Cloudflare Zero Trust + Tunnel
This guide configures SSH access through Cloudflare Zero Trust and cloudflared so that your server does not expose SSH publicly on 22/tcp.
Create New User Sudo
Creating a dedicated, non-root administrator account and granting it sudo privileges is a standard Linux hardening step. It reduces reliance on the root account, improves accountability (actions are attributable to a specific user), and supports safer day-to-day operations by requiring explicit privilege elevation.
SSH Key login only
SSH key login only means configuring OpenSSH so that users can authenticate using public key cryptography and cannot authenticate using passwords or interactive challenge methods. This is one of the most effective SSH hardening steps because it removes an entire class of brute-force and credential-stuffing attacks against password authentication.
Disable Root SSH Login
Disabling direct SSH login for the root account forces administrators to authenticate as an unprivileged user first and then elevate privileges with sudo. This reduces the impact of brute-force attempts, improves auditability, and lowers the chance of catastrophic mistakes during routine operations.
Change SSH Port
Changing the SSH port moves the SSH daemon (sshd) from the default TCP port 22 to a different port (for example 2581 or 2222). This reduces background noise from automated scanners and brute-force attempts that primarily target port 22, while keeping SSH available for legitimate administration.
SSH Login Notification
SSH login notifications add a real-time signal to your server's security posture: when a successful SSH session opens, the server sends an alert containing the account name, source IP, hostname, and timestamp. This helps with rapid detection of unexpected access, auditing of legitimate admin activity, and faster incident response.