https://ygramitzky.de/tags/ssh/Recent content in SSH on Yanis Gramitzky - Infrastructure & AutomationHugo -- gohugo.ioenThu, 19 Mar 2026 08:00:00 +0100https://ygramitzky.de/posts/ssh-hardening/Thu, 19 Mar 2026 08:00:00 +0100https://ygramitzky.de/posts/ssh-hardening/<h2 id="why-harden-ssh">Why Harden SSH?</h2> <p>SSH (Secure Shell) is the backbone of remote server administration. It encrypts traffic and provides authenticated access — but out of the box, most SSH daemons ship with settings optimized for compatibility, not security.</p> <p>A default SSH setup is vulnerable to:</p> <ul> <li><strong>Brute-force and credential stuffing attacks</strong> — automated bots hammer port 22 around the clock</li> <li><strong>Weak cipher suites</strong> — legacy algorithms like MD5 and arcfour can be exploited</li> <li><strong>Root login exposure</strong> — a compromised root session means total system takeover</li> <li><strong>Password-based auth</strong> — passwords can be guessed, leaked, or phished</li> <li><strong>Idle session hijacking</strong> — abandoned sessions left open are an open door</li> </ul> <p>Hardening SSH is one of the highest-ROI security measures you can take. It reduces your attack surface dramatically with minimal operational overhead.</p>