How to Install and Configure an SSH Server on Debian (Complete Guide)

SSH (Secure Shell) is one of the most fundamental protocols in modern server administration. It provides an encrypted, authenticated channel for remotely accessing and managing Linux servers — making it an indispensable tool for system administrators, developers, and anyone running a remote machine. Whether you're managing a VPS Hosting environment or a Dedicated Server, properly installing and hardening your SSH server is one of the first tasks you should complete.

In this comprehensive guide, you'll learn how to install OpenSSH on Debian, configure it securely, set up key-based authentication, and apply best-practice hardening measures to protect your server from unauthorized access.

Prerequisites

Before you begin, make sure you have:

• A Debian-based server (Debian 10 Buster, 11 Bullseye, or 12 Bookworm)
• A non-root user with sudo privileges, or direct root access for initial setup
• Basic familiarity with the Linux command line
• Network access to your server

Step 1: Update Your System and Install OpenSSH Server

Before installing any software, it's good practice to refresh your package index and upgrade existing packages to their latest versions. This ensures compatibility and reduces security vulnerabilities.

sudo apt update && sudo apt upgrade -y

Now install the OpenSSH server package:

sudo apt install openssh-server -y

The package manager will download and install OpenSSH along with any required dependencies. Once the installation completes, the SSH service is typically started automatically.

Verify the SSH Service Is Running

Confirm that the ssh service is active and enabled:

sudo systemctl status ssh

You should see output similar to:

● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since ...

If the service is not running, start it manually and enable it to launch at boot:

sudo systemctl start ssh
sudo systemctl enable ssh

Step 2: Understand the SSH Configuration File

The primary SSH daemon configuration file is located at:

/etc/ssh/sshd_config

This file controls virtually every aspect of how your SSH server behaves — from which port it listens on, to which authentication methods are permitted. Before making any changes, create a backup of the original file:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Now open the file with a text editor:

sudo nano /etc/ssh/sshd_config

The sections below walk you through the most important configuration options.

Step 3: Harden Your SSH Configuration

3.1 Change the Default SSH Port (Recommended)

By default, SSH listens on port 22. This is widely known, and automated bots constantly scan the internet for open port 22 connections to attempt brute-force attacks. Changing the port to a non-standard value significantly reduces this noise.

Locate the following line (it may be commented out with #):

#Port 22

Uncomment it and change the value:

Port 2222

> Note: Choose a port number between 1024 and 65535 that isn't already in use by another service. Common alternatives include 2222, 2200, or 4422. Remember to update your firewall rules accordingly (see Step 5).

3.2 Disable Root Login (Strongly Recommended)

Allowing direct root login over SSH is a significant security risk. If an attacker guesses or brute-forces the root password, they gain complete control of your server. Disable it by finding and modifying this directive:

PermitRootLogin no

If you need to perform administrative tasks, log in as a regular user and escalate privileges using sudo.

3.3 Restrict SSH Access to Specific Users

You can whitelist specific user accounts that are permitted to log in via SSH. This prevents unauthorized or system accounts from being used as entry points:

AllowUsers your_username deploy_user

Alternatively, you can restrict access by group:

AllowGroups sshusers

3.4 Disable Password Authentication (After Setting Up Key Auth)

Once you have SSH key authentication working (see Step 6), disable password-based logins entirely to eliminate brute-force attack vectors:

PasswordAuthentication no

3.5 Additional Hardening Directives

Add or modify the following lines for a more robust security posture:

# Disable empty passwords
PermitEmptyPasswords no

# Limit authentication attempts per connection
MaxAuthTries 3

# Set idle session timeout (seconds)
ClientAliveInterval 300
ClientAliveCountMax 2

# Disable X11 forwarding if not needed
X11Forwarding no

# Use only SSH Protocol 2
Protocol 2

# Restrict to specific address family (IPv4 only example)
AddressFamily inet

Your final /etc/ssh/sshd_config relevant section should look something like this:

Port 2222
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers your_username
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2

Step 4: Validate the Configuration and Restart SSH

Before restarting the service, always test your configuration file for syntax errors. A misconfigured sshd_config can lock you out of your server:

sudo sshd -t

If no errors are returned, apply the changes by restarting the SSH daemon:

sudo systemctl restart ssh

Verify the service restarted cleanly:

sudo systemctl status ssh

> ⚠️ Important: Before closing your current SSH session, open a second terminal window and test the new configuration. This way, if something goes wrong, you still have an active session to fix the issue.

