Varidata News Bulletin
Knowledge Base | Q&A | Latest Technology | IDC Industry News
Varidata Blog

How to protect your SSH port from scanning

Release Date: 2026-07-13
SSH port scanning protection diagram for server security

To prevent SSH port scanning and attacks, you need strong protection. Start by changing your SSH port to a non-standard number. Use a firewall to block unwanted access. Only allow trusted IPs to connect. Set up key-based authentication for your service. Disable root login. Enable two-factor authentication for extra protection. With these steps, you increase your security and lower your risk.

Prevent SSH port scanning

You can reduce your risk of ssh port scanning by making your service harder to find and access. Attackers often use automated tools to scan networks for open ports. If you take steps to hide or protect your port, you make it much more difficult for these tools to find your server. Here are three effective methods you can use right away.

Change SSH port

Most attackers look for ssh on port 22. If you move your service to a different port, you avoid many automated scans. This simple change does not stop a determined attacker, but it blocks most basic port scanning attempts.

How to change your port:

  1. Open your configuration file.

    sudo nano /etc/ssh/sshd_config
  2. Find the line that says Port 22. Change 22 to another number between 1024 and 65535.

  3. Save the file and exit.

  4. Restart the service.

    sudo systemctl restart sshd
  5. Update your firewall rules to allow the new port.

  6. Connect to your server using the new port.

    ssh -p [new_port] user@your_server_ip

Changing the port does not make your ssh invisible, but it helps you avoid most automated port scanning.

Use port knocking

Port knocking adds another layer of protection to your service. You keep your port closed until you send a secret sequence of connection attempts. Only after you send the correct sequence does your server open the port for you.

  • Port knocking requires you to try connecting to a series of closed ports in a specific order.

  • The port stays closed until you complete the correct sequence.

  • Attackers cannot see your port during normal scans, so they cannot attack it.

How to set up port knocking:

  1. Install a port knocking tool, such as knockd.

    sudo apt-get install knockd
  2. Edit the knockd configuration file, usually at /etc/knockd.conf.

  3. Set your secret sequence of ports and the command to open the port.

  4. Start the knockd service.

    sudo systemctl start knockd
  5. Use a port knocking client to send the sequence before you connect.

Deploy SSH honeypot

A honeypot tricks attackers by pretending to be a real ssh service. When someone tries to connect, the honeypot records their actions. You use this information to spot attacks and learn about threats.

Steps to deploy an ssh honeypot:

  1. Choose a honeypot tool, such as Cowrie or Kippo.

  2. Install the honeypot on your server or a separate machine.

  3. Configure the honeypot to listen on port 22 or another port you want to monitor.

  4. Set your real service to a different port.

  5. Monitor the honeypot logs for suspicious activity.

By changing your port, using port knocking, and deploying a honeypot, you make the port scanning much harder for attackers. These steps help you protect your server from unwanted access and keep your service secure.

Restrict SSH with firewalls

Allowlist trusted IPs

You can greatly improve your security by allowing only trusted IP addresses to connect. When you set up your firewall to accept the connections from specific IPs, you close the door to everyone else. This step stops most attackers before they even reach your login prompt.

Allowlisting trusted IPs reduces the number of ssh brute-force attempts. Attackers scan large ranges of addresses, but your firewall blocks them if their IP is not on your list. This action lowers your risk of unauthorized access and keeps your server safer.

To allowlist trusted IPs for ssh:

  1. Identify the IP addresses you trust, such as your office or home network.

  2. Add rules to your firewall to permit the traffic only from these IPs.

  3. Test your connection to make sure you can still access your server.

  4. Update your list if your trusted IPs change.

Tip: If you travel or use dynamic IPs, consider using a VPN to connect from a fixed address.

Block unauthorized access

Blocking unauthorized access at the firewall level gives you strong protection. You stop attackers before they can even try to guess your password or key. Many organizations use this method to prevent unwanted connections.

The table below shows how blocking unauthorized ssh access leads to better security outcomes:

Description

Outcome

Implementation of firewall to block SSH and RDP communications

No unauthorized attacks against servers using administrative communication were reported.

