How to Use SSH Securely to Manage Your VPS Remotely: The Complete Guide
SSH (Secure Shell) is the backbone of remote server management. Every time you connect to your VPS from a laptop at a coffee shop, automate a deployment from a CI/CD pipeline, or transfer files between servers, you're relying on SSH. It is the single most important tool in a system administrator's arsenal.
 |
| How to Use SSH Securely to Manage Your VPS Remotely: The Complete Guide |
But SSH, used carelessly, is also one of the most common attack surfaces on the internet. Every publicly exposed SSH server receives hundreds to thousands of automated login attempts per day from botnets scanning for weak credentials. A misconfigured SSH setup is an open invitation.
This guide is your complete reference for using SSH securely and effectively — from generating your first key pair to hardening a production server against brute force attacks, configuring jump hosts, tunneling, and automating deployments.
Table of Contents
- How SSH Works: A Practical Overview
- Generating SSH Key Pairs
- Connecting to Your VPS with SSH
- SSH Config File: Simplifying Your Workflow
- Hardening Your SSH Server Configuration
- SSH Key Management and Best Practices
- File Transfer with SCP and SFTP
- SSH Tunneling and Port Forwarding
- Jump Hosts (Bastion Servers)
- SSH Agent and Agent Forwarding
- Monitoring SSH Access
- Automating SSH in Scripts and CI/CD
- SSH Two-Factor Authentication (2FA)
- Fail2ban: Automated Brute Force Protection
- SSH Security Checklist
- FAQ
- Conclusion
- Additional SEO Data
How SSH Works: A Practical Overview
SSH operates on a client-server model using asymmetric cryptography. Understanding the basics helps you configure it intelligently rather than just copying commands.
The Authentication Flow
- Client initiates connection to the server on port 22 (or configured port)
- Server presents its host key — the client checks this against
~/.ssh/known_hoststo verify it's the correct server (prevents man-in-the-middle attacks) - Authentication occurs — either via password or public key (strongly preferred)
- Encrypted session established — all subsequent communication is encrypted
Public Key Authentication (How It Works)
Public key authentication is based on a key pair:
- Private key — stays on your local machine, never shared. Think of it as a password that only you know.
- Public key — placed on the server in
~/.ssh/authorized_keys. Think of it as a lock that only your private key can open.
When you connect:
- Server challenges the client with data encrypted using your public key
- Client proves identity by decrypting the challenge with the private key
- No password is transmitted over the network — not even an encrypted one
This is fundamentally more secure than password authentication because:
- Brute force attacks against SSH public key auth are computationally infeasible
- Even if the server is compromised, your private key is never sent to it
- Keys can be revoked server-side by removing them from
authorized_keys
Generating SSH Key Pairs
Choosing Your Key Type
Not all key types are equal. In 2026, the recommended choices are:
| Key Type | Recommendation | Key Size | Notes |
|---|---|---|---|
| Ed25519 | ✅ Best choice | Fixed (256-bit) | Fast, secure, small keys. Modern standard. |
| ECDSA | ✅ Good | 256/384/521-bit | Good performance, widely supported |
| RSA | ⚠️ Acceptable | 4096-bit minimum | Legacy compatibility. Use 4096-bit, never 1024/2048. |
| DSA | ❌ Avoid | 1024-bit (fixed) | Deprecated, insecure. Disabled in modern OpenSSH. |
Recommendation: Use Ed25519 for all new keys.
Generating an Ed25519 Key Pair
# Generate Ed25519 key pair (recommended)
ssh-keygen -t ed25519 -C "your-email@example.com"
# The -C flag adds a comment (label) to the key for identification
# You'll be asked:
# 1. Where to save the key (default: ~/.ssh/id_ed25519)
# 2. Passphrase (STRONGLY recommended — protects private key if stolen)
# Example output:
# Generating public/private ed25519 key pair.
# Enter file in which to save the key (/home/user/.ssh/id_ed25519):
# Enter passphrase (empty for no passphrase): [type a strong passphrase]
# Enter same passphrase again:
# Your identification has been saved in /home/user/.ssh/id_ed25519
# Your public key has been saved in /home/user/.ssh/id_ed25519.pub
Generating RSA Key (for Legacy Compatibility)
# RSA 4096-bit (for systems that don't support Ed25519)
ssh-keygen -t rsa -b 4096 -C "your-email@example.com"
Naming Keys for Multiple Servers
If you manage multiple servers or services, use descriptive key names:
# Named key for a specific server
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_production -C "production-server"
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_github -C "github-deploy"
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_client_xyz -C "client-xyz-server"
# View your generated keys
ls -la ~/.ssh/
# id_ed25519 <- private key (NEVER share this)
# id_ed25519.pub <- public key (share this freely)
Viewing Key Contents
# View your public key (this is what you copy to servers)
cat ~/.ssh/id_ed25519.pub
# Output: ssh-ed25519 AAAA...base64data... your-email@example.com
# View key fingerprint (useful for verification)
ssh-keygen -lf ~/.ssh/id_ed25519.pub
# Output: 256 SHA256:fingerprint-here your-email@example.com (ED25519)
Connecting to Your VPS with SSH
Basic Connection
# Basic syntax
ssh username@server-ip-or-hostname
# Examples
ssh root@192.168.1.100
ssh ubuntu@your-vps.example.com
ssh admin@203.0.113.50
# Specify port (if not using default 22)
ssh -p 2222 ubuntu@your-vps.example.com
# Specify which key to use
ssh -i ~/.ssh/id_ed25519_production ubuntu@your-vps.example.com
# Verbose mode (useful for debugging connection issues)
ssh -v ubuntu@your-vps.example.com
ssh -vv ubuntu@your-vps.example.com # more verbose
ssh -vvv ubuntu@your-vps.example.com # maximum verbosity
First Connection: Verifying the Host Key
The first time you connect to a new server, SSH displays a warning:
The authenticity of host '203.0.113.50 (203.0.113.50)' can't be established.