Step 5: Update Firewall Rules

If you're using UFW (Uncomplicated Firewall) — the default firewall tool on Debian — you need to allow traffic on your new SSH port.

If you changed the port to 2222:

sudo ufw allow 2222/tcp
sudo ufw reload

If you kept the default port 22:

sudo ufw allow ssh
sudo ufw reload

Check the current firewall status:

sudo ufw status verbose

If UFW is not yet enabled, activate it (make sure your SSH port is allowed first to avoid lockout):

sudo ufw enable

Step 6: Set Up SSH Key-Based Authentication

SSH key authentication is far more secure than password-based login. It uses asymmetric cryptography — a key pair consisting of a private key (kept secret on your client machine) and a public key (stored on the server). Even if an attacker knows your username, they cannot log in without the private key.

6.1 Generate an SSH Key Pair on Your Client Machine

Run the following command on your local machine (not the server):

ssh-keygen -t ed25519 -C "your_email@example.com"

> Why Ed25519? Ed25519 is a modern elliptic-curve algorithm that offers better security and performance compared to the older RSA algorithm. If your system doesn't support it, use RSA with a 4096-bit key: ssh-keygen -t rsa -b 4096

When prompted, choose a save location (default is ~/.ssh/id_ed25519) and set a strong passphrase for an additional layer of protection.

6.2 Copy the Public Key to Your Server

Use ssh-copy-id to securely transfer your public key to the server:

ssh-copy-id -p 2222 username@your_server_ip

This command appends your public key to ~/.ssh/authorized_keys on the server with the correct permissions.

If ssh-copy-id is not available, you can do it manually:

# On your local machine, display your public key:
cat ~/.ssh/id_ed25519.pub

# On the server, add it to authorized_keys:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "your_public_key_here" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

6.3 Test Key-Based Login

From your client machine, connect to the server:

ssh -p 2222 username@your_server_ip

You should be prompted for your key passphrase (not your account password). Once confirmed, you're logged in securely.

6.4 Disable Password Authentication

Now that key-based auth is working, go back to /etc/ssh/sshd_config and ensure:

PasswordAuthentication no

Restart SSH to apply:

sudo systemctl restart ssh

Step 7: Monitor and Maintain SSH Security

Installing and configuring SSH is not a one-time task. Ongoing monitoring is essential to detect intrusion attempts and maintain a secure environment.

Check Failed Login Attempts

sudo journalctl -u ssh | grep "Failed password"

Or using lastb to view failed login attempts:

sudo lastb | head -20

Install Fail2Ban to Block Brute-Force Attacks

Fail2Ban monitors log files and automatically bans IP addresses that show malicious behavior (such as repeated failed login attempts):

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Create a local jail configuration for SSH:

sudo nano /etc/fail2ban/jail.local

Add the following:

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600

Restart Fail2Ban to apply:

sudo systemctl restart fail2ban

Keep OpenSSH Updated

Regularly update OpenSSH to patch known vulnerabilities:

sudo apt update && sudo apt upgrade openssh-server -y

Connecting to Your SSH Server: Quick Reference

Choosing the Right Hosting Environment for SSH

The steps in this guide apply to any Debian-based server, but the type of hosting you use affects how you access and manage your environment:

• VPS Hosting: A VPS with cPanel or other VPS Control Panels gives you full root SSH access alongside a graphical management interface — ideal for users who want both power and convenience.
• Dedicated Servers: With a Dedicated Server, you have complete hardware-level control, making SSH configuration even more critical as you're solely responsible for the security of the machine.
• Shared Hosting: Shared Web Hosting plans typically provide limited or no SSH access, as the environment is shared among multiple users. If SSH is a requirement, upgrading to a VPS is the recommended path.

Conclusion

Installing and configuring an SSH server on Debian is a foundational skill for any system administrator or developer working with remote Linux servers. By following this guide, you have:

• ✅ Installed OpenSSH Server on Debian
• ✅ Hardened the SSH configuration by changing the default port, disabling root login, and restricting user access
• ✅ Set up SSH key-based authentication for passwordless, secure logins
• ✅ Configured firewall rules to protect your SSH port
• ✅ Implemented Fail2Ban to defend against brute-force attacks
• ✅ Established a monitoring and maintenance routine

A properly secured SSH server dramatically reduces your attack surface and gives you a reliable, encrypted gateway to manage your infrastructure remotely. Whether you're just getting started with your first server or hardening a production environment, these practices are essential building blocks of a secure Linux system.