Securing Your OpenSSH Server on Debian and Ubuntu


Securing an OpenSSH server is crucial to maintaining the integrity and confidentiality of your network communications. This guide provides comprehensive steps on enhancing the security of your OpenSSH installation on Debian and Ubuntu systems, focusing on public key-only authentication, firewall configurations, and the setup of a chroot environment.

Public Key Authentication

Using public key-only authentication for privileged accounts such as the root user enhances security by eliminating the risks associated with password-based authentication. To set this up:

  1. Generate an SSH key pair: If you do not have an SSH key, generate one using ssh-keygen. Run the following command and follow the prompts:
    ssh-keygen -t rsa -b 4096
  2. Copy the public key to your server: Use ssh-copy-id to add your public key to the server's authorized keys:
  3. Configure SSH: Edit the SSH configuration file /etc/ssh/sshd_config:
    PermitRootLogin prohibit-password
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
    Then restart SSH:
    sudo systemctl restart sshd

Configuring a Firewall

A properly configured firewall can restrict access to SSH services to only known IPs, significantly reducing the attack surface. For Ubuntu and Debian, ufw (Uncomplicated Firewall) is commonly used:

sudo ufw allow from to any port 22
sudo ufw enable

Replace with the IP range that you wish to allow. This command configures the firewall to only accept SSH connections from within the specified IP range.

Creating a Chroot Environment

Setting up a chroot environment for SSH users can enhance system security by isolating user activities to specific directories. Here’s how you can deploy a chroot using debootstrap on Debian:

  1. Install debootstrap: First, install the debootstrap package:
    sudo apt-get install debootstrap
  2. Create a chroot directory: For example, to create a chroot for user directories in /home/chroot:
    sudo mkdir /home/chroot
    Then setup a basic Debian system inside:
    sudo debootstrap --arch amd64 bullseye /home/chroot
  3. Configure SSH for chroot: Edit /etc/ssh/sshd_config and add:
    Match User username
        ChrootDirectory /home/chroot
        X11Forwarding no
        AllowTcpForwarding no
        PermitTTY yes
        ForceCommand internal-sftp
    Restart SSH to apply changes:
    sudo systemctl restart sshd

Maintaining Security with Regular Updates

Keeping your server's software up-to-date is crucial. Regular updates can protect against vulnerabilities that could be exploited by attackers. For managing patches efficiently, consider using a dedicated patch management solution.

Visit for Patch Management


By following the steps outlined in this guide, you can significantly enhance the security of your OpenSSH server on Debian and Ubuntu. Implementing public key authentication, configuring a firewall, and setting up a chroot environment are effective strategies to protect your systems against unauthorized access.