Learn how to secure SSH on AlmaLinux 10 using SSH key authentication and Fail2ban. Disable password logins, prevent brute force attacks, and improve server security.
SSH is the primary way administrators connect to Linux servers. Because it is exposed to the internet on many systems, it is also one of the most frequently targeted services.
Automated bots continuously scan IP ranges looking for servers that allow password authentication. Once found, they begin trying thousands of username and password combinations in an attempt to gain access.
A properly secured SSH configuration dramatically reduces this risk.
In this guide, we will secure SSH on AlmaLinux 10 by:
- Configuring SSH key authentication
- Disabling root login
- Disabling password authentication
- Installing Fail2ban
- Blocking brute force login attempts
By the end of this tutorial, your AlmaLinux 10 server will have a much stronger SSH security posture.
Prerequisites
Before starting, make sure you have:
- An AlmaLinux 10 dedicated server
- Root or sudo access
- An SSH client on your local computer
- Access to the server's IP address
Step 1: Update the Server
Start by updating installed packages.
sudo dnf update -y
Keeping your server updated ensures you have the latest security fixes and package updates.
Step 2: Generate an SSH Key Pair
SSH keys provide significantly stronger protection than passwords.
On your local computer, generate an Ed25519 key pair:
ssh-keygen -t ed25519 -C "almalinux-server"
Press Enter to accept the default location.
You will then be prompted to create a passphrase.
A passphrase is recommended because it encrypts the private key file, so a copy taken from a compromised workstation cannot be used without the passphrase.
Once complete, the following files will be created:
~/.ssh/id_ed25519
~/.ssh/id_ed25519.pub
The private key stays on your local computer.
The public key will be uploaded to the server.
Step 3: Copy the Public Key to the Server
Use the following command:
ssh-copy-id username@server_ip
Example:
ssh-copy-id [email protected]
Enter your current SSH password when prompted.
If ssh-copy-id is unavailable:
cat ~/.ssh/id_ed25519.pub
Copy the output and place it inside:
~/.ssh/authorized_keys
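on the server. The ~/.ssh directory and the authorized_keys file must not be writable by group or others (typically modes 700 and 600), otherwise sshd ignores the file.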
Step 4: Test SSH Key Authentication
Open a new terminal window and connect to the server.
ssh username@server_ip
If the login succeeds without requesting the server password, key authentication is working correctly.
Keep your original SSH session open until testing is complete.
Step 5: Disable Root Login
Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Find:
PermitRootLogin yes
Change it to:
PermitRootLogin no
If the line does not exist, add it manually.
This prevents attackers from attempting direct root logins.
Step 6: Disable Password Authentication
While editing the same file, locate:
PasswordAuthentication yes
Change it to:
PasswordAuthentication no
Also verify these settings exist:
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Save and close the file.
Step 7: Validate the SSH Configuration
Before restarting SSH, check the configuration for errors.
sudo sshd -t
If no output appears, the configuration is valid.
Step 8: Restart SSH
Apply the configuration changes.
sudo systemctl restart sshd
Verify service status:
sudo systemctl status sshd
Open another terminal window and verify that SSH key login works.
ssh username@server_ip
Password authentication should no longer work.
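One way to confirm the result of Steps 5 to 8 is to check the effective settings printed by sshd -T, because sshd keeps the first value it reads for each keyword, so a file pulled in by an Include directive ahead of your edits can override them. The script below is an added example, not part of the original guide; the function name audit_sshd is hypothetical and the sample dumps are constructed.

```shell
#!/bin/sh
# Added example: compare the effective sshd settings with this guide's targets.
# On the server:  sudo sshd -T | audit_sshd

# Targets from Steps 5 and 6, in the lowercase form `sshd -T` prints.
# ChallengeResponseAuthentication shows up as kbdinteractiveauthentication.
EXPECTED='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no'

# Constructed samples of `sshd -T` output (not captured from a real host).
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'
# Same host, but an included file read earlier set PasswordAuthentication yes.
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Reads `sshd -T` output on stdin, prints OK/FAIL per setting, and
# returns non-zero if any setting differs from EXPECTED or is missing.
audit_sshd() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Demo on the constructed "overridden" dump: reports the password setting.
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd || echo "sshd is not hardened as intended"
```

A FAIL line after you have edited /etc/ssh/sshd_config means another configuration file set the keyword first.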
Step 9: Verify SELinux Contexts
AlmaLinux uses SELinux by default.
Incorrect SELinux contexts can prevent SSH keys from working properly.
Check your SSH directory:
ls -laZ ~/.ssh
If you suspect SELinux issues, restore the correct context:
restorecon -R -v ~/.ssh
This step solves many SSH key authentication problems on RHEL-based systems.
Step 10: Install Fail2ban
Fail2ban automatically blocks IP addresses that repeatedly fail authentication.
Install Fail2ban:
sudo dnf install epel-release -y
sudo dnf install fail2ban fail2ban-firewalld -y
Enable the service:
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Verify status:
sudo systemctl status fail2ban
Step 11: Configure Fail2ban for SSH
Create a local configuration file:
sudo nano /etc/fail2ban/jail.local
Add:
[sshd]
enabled = true
port = ssh
# logpath is ignored while backend = systemd (Fail2ban reads the journal instead)
logpath = /var/log/secure
backend = systemd
maxretry = 5
findtime = 10m
bantime = 1h
Save the file.
Restart Fail2ban:
sudo systemctl restart fail2ban
Step 12: Check Fail2ban Status
View active jails:
sudo fail2ban-client status
Example output:
Status
|- Number of jail: 1
`- Jail list: sshd
View SSH protection details:
sudo fail2ban-client status sshd
This shows:
- Failed login attempts
- Banned IP addresses
- Current jail status
Step 13: Monitor SSH Security Events
View SSH authentication logs:
sudo tail -f /var/log/secure
View Fail2ban activity:
sudo journalctl -u fail2ban -f
These logs help identify suspicious activity and blocked attackers.
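How the jail thresholds from Step 11 (maxretry = 5 within findtime = 10m) decide a ban, shown on constructed log lines; this is an added example, not part of the original guide and not Fail2ban's own code. The function name would_ban is hypothetical, and matching only "Invalid user" and "Failed password" lines is an assumption that simplifies Fail2ban's sshd filter.

```shell
#!/bin/sh
# Added example: apply the jail's maxretry/findtime rule to sshd log lines.
# On the server:  sudo cat /var/log/secure | would_ban 5 600

# Constructed sample in /var/log/secure format (documentation IP ranges).
SAMPLE_LOG='Jun  3 10:00:01 srv sshd[2101]: Invalid user admin from 203.0.113.7 port 40110
Jun  3 10:00:09 srv sshd[2103]: Invalid user test from 203.0.113.7 port 40112
Jun  3 10:00:17 srv sshd[2105]: Invalid user oracle from 203.0.113.7 port 40114
Jun  3 10:00:31 srv sshd[2107]: Invalid user ubuntu from 203.0.113.7 port 40116
Jun  3 10:01:02 srv sshd[2109]: Invalid user git from 203.0.113.7 port 40118
Jun  3 10:02:00 srv sshd[2200]: Accepted publickey for deploy from 192.0.2.44 port 51000 ssh2
Jun  3 10:05:00 srv sshd[2301]: Invalid user admin from 198.51.100.23 port 33001
Jun  3 10:17:00 srv sshd[2302]: Invalid user admin from 198.51.100.23 port 33002
Jun  3 10:29:00 srv sshd[2303]: Invalid user admin from 198.51.100.23 port 33003
Jun  3 10:41:00 srv sshd[2304]: Invalid user admin from 198.51.100.23 port 33004
Jun  3 10:53:00 srv sshd[2305]: Invalid user admin from 198.51.100.23 port 33005'

# Reads log lines on stdin. Prints "IP HH:MM:SS" for each address at the
# moment it reaches maxretry ($1) failures inside a findtime ($2, seconds)
# window. Assumes all lines fall in the same month (no year in the format).
would_ban() {
    awk -v maxretry="${1:-5}" -v findtime="${2:-600}" '
    /sshd\[[0-9]+\]: (Invalid user|Failed password)/ {
        # The source address is the field that follows the last "from".
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        split($3, t, ":")
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        n[ip]++
        ts[ip, n[ip]] = now
        # Count this address'"'"'s failures that are still inside the window.
        hits = 0
        for (j = 1; j <= n[ip]; j++) if (ts[ip, j] > now - findtime) hits++
        if (hits >= maxretry && !(ip in banned)) {
            banned[ip] = 1
            print ip, $3
        }
    }'
}

# Demo with the jail values from Step 11: only the fast scanner is banned.
printf '%s\n' "$SAMPLE_LOG" | would_ban 5 600
```

The second address makes the same five attempts but spaces them 12 minutes apart, so it never accumulates five failures inside one 10-minute window.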
Final Security Checklist
Before considering SSH secure, verify the following:
- SSH keys are configured
- Root login is disabled
- Password authentication is disabled
- SSH configuration passes validation
- SELinux contexts are correct
- Fail2ban is active
- System packages are updated regularly
- Login testing succeeds from a separate terminal
Conclusion
Securing SSH on AlmaLinux 10 requires only a few minutes but provides substantial security benefits.
By replacing passwords with SSH keys, disabling direct root access, and using Fail2ban to block repeated login failures, you significantly reduce the risk of unauthorized access and automated attacks.
These simple changes form a strong foundation for any production server running AlmaLinux 10.

