HostnExtra Logo
Global Dedicated Servers HostnExtra

Featured Category

Firewall

Programming

Web Servers

Database

Tools

Security

Linux Basics

All Categories

Latest Tutorials

Go back

Secure SSH on Ubuntu 26.04 with Key Authentication and Fail2ban

Security

By Jennifer Webb

Updated on Jun 04, 2026

Secure SSH on Ubuntu 26.04 with Key Authentication and Fail2ban

Secure SSH on Ubuntu 26.04 with Key Authentication and Fail2ban

SSH is one of the most important services running on a Linux server. It allows administrators to connect remotely and manage systems from anywhere. Because SSH is exposed to the internet on many servers, it is also one of the first targets for automated attacks.

Attackers constantly scan servers looking for weak passwords and unsecured SSH configurations. Even a freshly deployed server can start receiving login attempts within hours.

Fortunately, securing SSH is straightforward. By switching to SSH key authentication and using Fail2ban to block suspicious login attempts, we can significantly improve server security.

In this guide, we will:

  • Configure SSH key authentication
  • Disable root login
  • Disable password authentication
  • Install and configure Fail2ban
  • Protect the server against brute force attacks

By the end of this tutorial, your Ubuntu 26.04 server will have a much stronger SSH security setup.

Prerequisites

Before starting, make sure you have:

  • An Ubuntu 26.04 dedicated server
  • Root or sudo privileges
  • SSH access to the server
  • A Linux, macOS, or Windows computer

Step 1: Update the Server

Start by updating the package index and installed packages.

sudo apt update
sudo apt upgrade -y

Keeping the system updated helps ensure you have the latest security patches installed.

Step 2: Install OpenSSH Server

Many cloud providers install SSH automatically, but it is worth verifying.

Check the SSH service status:

sudo systemctl status ssh

If OpenSSH Server is not installed, install it:

sudo apt install openssh-server -y

Enable SSH at boot:

sudo systemctl enable ssh

Start the service:

sudo systemctl start ssh

Verify that SSH is running:

sudo systemctl status ssh

You should see the service listed as active.

Step 3: Generate an SSH Key Pair

SSH keys provide a much stronger authentication method than passwords.

On your local computer, generate a new Ed25519 key pair:

ssh-keygen -t ed25519 -C "ubuntu-server"

Press Enter to accept the default file location.

You will then be prompted to create a passphrase.

Using a passphrase is recommended because it adds another layer of protection to your private key.

After the process completes, two files will be created:

~/.ssh/id_ed25519
~/.ssh/id_ed25519.pub

The private key remains on your local computer.

The public key will be uploaded to the server.

Step 4: Copy the Public Key to the Server

The easiest method is using ssh-copy-id.

ssh-copy-id username@server_ip

Example:

ssh-copy-id [email protected]

Enter your existing SSH password when prompted.

If ssh-copy-id is not available, display the public key manually:

cat ~/.ssh/id_ed25519.pub

Copy the output and add it to:

~/.ssh/authorized_keys

on the server.

Step 5: Test SSH Key Authentication

Open a new terminal window and connect to the server.

ssh username@server_ip

If the login succeeds without asking for the server password, key authentication is working correctly.

Do not close your original SSH session yet.

Always keep a working session open while testing SSH changes.

Step 6: Create a Custom SSH Security Configuration

Ubuntu 26.04 supports configuration snippets through the sshd_config.d directory.

Instead of modifying the main SSH configuration file directly, create a custom security configuration file.

sudo nano /etc/ssh/sshd_config.d/99-security.conf

Add the following settings:

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no

Save and close the file.

What These Settings Do

PermitRootLogin no

Prevents direct root logins through SSH.

PasswordAuthentication no

Disables password based logins.

PubkeyAuthentication yes

Allows SSH key authentication.

ChallengeResponseAuthentication no

Disables challenge response authentication methods that are no longer needed in most environments.

Step 7: Validate the SSH Configuration

Before restarting SSH, verify that the configuration contains no errors.

sudo sshd -t

If no output appears, the configuration is valid.

If errors are displayed, correct them before proceeding.

Step 8: Restart SSH

Apply the configuration changes.

sudo systemctl restart ssh

Verify the service status:

sudo systemctl status ssh

Now open another terminal window and test SSH access again.

ssh username@server_ip

You should successfully log in using your SSH key.

Password authentication should no longer work.

Step 9: Install Fail2ban

Fail2ban monitors log files and automatically blocks IP addresses that generate repeated failed login attempts.

Install Fail2ban:

sudo apt install fail2ban -y

Enable the service:

sudo systemctl enable fail2ban

Start Fail2ban:

sudo systemctl start fail2ban

Verify the service status:

sudo systemctl status fail2ban

Step 10: Configure Fail2ban for SSH Protection

Create a local Fail2ban configuration file:

sudo nano /etc/fail2ban/jail.local

Add the following configuration:

[sshd]
enabled = true
port = ssh
backend = systemd
maxretry = 5
findtime = 10m
bantime = 1h

Save and close the file.

Understanding the Configuration

enabled = true

Enables protection for SSH.

maxretry = 5

Allows five failed login attempts before action is taken.

findtime = 10m

Counts failed attempts within a ten minute period.

bantime = 1h

Blocks offending IP addresses for one hour.

backend = systemd

Uses Ubuntu's systemd journal logs to detect authentication failures.

Step 11: Restart Fail2ban

Apply the new configuration.

sudo systemctl restart fail2ban

Verify that the SSH jail is active:

sudo fail2ban-client status

Example output:

Status
|- Number of jail: 1
`- Jail list: sshd

Check SSH jail details:

sudo fail2ban-client status sshd

This displays:

  • Currently banned IP addresses
  • Total failed login attempts
  • Current protection status

Step 12: Monitor SSH Activity

View SSH authentication logs in real time:

sudo journalctl -u ssh -f

Monitor Fail2ban activity:

sudo journalctl -u fail2ban -f

These commands are useful when troubleshooting login issues or monitoring security events.

Final Security Checklist

Before considering your SSH setup secure, verify the following:

  • SSH keys are configured and working
  • Root login is disabled
  • Password authentication is disabled
  • SSH configuration passes validation
  • Fail2ban is installed and active
  • Ubuntu packages are updated regularly
  • SSH login testing succeeds from a new terminal session

Conclusion

SSH security is often overlooked until a server starts receiving thousands of login attempts from automated bots. Fortunately, securing SSH on Ubuntu 26.04 requires only a few simple changes.

By replacing passwords with SSH keys, disabling direct root access, and deploying Fail2ban, you create multiple layers of protection that significantly reduce the risk of unauthorized access.

These steps take only a few minutes to implement but can prevent many of the most common attacks against internet facing Linux servers.