ED25519 key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Don't blindly type "yes". Verify the fingerprint matches what your hosting provider shows in their console:
# On the server (via console/KVM), get the host key fingerprint
ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
# Compare with what your client shows
# If they match, type yes to add to known_hosts
Copying Your Public Key to the Server
# Method 1: ssh-copy-id (easiest, recommended)
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@server-ip
# With custom port:
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 username@server-ip
# Method 2: Manual copy (if ssh-copy-id not available)
# Display your public key:
cat ~/.ssh/id_ed25519.pub
# On the server, add it to authorized_keys:
mkdir -p ~/.ssh
echo "ssh-ed25519 AAAA...your-public-key... comment" >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
# Method 3: Using SSH with pipe (one-liner, no prior auth needed if you have password)
cat ~/.ssh/id_ed25519.pub | ssh username@server-ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"
Managing known_hosts
# View all known hosts
cat ~/.ssh/known_hosts
# Remove a host entry (necessary when server is reinstalled/IP reassigned)
ssh-keygen -R server-ip-or-hostname
ssh-keygen -R 203.0.113.50
# Remove a host on custom port
ssh-keygen -R [server-ip]:2222
# Hash known_hosts for additional privacy
ssh-keygen -H -f ~/.ssh/known_hosts
SSH Config File: Simplifying Your Workflow
The SSH client config file (~/.ssh/config) is one of the most underused SSH features. It lets you define connection parameters for each server so you can connect with short aliases instead of long commands.
Creating Your Config File
# Create config file (if it doesn't exist)
touch ~/.ssh/config
chmod 600 ~/.ssh/config
Config File Structure
# ~/.ssh/config
# Global settings (apply to all connections)
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
AddKeysToAgent yes
IdentityFile ~/.ssh/id_ed25519
# Production web server
Host production
HostName 203.0.113.50
User ubuntu
Port 2222
IdentityFile ~/.ssh/id_ed25519_production
ForwardAgent no
# Staging server
Host staging
HostName 203.0.113.51
User ubuntu
Port 22
IdentityFile ~/.ssh/id_ed25519_production
# Database server (only accessible via jump host)
Host db-server
HostName 10.0.1.50
User dbadmin
ProxyJump production
IdentityFile ~/.ssh/id_ed25519_production
# GitHub
Host github.com
User git
IdentityFile ~/.ssh/id_ed25519_github
AddKeysToAgent yes
# Client XYZ server
Host client-xyz
HostName client-xyz-server.com
User admin
Port 22
IdentityFile ~/.ssh/id_ed25519_client_xyz
Now instead of:
ssh -p 2222 -i ~/.ssh/id_ed25519_production ubuntu@203.0.113.50
You simply type:
ssh production
Useful Config Directives
# ServerAliveInterval/CountMax — send keepalive packets
# Prevents disconnection due to idle timeout
ServerAliveInterval 60
ServerAliveCountMax 3
# ControlMaster/ControlPath/ControlPersist — connection multiplexing
# Reuse existing connection for subsequent SSH/SCP/rsync to same host
# Dramatically faster for frequent connections
Host *
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
ControlPersist 10m
# Create socket directory first:
mkdir -p ~/.ssh/cm_socket
chmod 700 ~/.ssh/cm_socket
# StrictHostKeyChecking — set to 'yes' for production, never 'no'
StrictHostKeyChecking yes
# ConnectTimeout — seconds before giving up
ConnectTimeout 10
# Compression — enable for slow connections
Compression yes
# LogLevel — for debugging
# LogLevel DEBUG
Hardening Your SSH Server Configuration
This is the most critical section. The default OpenSSH configuration is reasonably secure, but applying these hardening measures significantly reduces your attack surface.
Main Configuration File
The SSH server configuration is in /etc/ssh/sshd_config. Always test your config before restarting SSH — a syntax error can lock you out.
