolen?" protection.
2. Use Drop-in Configurations
Since OpenSSH 9.4, Arch Linux users have a much cleaner way to manage settings. Instead of editing the large /etc/ssh/sshd_config file directly, we put our changes in the sshd_config.d directory.
Why this matters:
Clean Upgrades: Your settings won't be overwritten or flagged as "conflicting" during system updates.
Organization: Keep your custom security rules separate from system defaults.
Create your hardening file:
We’ll use a 99- prefix to ensure these settings are loaded last and take precedence.
Bash
sudo nano /etc/ssh/sshd_config.d/99-hardening.conf
3. The "Low-Hanging Fruit" Settings
Copy and paste these parameters into your new .conf file. These settings effectively "hide" your server and slam the door on brute-force bots.
| Parameter | Recommended Setting | Why? |
|---|---|---|
| Port | 2222 (or random) | Stops 90% of automated bot scans instantly. |
| PermitRootLogin | no | Prevents direct attacks on the root account. |
| PasswordAuthentication | no | Forces SSH keys (immune to brute-force). |
| PubkeyAuthentication | yes | Ensures your new Ed25519 keys work. |
| MaxAuthTries | 3 | Limits failed attempts per connection before sshd disconnects. |
| AllowUsers | yourusername | Only specific people are allowed to knock. |
4. Test and Deploy
Crucial: Never restart your SSH service without testing the syntax first. If there’s a typo, you could lock yourself out of your own server.
Test the Syntax
Bash
sudo sshd -t
Note: If the command returns nothing, your syntax is perfect. If you see errors, fix them before moving to the next step.
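sshd -t only validates syntax; it does not tell you whether the values in 99-hardening.conf are the ones actually in effect. sudo sshd -T prints the effective configuration after every Include file has been merged (sshd_config(5) notes that the first value obtained for a keyword wins, so this is worth verifying rather than assuming). The script below is an added example, not part of the original post: it compares an sshd -T dump against the table in section 3. It assumes sshd is on PATH for the live check; the sample dump is constructed.

```python
"""Compare `sudo sshd -T` output (the effective config after all Include
drop-ins are resolved) against the hardening table in section 3."""
import subprocess

# Target values from the table; sshd -T prints keywords in lowercase.
EXPECTED = {
    "port": "2222",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "3",
}

def parse_sshd_t(output):
    """Map each keyword to the list of values printed for it; sshd -T emits
    one line per value for multi-valued keywords such as port and allowusers."""
    effective = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return effective

def audit(output, allowed_user):
    """Return findings as strings; an empty list means every table setting is
    in effect and allowed_user appears in AllowUsers."""
    effective = parse_sshd_t(output)
    findings = []
    for key, want in EXPECTED.items():
        got = effective.get(key, ["<unset>"])
        if got != [want]:  # also catches a second Port line still listening on 22
            findings.append(f"{key}: expected {want}, effective {' '.join(got)}")
    users = effective.get("allowusers", [])
    if allowed_user not in users:
        findings.append(f"allowusers: {allowed_user} missing from {users or '<unset>'}")
    return findings

def live_audit(allowed_user):
    """Run sshd -T on this host (root is needed to read the host keys) and audit it."""
    dump = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True)
    return audit(dump.stdout, allowed_user)

# Constructed, abridged sshd -T dump for offline use; not captured from a real host.
SAMPLE_OK = ("port 2222\npermitrootlogin no\npasswordauthentication no\n"
             "pubkeyauthentication yes\nmaxauthtries 3\nallowusers yourusername\n")
# Same dump, but the Port change never took effect (e.g. set earlier in another file).
SAMPLE_SHADOWED = SAMPLE_OK.replace("port 2222", "port 22")

if __name__ == "__main__":
    print(audit(SAMPLE_OK, "yourusername") or "compliant")
    print(audit(SAMPLE_SHADOWED, "yourusername"))
```

Run live_audit("yourusername") as root on the server after saving the drop-in; any finding it returns is a setting that will not be active when you restart sshd.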
Restart the Service
Bash
sudo systemctl restart sshd
5. Update Your Firewall
If you changed your port (e.g., to 2222), you must tell your firewall to let you back in. If you are using UFW (Uncomplicated Firewall), run the following:
Bash
sudo ufw allow 2222/tcp
sudo ufw reload
sudo ufw status verbose
Final Pro-Tip 💡
Before you close your current terminal session, open a new one and try to log in using your new settings:
ssh -p 2222 yourusername@your-server-ip
If it works, you’re golden! Your Arch server is now significantly more resilient against attacks.