Use of Safous Privileged Remote Access for secure access

Demonstrated success over more than a year without any unauthorized attacks.

You can set your firewall to drop all traffic except from your allowlist. This approach makes your server almost invisible to most attackers. You protect your data and reduce the risk of a breach.

Protect SSH access with authentication

Disable root login

You should disable root login to protect the access from brute-force attacks. Attackers often target the root account because it gives them full control. When you disable root login, you force attackers to guess both a valid username and password, making their job much harder.

  • Disabling root login prevents direct targeting of the root account.

  • Users must log in with standard accounts, which complicates attacks.

  • Privilege escalation becomes necessary, adding another security layer.

To safely disable root login on your server:

  • Use sudo chmod 600 /etc/ssh/sshd_config to set the correct permissions for your SSH configuration file.

  • Run sudo sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config to update the setting.

Restart your ssh service after making these changes.

Enforce key-based authentication

Key-based authentication gives you a much stronger way to secure ssh than passwords. You generate a public and private key pair. You keep the private key safe and upload the public key to your server. Attackers cannot log in without your private key, even if they know your username.

To enforce key-based authentication:

  1. Generate a key pair with ssh-keygen.

  2. Copy your public key to the server using ssh-copy-id user@server.

  3. Edit /etc/ssh/sshd_config and set PasswordAuthentication no.

  4. Restart the service.

You should use key-based authentication for every account. This method blocks most brute-force attacks and helps protect the access.

Enable 2FA

Adding 2fa, also called mfa or multi-factor authentication, gives you another layer of protection. With 2fa, you need something you know (your password or key) and something you have (a code or device).

  • 2fa adds an extra verification step beyond just a password or ssh key.

  • Even if an attacker gets your key, they still need the second factor.

  • This method helps defend against many types of credential theft.

Authentication Method

Description

Time-based one-time passwords (TOTP)

Generates a code for sign-in, requiring a password manager or authenticator app.

U2F or WebAuthn devices

Requires physical interaction with a device for secure authentication during sign-in.

You can choose the 2fa solution that fits your needs. Both options make the attacks much less likely to succeed.

Prevent empty passwords

Allowing empty passwords for SSH accounts poses significant security risks, as it makes systems vulnerable to unauthorized access and brute-force attacks. Security guidelines strongly recommend disabling empty passwords to enhance security.

To prevent empty passwords:

  • Open /etc/ssh/sshd_config in Vim.

  • Find the line that reads PermitEmptyPasswords.

  • Uncomment it and set the value to no.

This simple step closes a major security gap and helps you maintain strong protection.

Strengthen SSH encryption

You need to use strong encryption to keep your ssh connections safe. Attackers often try to break weak encryption. When you use strong encryption, you make it much harder for anyone to read your data or steal your credentials. You should always check your settings to make sure you use the best options for encryption.

Use strong ciphers and MACs

Ciphers and MACs (Message Authentication Codes) protect your traffic. Ciphers scramble your data so no one can read it. MACs make sure no one changes your data while it travels across the network. You should pick only the strongest options for both.

You can set these options in your ssh configuration file. Open /etc/ssh/sshd_config and add or update these lines:

Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256,hmac-sha2-512

Restart your service after you save the file. This step ensures your ssh uses strong encryption every time you connect.

Tip: Review your encryption settings after every major update. New standards may appear, and you want to keep your encryption strong.

Set SSH banner message

A banner message warns users before they log in. You can use it to tell users about your security rules or warn attackers that you monitor ssh access. A clear banner does not improve encryption, but it helps you set expectations and may stop some attacks.

To set a banner message:

  1. Create a text file with your message, such as /etc/ssh/sshd_banner.

  2. Add this line to your configuration file:

    Banner /etc/ssh/sshd_banner
  3. Restart your service.

A good banner message reminds users to follow your rules and shows that you take strong encryption and ssh security seriously.

Monitor and update SSH security

Enable SSH logging

You need to enable logging for your service to keep track of who tries to access your server. Logging helps you capture important events and spot problems early. When you turn on the logging, you can:

  • Record every login attempt, both successful and failed.