# Before making changes, back up the original config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
# After making changes, ALWAYS test syntax before restarting
sudo sshd -t
# If the test passes, reload (not restart, to keep existing sessions alive)
sudo systemctl reload sshd
# or on some systems:
sudo service ssh reload
Complete Hardened sshd_config
# /etc/ssh/sshd_config — Hardened Configuration
# Apply these settings on your VPS for a secure SSH setup
# ============================================================
# NETWORK AND PORT SETTINGS
# ============================================================
# Change default port (reduces automated scan noise)
# Common alternatives: 2222, 22222, 2200
# NOTE: Not a security measure — just reduces log noise
# Update firewall rules when changing port
Port 2222
# Listen on specific interface only (if server has multiple IPs)
# ListenAddress 0.0.0.0
# ListenAddress 203.0.113.50
# ============================================================
# AUTHENTICATION SETTINGS
# ============================================================
# Disable root login (CRITICAL — always disable this)
PermitRootLogin no
# If you MUST allow root login (not recommended), use:
# PermitRootLogin prohibit-password
# Disable password authentication (CRITICAL — use keys only)
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
# Allow only specific users (whitelist approach)
# AllowUsers ubuntu deploy admin
# Allow only specific groups
# AllowGroups sshusers
# Deny specific users
# DenyUsers guest temp_user
# Disable empty passwords
PermitEmptyPasswords no
# Maximum authentication attempts (reduces brute force window)
MaxAuthTries 3
# Maximum number of concurrent unauthenticated connections
MaxStartups 3:50:10
# Format: start:rate:full
# start: start dropping connections when there are 3 unauthenticated connections
# rate: 50% chance of dropping if above start
# full: always drop if 10 or more
# Authentication timeout (seconds to complete login)
LoginGraceTime 20
# ============================================================
# PUBLIC KEY AUTHENTICATION
# ============================================================
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# ============================================================
# SESSION SETTINGS
# ============================================================
# Disconnect idle sessions (seconds)
# Client must respond to keepalive within 3 * 60 = 180 seconds
ClientAliveInterval 300
ClientAliveCountMax 2
# Disable X11 forwarding (unless you need it)
X11Forwarding no
# Disable TCP forwarding (unless you need tunneling)
# AllowTcpForwarding no
# Disable agent forwarding (enable only where needed)
# AllowAgentForwarding no
# Disable .rhosts authentication (legacy, insecure)
IgnoreRhosts yes
HostbasedAuthentication no
# ============================================================
# LOGGING
# ============================================================
SyslogFacility AUTH
LogLevel VERBOSE
# VERBOSE logs the key fingerprint used for login
# This is critical for audit trails
# ============================================================
# CRYPTOGRAPHY (restrict to strong algorithms)
# ============================================================
# These settings prefer modern, well-vetted algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# ============================================================
# BANNER (optional — legal warning)
# ============================================================
# Banner /etc/ssh/banner.txt
# Create banner content:
# echo "Authorized access only. All activity is logged." > /etc/ssh/banner.txt
# ============================================================
# SUBSYSTEM
# ============================================================
Subsystem sftp /usr/lib/openssh/sftp-server
Applying the Configuration
# Step 1: Edit the config
sudo nano /etc/ssh/sshd_config
# Step 2: Test syntax (CRITICAL — never skip this)
sudo sshd -t
# No output = no errors
# Step 3: If you changed the port, update firewall BEFORE reloading SSH
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp # ONLY after confirming new port works
# Step 4: Reload SSH daemon (keeps existing sessions)
sudo systemctl reload sshd
# Step 5: Test from a NEW terminal window (don't close existing session)
# Open a new terminal:
ssh -p 2222 ubuntu@your-server-ip
# Step 6: Only close existing session AFTER confirming new connection works
Disable Root Login Properly
# Always create a non-root user with sudo access before disabling root login
# Create admin user
sudo adduser adminuser
sudo usermod -aG sudo adminuser
# Copy root's authorized_keys to new user (if root login used keys)
sudo mkdir -p /home/adminuser/.ssh
sudo cp /root/.ssh/authorized_keys /home/adminuser/.ssh/
sudo chown -R adminuser:adminuser /home/adminuser/.ssh
sudo chmod 700 /home/adminuser/.ssh
sudo chmod 600 /home/adminuser/.ssh/authorized_keys
# Test login as adminuser in a NEW terminal before disabling root
ssh adminuser@your-server-ip
# Verify sudo works
sudo whoami
# Should output: root
# Only now disable root login in sshd_config:
sudo sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl reload sshd
SSH Key Management and Best Practices
Passphrase Protection
Always protect your private key with a strong passphrase. If your key is stolen (laptop theft, compromised machine), a passphrase prevents immediate use.
# Add or change passphrase on existing key
ssh-keygen -p -f ~/.ssh/id_ed25519
# Check if a key has a passphrase set
ssh-keygen -y -f ~/.ssh/id_ed25519
# If protected: prompts for passphrase
# If unprotected: immediately outputs public key
Key Permissions (Critical)
SSH will refuse to use keys with incorrect permissions:
# Correct permissions for SSH files
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519 # private key
chmod 644 ~/.ssh/id_ed25519.pub # public key
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/config
chmod 644 ~/.ssh/known_hosts
# Fix all at once
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
chmod 644 ~/.ssh/*.pub ~/.ssh/known_hosts 2>/dev/null
Authorized Keys File Management
# View all authorized keys on a server
cat ~/.ssh/authorized_keys
# Each line is one public key. Format:
# [options] key-type base64-key comment
# Add a key with options to restrict what the key can do:
# Restrict to specific command only (for automation)
echo 'command="/usr/bin/backup.sh",no-pty,no-agent-forwarding,no-port-forwarding ssh-ed25519 AAAA... deploy-key' >> ~/.ssh/authorized_keys
# Restrict to specific source IP
echo 'from="203.0.113.0/24" ssh-ed25519 AAAA... restricted-key' >> ~/.ssh/authorized_keys
# Combine restrictions
echo 'from="203.0.113.10",command="/usr/bin/backup.sh",no-pty ssh-ed25519 AAAA... deploy-only-from-ci' >> ~/.ssh/authorized_keys
# Revoke a key: find and delete the line containing it
grep -v 'key-to-remove-comment' ~/.ssh/authorized_keys > /tmp/authorized_keys_new
mv /tmp/authorized_keys_new ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Regular Key Rotation
# Best practice: rotate SSH keys every 1-2 years or after any security incident
# Step 1: Generate new key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_new -C "rotated-2026-06"
# Step 2: Copy new key to all servers
ssh-copy-id -i ~/.ssh/id_ed25519_new.pub ubuntu@server1
ssh-copy-id -i ~/.ssh/id_ed25519_new.pub ubuntu@server2
# Step 3: Test login with new key
ssh -i ~/.ssh/id_ed25519_new ubuntu@server1
# Step 4: Remove old key from authorized_keys on each server
# (identify old key by its comment or fingerprint)
# Step 5: Replace old key with new key in config/agent
File Transfer with SCP and SFTP
SCP (Secure Copy Protocol)
SCP transfers files over SSH. It's simple and fast for one-off transfers.
