Server Security

SSH Hardening for Offshore VPS Servers

Step-by-Step Tutorial

What you will set up

By the end, you will log in to your offshore VPS with an SSH key instead of a password — with password login and root login switched off, so random bots can no longer guess their way in.

Do one step at a time. Finish a step, check it works, then move on. The golden rule for SSH: keep your current terminal open until you have tested a brand-new login in a second window. That one habit stops you from locking yourself out.

Level: Some command-line use needed.
Where you work: Your own computer + the VPS over SSH.
Why do it: A VPS that is far harder to break into.

Before you start

The goal: swap weak password logins for SSH keys, then close the doors attackers love — password authentication and direct root login.

Take a snapshot first. If your panel allows it, create a server snapshot before you touch the SSH settings. That way, if something goes wrong, you can roll back in a minute.

  • Keep your VPS provider panel login ready — most offer a web console that works even when SSH is down.
  • Keep your server IP and your normal username ready.
  • Open a notes file and write down every change you make.
  • Most important: keep your current SSH session open the whole time. Only close it after a fresh login works in a second terminal.

Where does each change happen?

SSH hardening has two sides — your computer and the server. Here is the simple rule:

  • Creating the key pair → on your own computer.
  • Copying the public key → sent from your computer to the server.
  • SSH settings (the rules) → the file /etc/ssh/sshd_config on the server.
  • Emergency access if SSH breaks → the web console in your VPS provider panel.

Figure: Where each part of SSH hardening happens (key creation on your computer, config changes on the offshore VPS).

The steps

Step 1: Create a key pair and copy it to the server

An SSH key is like a special lock and key. The private key stays on your computer; the public key goes on the server. Run both commands on your own computer. When ssh-keygen asks for a file location, press Enter to accept the default.

ssh-keygen -t ed25519
ssh-copy-id youruser@your-server-ip

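Check: after ssh-copy-id, try ssh youruser@your-server-ip. It should log you in without asking for the account password on the server. If you set a passphrase on the key, a prompt for that passphrase is expected.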

Step 2: Turn off password and root login

Now that key login works, close the easy doors. On the server, open the SSH config file with an editor (for example nano /etc/ssh/sshd_config) and set these two lines. If a line already exists with a # in front, remove the # and change the value.

PasswordAuthentication no
PermitRootLogin no

Check: save the file. Both lines should be present, with no # at the start.

Step 3 (optional): Change the SSH port

Moving SSH off port 22 hides it from most automated bots. In the same /etc/ssh/sshd_config file, set a custom port. Before you restart SSH, open that port in your firewall, or you will lock yourself out.

Port 2222

Check: the new Port line is saved, and the same port is allowed in your firewall (see the extra commands below).

Step 4: Restart SSH and test a fresh login

Apply the changes by restarting the SSH service. Do not close your current terminal. Restart, then open a brand-new terminal window and log in there. Only when the new login works should you close the old session.

systemctl restart ssh

Check: in a second terminal, run ssh youruser@your-server-ip (add -p 2222 if you changed the port). It should log in with your key, and refuse any password attempt.
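
A pre-restart check for Steps 2 to 4, added here as an example (it is not part of the original tutorial): a file pulled in by an Include line can override the values you edited in /etc/ssh/sshd_config, so audit the effective settings that sshd -T prints rather than the file itself. The helper name audit_sshd and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Audit the *effective* sshd settings before restarting SSH.
# Input: output of `sshd -T` (run as root on the server), which prints the
# merged configuration as lowercase "keyword value" lines.

# Constructed sample: an included drop-in file still enables passwords.
SAMPLE_BAD='port 22
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'

# Constructed sample: the state this tutorial is aiming for.
SAMPLE_GOOD='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# audit_sshd (hypothetical helper): read `sshd -T` output on stdin, print
# every setting that is missing or differs from the target, and return 0
# only when all of them match.
audit_sshd() {
    awk '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["permitrootlogin"] = "no"
            want["pubkeyauthentication"] = "yes"
        }
        ($1 in want) { seen[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
                else if (seen[k] != want[k]) {
                    printf "FAIL %s is %s, want %s\n", k, seen[k], want[k]
                    bad = 1
                }
            }
            exit bad
        }'
}

# On the server (as root), chain the syntax check, the audit and the restart:
#   sshd -t && sshd -T | audit_sshd && systemctl restart ssh
printf '%s\n' "$SAMPLE_BAD"  | audit_sshd || echo "sample 1: do not restart yet"
printf '%s\n' "$SAMPLE_GOOD" | audit_sshd && echo "sample 2: safe to restart"
```

sshd -t only validates syntax; the audit is what catches a setting that is valid but not the one you intended.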

Extra commands you may need

Run these only on your own server. If your server uses a managed panel, check with support before changing system-level settings.

Open the new port in the firewall

If you changed the port in Step 3, allow it before restarting SSH. This example is for UFW on Ubuntu/Debian.

ufw allow 2222/tcp
ufw reload

Confirm which port SSH is listening on

ss -tulpn | grep ssh

The output shows the exact port SSH is using right now — handy after a port change.

See recent login attempts

tail -n 50 /var/log/auth.log

This shows who tried to log in and whether it worked — useful for spotting failed key logins or blocked bots.
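
A way to read that log output after hardening, added here as an example (not from the original tutorial): it counts key logins, password logins and rejected attempts per source address, and flags any accepted password login, which should not occur once PasswordAuthentication is no. The helper name summarize_auth and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise sshd entries from auth.log after hardening.
# Constructed sample lines (documentation IP ranges, placeholder fingerprint).
SAMPLE_LOG='Jan 10 10:29:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 10:29:04 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 10 10:30:12 vps sshd[1210]: Accepted publickey for youruser from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED-EXAMPLE
Jan 10 10:41:55 vps sshd[1302]: Invalid user test from 192.0.2.44 port 33870
Jan 10 10:42:30 vps sshd[1310]: Accepted password for youruser from 198.51.100.20 port 40100 ssh2'

# summarize_auth (hypothetical helper): read auth.log lines on stdin, print
#   key_logins=N password_logins=N
#   rejected <ip> <count>     (one line per source, in order of first sight)
# and return 1 if any password login was accepted.
summarize_auth() {
    awk '
        function src(   i) {            # address that follows the word "from"
            for (i = 1; i < NF; i++) if ($i == "from") return $(i + 1)
            return "unknown"
        }
        !/sshd\[/ { next }              # ignore lines from other services
        /Accepted publickey for/ { key++ }
        /Accepted password for/  { pw++ }
        /Failed password for|Invalid user / {
            ip = src()
            if (!(ip in rejected)) order[++n] = ip
            rejected[ip]++
        }
        END {
            printf "key_logins=%d password_logins=%d\n", key, pw
            for (i = 1; i <= n; i++)
                printf "rejected %s %d\n", order[i], rejected[order[i]]
            exit (pw > 0)
        }'
}

# On the server: tail -n 500 /var/log/auth.log | summarize_auth
printf '%s\n' "$SAMPLE_LOG" | summarize_auth \
    || echo "password login accepted: re-check the sshd settings"
```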

Keep short notes as you go

While you work, jot down each change: the old value, the new value, the time, and whether the test passed. For example: “PasswordAuthentication set to no at 10:30, key login from second terminal works.” It sounds small, but it saves a lot of confusion if something breaks.

If you run server commands, paste the output into your notes too. Then if you ask support for help, you can show the exact command, the exact error, and the exact time.

If a step fails, how to undo it

Always have a way back. If you get locked out of SSH, open the web console in your VPS panel — it does not use SSH — and edit /etc/ssh/sshd_config to set PasswordAuthentication yes again, then restart SSH. If you changed the port and cannot connect, re-open the old port in the firewall. Don’t change ten things at once.

Figure: The final testing checklist after hardening SSH on an offshore VPS.

How to test after setup

  1. Open a new terminal (keep the old one open) and log in with your key.
  2. Add the port flag if you changed it: ssh -p 2222 youruser@your-server-ip.
  3. Try logging in as root — it should be refused.
  4. Try forcing a password login — it should also be refused.
  5. Run ss -tulpn | grep ssh to confirm the listening port.
  6. Check tail -n 50 /var/log/auth.log for clean, successful logins.

Quick troubleshooting

Problem | Likely reason | What to do
Locked out of SSH | Settings applied before testing | Use the VPS panel web console to fix /etc/ssh/sshd_config, then restart SSH
Key not accepted | Wrong user, or ~/.ssh permissions | Use the correct username and check the key was copied; fix ~/.ssh permissions
Can’t connect after port change | New port blocked by firewall | Open the new port (e.g. ufw allow 2222/tcp) and connect with -p 2222

Final checklist

  • SSH key pair created and public key copied to the server.
  • Password login turned off.
  • Root login turned off.
  • New login tested in a second terminal before closing the first.
  • Firewall updated if the port was changed.

FAQ

Can I follow this without much experience?

Yes — just go slowly and keep your current terminal open until a fresh login works. If you are not comfortable using SSH, ask your provider’s support to set it up, or use managed hosting.

Will hardening SSH improve my Google ranking?

Not directly. Good security keeps your site online and trustworthy, which supports SEO, but your content and backlinks are what actually decide your ranking.

What should I send to support if I get locked out?

Send your server IP, your username, the exact error from your SSH attempt, whether you changed the port, and the last change you made to /etc/ssh/sshd_config.