  • Track suspicious activity, such as repeated password guesses.

  • Set up alerts for unusual events, so you can act fast.

  • Identify intrusion attempts by checking for unauthorized actions.

  • Respond quickly by blocking IP addresses or updating your configuration file.

You can enable logging by making sure your configuration file has the right settings. Most systems log ssh activity by default, but you should check and adjust your settings for better security.

Monitor suspicious activity

You should review your logs often. Watching for signs of trouble helps you stop attacks before they cause damage. Important things to monitor include:

  • Authentication logs that show who tried to log in.

  • Access logs that reveal any strange or unexpected connections.

  • Command histories that can uncover if someone ran harmful commands.

If you see repeated failed logins or unknown users, you should investigate right away. Early action can prevent bigger problems.

Keep SSH updated

You must keep your software up to date. Updates fix security holes and add new features. Attackers often target old versions because they have known weaknesses. You should check for updates regularly and install them as soon as possible.

To update, use your system’s package manager. For example:

sudo apt-get update
sudo apt-get upgrade openssh-server

After updating, review your configuration file to make sure your settings are still correct. Staying current with updates keeps your server safe from new threats.

Best practices to protect SSH access

Regular security audits

You need to perform regular security audits to keep your environment safe. Audits help you find weaknesses and fix them before attackers exploit them. You should follow a clear process to check your settings and user activity.

Here is a table that shows the key steps for a thorough ssh audit:

Step

Description

1

Implement key-based authentication to enhance security.

2

Disable root login to prevent unauthorized access.

3

Enforce strong encryption to protect data in transit.

4

Keep systems updated to mitigate vulnerabilities.

5

Implement multi-factor authentication for added security.

6

Enable logging and monitoring to track access and changes.

7

Implement access controls to restrict user permissions.

8

Use SSH key passphrases to protect private keys.

You should also manage idle connections. Set ClientAliveInterval and ClientAliveCountMax in your configuration file to disconnect inactive sessions. This practice reduces the risk of unauthorized access.

Tip: Schedule audits every quarter. Review logs and settings to spot unusual activity.

Review user accounts

You must review user accounts often to maintain strong ssh security. Remove accounts that no longer need access. Check permissions to make sure users only have what they need.

Create a list of all users with the access. Look for accounts with weak passwords or missing keys. Update or disable these accounts right away.

  • Remove inactive users.

  • Limit permissions for each account.

  • Require key-based authentication for all users.

  • Check for empty passwords and fix them.

You improve your ssh security by following these practices. When you combine regular audits and account reviews, you follow best practices and protect your server from threats.

You can protect your ssh port by changing the default port, setting up firewalls, and using strong authentication. Review your settings often and update your security tools. Stay alert for suspicious activity.

  • Change your port

  • Allow only trusted IPs

  • Enforce key-based authentication

  • Monitor logs and update software

FAQ

What is the safest way to access my server remotely?

You should use ssh with key-based authentication. This method gives you strong security. Always keep your private key safe and never share it.

How often should I update my ssh configuration?

You should review your settings every few months. Check for new security updates and best practices. Update your configuration as needed to stay protected.

Can I use ssh on a public Wi-Fi network?

Yes, you can use ssh on public Wi-Fi. However, always verify the server’s fingerprint before connecting. Use strong authentication and avoid logging in as root.

What should I do if I notice suspicious ssh login attempts?

Act quickly. Block the suspicious IP addresses using your firewall. Change your passwords and review your logs for more signs of trouble.

How do I know if my ssh port is being scanned?

You can check your server logs for repeated connection attempts on your port. Many failed logins or unknown IP addresses may show that someone is scanning your port.

Your FREE Trial Starts Here!
Contact our Team for Application of Dedicated Server Service!
Register as a Member to Enjoy Exclusive Benefits Now!
Your FREE Trial Starts here!
Contact our Team for Application of Dedicated Server Service!
Register as a Member to Enjoy Exclusive Benefits Now!
Telegram Teams