# Upload file to server
scp /local/path/file.txt ubuntu@server:/remote/path/
# Upload directory recursively
scp -r /local/directory/ ubuntu@server:/remote/path/
# Download file from server
scp ubuntu@server:/remote/path/file.txt /local/path/
# Download directory
scp -r ubuntu@server:/remote/path/directory/ /local/path/
# Custom port
scp -P 2222 file.txt ubuntu@server:/remote/path/
# Specify key
scp -i ~/.ssh/id_ed25519_production file.txt ubuntu@server:/remote/
# Copy between two remote servers (via local machine)
scp ubuntu@server1:/path/file.txt ubuntu@server2:/path/
# Show progress
scp -v file.txt ubuntu@server:/path/
# Preserve file timestamps and permissions
scp -p file.txt ubuntu@server:/path/
# Compress during transfer (useful for slow connections)
scp -C large-file.tar ubuntu@server:/path/
SFTP (SSH File Transfer Protocol)
SFTP provides an interactive file browsing session over SSH — like FTP but encrypted.
# Connect to SFTP session
sftp ubuntu@server
sftp -P 2222 ubuntu@server
# SFTP commands (once connected):
# ls — list remote directory
# lls — list local directory
# pwd — remote working directory
# lpwd — local working directory
# cd — change remote directory
# lcd — change local directory
# get file — download file
# put file — upload file
# mget *.log — download multiple files
# mput *.txt — upload multiple files
# mkdir dir — create remote directory
# rm file — delete remote file
# exit — disconnect
# Non-interactive SFTP (scripted)
echo "get /remote/path/file.txt /local/path/" | sftp ubuntu@server
rsync over SSH
For syncing directories, rsync over SSH is far superior to scp — it only transfers changed files, supports progress reporting, and handles interruptions gracefully.
# Sync local directory to remote server
rsync -avz --progress /local/path/ ubuntu@server:/remote/path/
# Sync remote directory to local (backup)
rsync -avz --progress ubuntu@server:/remote/path/ /local/backup/
# Custom SSH port with rsync
rsync -avz -e "ssh -p 2222" /local/path/ ubuntu@server:/remote/path/
# Custom key
rsync -avz -e "ssh -i ~/.ssh/id_ed25519_production" /local/path/ ubuntu@server:/remote/
# Delete files at destination that don't exist at source
rsync -avz --delete /local/path/ ubuntu@server:/remote/path/
# Dry run (show what would be transferred without transferring)
rsync -avz --dry-run /local/path/ ubuntu@server:/remote/path/
# Exclude files/directories
rsync -avz --exclude '*.log' --exclude 'node_modules/' /local/path/ ubuntu@server:/remote/
# Resumable transfer (useful for large files)
rsync -avz --partial --progress ubuntu@server:/large/file.tar.gz /local/
SSH Tunneling and Port Forwarding
SSH tunneling lets you route network traffic securely through an SSH connection. This is one of the most powerful and underused SSH features.
Local Port Forwarding
Forward a remote port to your local machine — useful for accessing remote services (databases, admin panels) that aren't publicly exposed.
# Syntax: ssh -L [local_port]:[remote_host]:[remote_port] user@ssh_server
# Access remote MySQL (port 3306) via local port 3307
ssh -L 3307:localhost:3306 ubuntu@server -N
# Now connect to MySQL locally:
# mysql -h 127.0.0.1 -P 3307 -u root -p
# Access a web service running on internal network (not exposed publicly)
ssh -L 8080:internal-server:80 ubuntu@jumphost -N
# Now browse: <http://localhost:8080>
# Access remote Redis
ssh -L 6380:localhost:6379 ubuntu@server -N
# -N flag: don't execute a remote command (just tunnel, no shell)
# -f flag: run in background
ssh -L 3307:localhost:3306 ubuntu@server -N -f
# Background tunnel with automatic reconnection:
ssh -L 3307:localhost:3306 ubuntu@server -N -f -o "ServerAliveInterval 60" -o "ExitOnForwardFailure yes"
Remote Port Forwarding
Expose a local port to the remote server — useful for temporarily making a local development server accessible from a remote machine.
# Syntax: ssh -R [remote_port]:[local_host]:[local_port] user@ssh_server
# Expose local port 3000 (dev server) as port 3000 on the remote server
ssh -R 3000:localhost:3000 ubuntu@server -N
# Expose local database to remote server
ssh -R 5432:localhost:5432 ubuntu@server -N
# GatewayPorts: to allow external connections to the remote forwarded port,
# add to /etc/ssh/sshd_config on the server:
# GatewayPorts clientspecified
Dynamic Port Forwarding (SOCKS Proxy)
Create a SOCKS proxy — routes all your browser traffic through the SSH server.
# Create SOCKS5 proxy on local port 1080
ssh -D 1080 ubuntu@server -N -f
# Configure browser to use SOCKS5 proxy: 127.0.0.1:1080
# All browser traffic now routes through your server's network
# Or use curl with SOCKS proxy:
curl --socks5-hostname 127.0.0.1:1080 <http://example.com>
Checking Active Tunnels
# List all SSH processes with tunnels
ps aux | grep ssh
# Kill a background tunnel by port
lsof -ti:3307 | xargs kill
# Or find and kill by PID:
ps aux | grep 'ssh.*3307'
kill PID
Jump Hosts (Bastion Servers)
A jump host (or bastion server) is a publicly accessible SSH server used as an intermediary to reach servers in a private network. This is a standard security architecture for production environments.
Your Laptop → [Jump Host / Bastion] → [Private DB Server]
(public IP) (internal IP only)
Connecting via Jump Host
# Method 1: -J flag (modern, preferred)
ssh -J ubuntu@jumphost ubuntu@private-server
# With custom ports:
ssh -J ubuntu@jumphost:2222 ubuntu@10.0.1.50:22
# Multiple jump hosts (chain):
ssh -J ubuntu@jump1,ubuntu@jump2 ubuntu@final-server
# Method 2: ProxyJump in config file (best for regular use)
# ~/.ssh/config:
# Host private-db
# HostName 10.0.1.50
# User dbadmin
# ProxyJump jumphost
#
# Host jumphost
# HostName 203.0.113.10
# User ubuntu
# Port 2222
# Then simply:
ssh private-db
# Method 3: ProxyCommand (legacy, still works)
ssh -o ProxyCommand="ssh -W %h:%p ubuntu@jumphost" ubuntu@private-server
SCP and rsync Through Jump Host
# SCP through jump host
scp -J ubuntu@jumphost /local/file.txt dbadmin@10.0.1.50:/remote/
# rsync through jump host
rsync -avz -e "ssh -J ubuntu@jumphost" /local/path/ dbadmin@10.0.1.50:/remote/
Hardening the Jump Host
The jump host has special requirements — it should allow SSH in but restrict what authenticated users can do:
# /etc/ssh/sshd_config on jump host:
# Only allow specific users through
AllowGroups sshusers
# Disable everything except forwarding
X11Forwarding no
AllowTcpForwarding yes # needed for jump functionality
PermitTunnel no
GatewayPorts no
# Force command that allows only port forwarding (not a shell)
# In authorized_keys on jump host:
# restrict,port-forwarding ssh-ed25519 AAAA... user@source
SSH Agent and Agent Forwarding
SSH Agent
The SSH agent is a background process that caches your decrypted private key in memory so you don't have to type the passphrase for every connection.
# Start the SSH agent (if not already running)
eval "$(ssh-agent -s)"
# Output: Agent pid 1234
# Add your key to the agent (prompts for passphrase once)
ssh-add ~/.ssh/id_ed25519
# Add key with timeout (auto-removes after 4 hours)
ssh-add -t 14400 ~/.ssh/id_ed25519
# List keys currently loaded in agent
ssh-add -l
# Remove a specific key from agent
ssh-add -d ~/.ssh/id_ed25519
# Remove all keys from agent
ssh-add -D
# On macOS: add to keychain (persist across reboots)
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
Auto-loading Keys on macOS/Linux
# Add to ~/.bashrc or ~/.zshrc for auto-loading:
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
# Or using keychain utility (Linux):
eval $(keychain --eval --agents ssh id_ed25519)
# macOS: add to ~/.ssh/config for automatic keychain integration
Host *
AddKeysToAgent yes
UseKeychain yes # macOS only
IdentityFile ~/.ssh/id_ed25519
Agent Forwarding
Agent forwarding allows you to use your local SSH keys on remote servers without copying private keys there. Useful for git operations on a server.
# Connect with agent forwarding enabled (-A flag)
ssh -A ubuntu@server
# Once on the server, your local keys are available:
git clone git@github.com:yourorg/private-repo.git
# This works because git uses your local keys via the forwarded agent
# In ~/.ssh/config:
Host staging
HostName staging.example.com
User ubuntu
ForwardAgent yes
⚠️ Security warning: Never enable agent forwarding to servers you don't fully trust. A server root or a user with root access could use your forwarded agent to authenticate as you to other servers.
Safe rule: Enable ForwardAgent only to your own servers that you administer, and only when you need it.
Monitoring SSH Access
Monitoring SSH access is essential for detecting unauthorized access attempts and actual breaches.
Viewing SSH Logs
# Ubuntu/Debian: SSH logs in auth.log
sudo tail -50 /var/log/auth.log
sudo grep 'sshd' /var/log/auth.log | tail -50
# AlmaLinux/Rocky Linux: SSH logs in secure
sudo tail -50 /var/log/secure
# Using journalctl (all systemd-based systems)
sudo journalctl -u ssh -n 100
sudo journalctl -u ssh --since "1 hour ago"
sudo journalctl -u ssh --since "2026-06-15" --until "2026-06-16"
# Watch SSH logs in real time
sudo tail -f /var/log/auth.log
sudo journalctl -u ssh -f
Detecting Brute Force Attempts
# Count failed login attempts by IP
sudo grep 'Failed password' /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn | head -20
# Using journalctl:
sudo journalctl -u ssh | grep 'Failed password' | awk '{print $11}' | sort | uniq -c | sort -rn | head -20
# Count invalid user attempts
grep 'Invalid user' /var/log/auth.log | awk '{print $10}' | sort | uniq -c | sort -rn
# Successful logins (monitor for unauthorized access)
grep 'Accepted' /var/log/auth.log
grep 'Accepted publickey' /var/log/auth.log
grep 'Accepted password' /var/log/auth.log
# See which keys were used for successful auth (requires LogLevel VERBOSE in sshd_config)
grep 'Accepted publickey' /var/log/auth.log | awk '{print $9, $11}'
Setting Up Log Alerting
# Install logwatch for daily email reports
sudo apt install logwatch
# Configure (edit /etc/logwatch/conf/logwatch.conf):
# MailTo = admin@yourdomain.com
# Detail = High (for SSH)
# Range = Yesterday
# Or use a simple cron job to alert on new successful logins:
# /usr/local/bin/check-ssh-logins.sh
#!/bin/bash
YESTERDAY=$(date -d 'yesterday' '+%b %e')
LOGINS=$(grep "$YESTERDAY" /var/log/auth.log | grep 'Accepted')
if [ -n "$LOGINS" ]; then
echo "$LOGINS" | mail -s "SSH Logins on $(hostname)" admin@yourdomain.com
fi
Automating SSH in Scripts and CI/CD
Deploy Keys for CI/CD
For automated deployments, use deploy keys — dedicated SSH key pairs with limited permissions.
# Generate a deploy key (no passphrase for automation)
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_deploy -C "github-actions-deploy" -N ""
# -N "" sets empty passphrase (required for automation)
# The public key goes to GitHub repo Settings > Deploy Keys (read-only or read-write)
cat ~/.ssh/id_ed25519_deploy.pub
# The private key goes to GitHub Actions Secrets, GitLab CI Variables, etc.
cat ~/.ssh/id_ed25519_deploy
# Copy this to your CI/CD secret variable (e.g., SSH_PRIVATE_KEY)
# In authorized_keys on the server, restrict the deploy key:
echo 'command="/home/ubuntu/deploy.sh",no-pty,no-agent-forwarding,no-port-forwarding,from="0.0.0.0/0" ssh-ed25519 AAAA...deploy-key... github-actions' >> /home/ubuntu/.ssh/authorized_keys
GitHub Actions SSH Deployment Example
# .github/workflows/deploy.yml
name: Deploy to Production
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup SSH
uses: webfactory/ssh-agent@v0.9.0
with:
ssh-private-key: $ secrets.SSH_PRIVATE_KEY
- name: Add server to known_hosts
run: |
mkdir -p ~/.ssh
ssh-keyscan -p 2222 -H your-server-ip >> ~/.ssh/known_hosts
- name: Deploy
run: |
ssh -p 2222 ubuntu@your-server-ip 'cd /var/www/app && git pull && npm install && pm2 restart app'
SSH in Shell Scripts
#!/bin/bash
# Remote command execution in scripts
SERVER="ubuntu@your-server-ip"
KEY="~/.ssh/id_ed25519_deploy"
PORT="2222"
# Execute a single command
ssh -i "$KEY" -p "$PORT" "$SERVER" 'uptime'
# Execute multiple commands
ssh -i "$KEY" -p "$PORT" "$SERVER" << 'ENDSSH'
cd /var/www/app
git pull origin main
npm ci --production
pm2 restart all
pm2 save
ENDSSH
# Check exit code
if [ $? -eq 0 ]; then
echo "Deployment succeeded"
else
echo "Deployment failed"
exit 1
fi
# StrictHostKeyChecking for automation (only if you pre-populate known_hosts)
ssh -i "$KEY" -p "$PORT" \
-o StrictHostKeyChecking=yes \
-o BatchMode=yes \
"$SERVER" 'deploy command'
# BatchMode=yes: fail immediately if user interaction is needed
# (prevents scripts from hanging waiting for password/passphrase)
SSH Two-Factor Authentication (2FA)
For environments requiring the highest security, you can combine SSH keys with TOTP (Time-based One-Time Passwords) for two-factor authentication.
# Install Google Authenticator PAM module
sudo apt install libpam-google-authenticator
# Run setup for your user (creates ~/.google_authenticator)
google-authenticator
# Answer questions:
# Time-based tokens: y
# Update .google_authenticator file: y
# Disallow multiple uses: y
# Extend window: n
# Rate limiting: y
# Configure PAM for SSH
# Edit /etc/pam.d/sshd:
sudo nano /etc/pam.d/sshd
# Add at the top:
# auth required pam_google_authenticator.so
# Configure SSH daemon for 2FA
# Edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
# Set:
# ChallengeResponseAuthentication yes
# KbdInteractiveAuthentication yes
# UsePAM yes
# AuthenticationMethods publickey,keyboard-interactive
# Test config
sudo sshd -t
sudo systemctl reload sshd
# Now login requires: SSH key + TOTP code
# Install Google Authenticator or Authy app
# Scan the QR code shown during setup
Fail2ban: Automated Brute Force Protection
Fail2ban monitors log files and automatically bans IPs showing malicious behavior (too many failed login attempts).
Installation and Configuration
# Install fail2ban
sudo apt install fail2ban # Ubuntu/Debian
sudo dnf install fail2ban # AlmaLinux/Rocky
# Create local config (never edit main config — it gets overwritten on updates)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Recommended SSH Jail Configuration
# /etc/fail2ban/jail.local
[DEFAULT]
# Ban duration (seconds)
# 3600 = 1 hour, 86400 = 24 hours
bantime = 86400
# Time window for counting failures (seconds)
findtime = 600
# Number of failures before ban
maxretry = 5
# Email alerts (optional)
# destemail = admin@yourdomain.com
# sender = fail2ban@yourdomain.com
# mta = sendmail
# action = %(action_mwl)s # ban + email with log lines
# Ignore these IPs (add your own IP)
ignoreip = 127.0.0.1/8 ::1 YOUR_HOME_IP_HERE
[sshd]
enabled = true
port = 2222 # Change to your SSH port
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
bantime = 86400
Managing Fail2ban
# Start and enable fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
# Check status of all jails
sudo fail2ban-client status
# Check SSH jail specifically
sudo fail2ban-client status sshd
# Shows: Currently banned IPs, total banned, etc.
# Manually ban an IP
sudo fail2ban-client set sshd banip 203.0.113.100
# Unban an IP
sudo fail2ban-client set sshd unbanip 203.0.113.100
# View fail2ban logs
sudo tail -50 /var/log/fail2ban.log
# Test regex matching (verify fail2ban can parse your SSH logs)
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
SSH Security Checklist
Use this checklist every time you set up a new VPS:
Authentication:
- [ ] SSH key pair generated with Ed25519 (or RSA 4096)
- [ ] Private key protected with a strong passphrase
- [ ] Public key copied to server's
authorized_keys - [ ]
PasswordAuthentication noin sshd_config - [ ]
PermitRootLogin noin sshd_config - [ ]
PermitEmptyPasswords noin sshd_config - [ ]
MaxAuthTries 3or lower set
Access Control:
- [ ] Non-root admin user created with sudo access
- [ ]
AllowUsersorAllowGroupsconfigured (if applicable) - [ ] SSH port changed from 22 (optional, reduces log noise)
- [ ] Firewall allows new SSH port
- [ ] Source IP restrictions in authorized_keys (if applicable)
Session Security:
- [ ]
LoginGraceTime 20(or lower) - [ ]
ClientAliveInterval 300andClientAliveCountMax 2 - [ ]
X11Forwarding no(unless needed)
Cryptography:
- [ ] Strong key exchange algorithms configured
- [ ] Weak ciphers disabled
- [ ] Only modern MACs enabled
Monitoring:
- [ ]
LogLevel VERBOSEin sshd_config - [ ] Fail2ban installed and configured
- [ ] Log monitoring set up (logwatch or custom alerts)
Key Management:
- [ ] SSH key inventory maintained (who has access to what)
- [ ] Deploy keys have restricted commands in authorized_keys
- [ ] Key rotation schedule established
- [ ] Offboarding process: revoke keys when people leave
FAQ
1. I locked myself out of my VPS after changing SSH config. What do I do?
This is why you always test from a NEW terminal window before closing the original session. If you're locked out:
- Use your cloud provider's web console (AWS EC2 Console, DigitalOcean Console, Hetzner Web Console) to access the server without SSH
- Or boot into recovery mode through the cloud provider
- Fix the sshd_config error and restart SSH
Prevention: Before reloading SSH, always:
sudo sshd -t # test config
# Open NEW terminal and test connection
# Only then close the original terminal
2. How do I find the correct username for SSH login?
This depends on your cloud provider's default image:
Ubuntu → ubuntu
Debian → admin or root
CentOS/AlmaLinux/Rocky → ec2-user (AWS) or root
AWS Amazon Linux → ec2-user
DigitalOcean → root (first login), then create your own user
Your provider's control panel will show the correct username.
3. "Permission denied (publickey)" — how do I debug this?
# Step 1: Connect with maximum verbosity to see what's happening
ssh -vvv username@server-ip
# Look for lines like:
# debug1: Offering public key: /path/to/key
# debug1: Server accepts key
# or:
# debug1: No more authentication methods to try
# Step 2: Check authorized_keys on the server
cat ~/.ssh/authorized_keys
# Is your key in there?
# Step 3: Check permissions
ls -la ~/.ssh
# .ssh should be 700
# authorized_keys should be 600
# Step 4: Check SELinux context (on RHEL-based systems)
ls -laZ ~/.ssh
# Context should be: system_u:object_r:ssh_home_t:s0
restorecon -Rv ~/.ssh
4. Should I use port 22 or change SSH port?
Changing from port 22 to a high port (like 2222 or 22222) is commonly called "security through obscurity" and is not a primary security measure. It will:
- Reduce automated scan noise in your logs
- NOT stop targeted attacks (attackers scan all ports)
- Break tools/scripts that assume port 22
Verdict: Optional quality-of-life improvement. More important: disable password auth, disable root login, use fail2ban.
5. Is it safe to use ForwardAgent?
Agent forwarding is safe only to servers you fully control and trust. On a shared server or any server where others have root access, agent forwarding is risky — root can access your SSH agent socket and authenticate as you. Best practice:
- Use
ForwardAgent yesonly for specific hosts in your~/.ssh/config - Consider
ProxyJumpinstead of agent forwarding for jump host scenarios
6. How do I SSH from Windows?
Modern Windows (10/11) has native OpenSSH built in:
# In PowerShell or Command Prompt
ssh ubuntu@your-server-ip
# Generate key
ssh-keygen -t ed25519
# Copy key to server
type $env:USERPROFILE\.ssh\id_ed25519.pub | ssh ubuntu@server "cat >> ~/.ssh/authorized_keys"
Alternatives: PuTTY (traditional, uses .ppk format), Windows Terminal (modern, recommended), WSL2 (Linux environment inside Windows).
7. My SSH connection keeps dropping. How do I fix it?
# On CLIENT (~/.ssh/config):
Host *
ServerAliveInterval 60
ServerAliveCountMax 3
TCPKeepAlive yes
# On SERVER (/etc/ssh/sshd_config):
ClientAliveInterval 60
ClientAliveCountMax 3
# If on mobile/unreliable network, use Mosh instead:
# sudo apt install mosh
# mosh ubuntu@server
8. Can I have multiple SSH keys for the same server?
Yes. Each user's authorized_keys file can contain multiple public keys, one per line. Common use cases:
- Your work laptop key + personal laptop key
- Your key + team member's key (for shared admin servers)
- Regular key + emergency backup key stored in a vault
Each key can have different options (source IP restrictions, command restrictions) on the same line.
Conclusion
SSH is simultaneously your most powerful tool and your most critical security boundary as a server administrator. The good news: securing it properly is not difficult, and the patterns are well-established.
The five most impactful things you can do right now:
- Disable password authentication —
PasswordAuthentication noin sshd_config - Disable root login —
PermitRootLogin noafter creating a non-root admin user - Use Ed25519 keys with passphrases — for all SSH authentication
- Install and configure fail2ban — to automatically block brute force attackers
- Set up log monitoring — so you know when someone attempts unauthorized access
The ~/.ssh/config file and SSH tunneling/jump hosts are quality-of-life improvements that, once adopted, you'll wonder how you lived without.
SSH security is not a one-time configuration — it's an ongoing practice. Rotate your keys periodically, audit your authorized_keys files when team members change, and review your SSH logs regularly. An incident discovered in the logs is recoverable; one discovered after the attacker has been present for weeks is not.
Call to Action
Have you ever been locked out of a VPS or discovered suspicious SSH logins in your logs? Share what happened and how you responded in the comments.
For more guides in this series:
- 📌 How to Fix Server Down and Website Inaccessible Quickly — what to do when SSH itself is the problem
- 📌 Ubuntu Server vs Debian vs CentOS — choosing the right OS before you set up SSH
- 📌 25 Linux Commands Every Professional Server Administrator Must Master — the command-line foundation for SSH and beyond
Additional SEO Data
Primary Keyword: how to use SSH securely, SSH VPS remote management, secure SSH configuration
LSI Keywords: SSH key authentication, sshd_config hardening, SSH brute force protection, fail2ban SSH, SSH tunneling, SSH jump host, SCP file transfer
Semantic Keywords: remote server management, public key authentication, SSH port forwarding, server security, Linux administration, SSH config file, authorized keys
Long Tail Keywords: how to disable SSH password authentication, SSH key pair generation Ed25519, how to harden sshd_config, SSH brute force attack prevention, SSH tunneling to access database
Question Keywords: Is SSH secure by default?, How do I set up SSH key authentication?, What port should SSH use?, How to prevent SSH brute force attacks?
Entity Keywords: OpenSSH, Ed25519, RSA, fail2ban, SCP, SFTP, rsync, authorized_keys, known_hosts, SSH agent, TOTP, Google Authenticator, PuTTY
Meta Title: How to Use SSH Securely to Manage Your VPS Remotely (Complete Guide 2026)
Meta Description: Complete guide to using SSH securely for VPS management — key generation, sshd_config hardening, fail2ban, tunneling, jump hosts, file transfer, and automation.
Slug: how-to-use-ssh-securely-manage-vps-remotely
Blogger Tags: SSH, Security, VPS, Linux, Server Administration, Fail2ban, SSH Keys, Cryptography, DevOps, Remote Access
Category: Linux, Server Security, VPS Management, SSH
Alt Image: SSH security configuration diagram showing key-based authentication flow
Caption Image: How SSH public key authentication works — secure remote server access without passwords
{
"@context": "<https://schema.org>",
"@type": "Article",
"headline": "How to Use SSH Securely to Manage Your VPS Remotely: The Complete Guide",
"description": "Complete guide to SSH security for VPS management — key generation, sshd_config hardening, fail2ban, tunneling, jump hosts, file transfer, and CI/CD automation.",
"author": {
"@type": "Person",
"name": "CloudAdminHub"
},
"publisher": {
"@type": "Organization",
"name": "CloudAdminHub"
},
"datePublished": "2026-06-15",
"dateModified": "2026-06-15",
"mainEntityOfPage": {
"@type": "WebPage",
"@id": "<https://cloudadminhub.blogspot.com/2026/06/how-to-use-ssh-securely-manage-vps-remotely.html>"
}
}
{
"@context": "<https://schema.org>",
"@type": "FAQPage",
"mainEntity": [
{
"@type": "Question",
"name": "How do I make SSH more secure on my VPS?",
"acceptedAnswer": {
"@type": "Answer",
"text": "The five most important SSH security steps are: (1) Disable password authentication by setting PasswordAuthentication no in sshd_config, (2) Disable root login with PermitRootLogin no, (3) Use Ed25519 key pairs with passphrases, (4) Install fail2ban for automatic brute force protection, and (5) Set up log monitoring to detect unauthorized access attempts."
}
},
{
"@type": "Question",
"name": "What is the best SSH key type to use in 2026?",
"acceptedAnswer": {
"@type": "Answer",
"text": "Ed25519 is the recommended SSH key type in 2026. It provides excellent security with small key sizes and fast operations. For legacy systems that don't support Ed25519, use RSA with a 4096-bit key. Never use DSA (deprecated and insecure) or RSA with less than 4096 bits."
}
},
{
"@type": "Question",
"name": "How do I prevent SSH brute force attacks?",
"acceptedAnswer": {
"@type": "Answer",
"text": "The most effective combination: (1) Disable password authentication entirely (use keys only), which makes brute force computationally infeasible. (2) Install fail2ban to automatically ban IPs with too many failed attempts. (3) Set MaxAuthTries 3 in sshd_config to limit attempts per connection. (4) Optionally change the SSH port from 22 to reduce automated scan noise."
}
}
]
}
OG Title: How to Use SSH Securely to Manage Your VPS Remotely (2026)
OG Description: The complete SSH security guide — key generation, sshd_config hardening, fail2ban, port forwarding, jump hosts, file transfer with SCP/rsync, and deployment automation.
twitter:card = summary_large_image
twitter:title = How to Use SSH Securely to Manage Your VPS Remotely
twitter:description = Complete SSH security guide — keys, sshd_config hardening, fail2ban, tunneling, jump hosts, and CI/CD automation for Linux VPS admins.
Recommended External Links:
Komentar
Posting Komentar