Securing SSH on Arch Linux: A Step-by-Step Guide

This guide will walk you through the critical steps to harden your configuration, from changing the default port and disabling root access to enforcing secure, key-based authentication.

Lock down your remote connections and stop brute-force attacks.

What is SSH?

SSH, which stands for Secure Shell, is a popular network protocol that allows system administrators to safely manage and control Linux servers from a remote location. You can think of it as a secure, private tunnel built over a public, unsecured network like the internet. When you use SSH, you do not have to be physically located near the server to perform maintenance, install software, or fix issues.

The system relies on a "client-server" architecture to work. This means that an SSH server program runs on the remote machine you want to manage, while you use an SSH client program on your own computer to make the connection. Once connected, any text commands you type into your personal computer are instantly sent through the tunnel and executed directly on the remote server.

What makes SSH so important is its built-in security. Unlike older remote-access methods that send data in plain, readable text, SSH encrypts all traffic between your computer and the server, so your login sessions, passwords, and other data cannot be read by anyone eavesdropping on the network.

Prerequisites

  • A running Arch Linux server with internet access.
  • Root or sudo privileges.
  • A regular (non-root) user account for daily use (strongly recommended — never log in as root for normal operations).
  • Basic command-line knowledge.
  • Console access (via VPS panel, physical console, or out-of-band access) as a backup in case of lockout.

Important Safety Note:
Always test your SSH configuration changes thoroughly before disabling password authentication. Have console access ready. A single mistake can lock you out of the server.

Step 1: Update the System and Optimize Mirrors (Recommended)

Arch Linux mirrors can sometimes be slow or slightly outdated. Use Reflector to automatically select fast, up-to-date mirrors based on your location.
BASH
sudo pacman -Syu reflector   # Install reflector and fully update the system
Generate a fresh mirrorlist (this example selects mirrors in the United States; change --country to match your location):
BASH
sudo reflector --country "United States" --protocol https --latest 12 --sort rate --save /etc/pacman.d/mirrorlist
Refresh the package database and upgrade using the new mirrors:
BASH
sudo pacman -Syu
(Optional but recommended) Enable automatic weekly mirror updates:
BASH
sudo systemctl enable --now reflector.timer

Step 2: Install and Enable OpenSSH

BASH
sudo pacman -S openssh
sudo systemctl enable --now sshd
Check the service status:
BASH
systemctl status sshd

Step 3: Create a Dedicated SSH Group (Recommended)

Restricting logins by group is cleaner and more maintainable than listing individual accounts with AllowUsers: adding or removing a user is a single group change rather than a config edit and service restart.
BASH
sudo groupadd -r sshusers
sudo usermod -aG sshusers yourusername   # Replace "yourusername" with your actual username

Step 4: Configure Hardened SSH Settings

Modern OpenSSH on Arch supports clean drop-in configuration files in /etc/ssh/sshd_config.d/. Because the main /etc/ssh/sshd_config includes that directory and sshd uses the first value it reads for each directive, settings in a drop-in take precedence over the defaults and are left untouched when the package is updated. Before relying on this, check that your /etc/ssh/sshd_config still contains an Include line for that directory.
Create the hardening file:
BASH
sudo nano /etc/ssh/sshd_config.d/99-hardening.conf
Paste the following content (adjust Port and AllowGroups as needed):
BASH
# Hardened SSH configuration - Arch Linux best practices (2026)

# Change default port (optional but reduces automated scanning noise)
Port 2222

# Disable root login completely
PermitRootLogin no

# Restrict login to members of this group only
AllowGroups sshusers

# Enable key-based authentication
PubkeyAuthentication yes

# Disable password authentication. Leave this line commented out until
# key-based login has been tested (step 5); step 6 uncomments it. Applying it
# now would lock out password logins before your key is installed.
#PasswordAuthentication no

# Additional hardening options
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 20
ClientAliveInterval 300
ClientAliveCountMax 2

# Optional: Explicitly limit accepted key types (modern best practice)
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
Save and exit (Ctrl+O, Enter, Ctrl+X in nano).
Test the configuration (very important!):
BASH
sudo sshd -t
If no errors are shown, restart the SSH service:
BASH
sudo systemctl restart sshd

Step 5: Set Up SSH Key-Based Authentication (From Your Client Machine)

Do this step while you can still log in with a password.
On your local/client machine (laptop or desktop):
Generate a strong Ed25519 key (recommended in 2026):
BASH
ssh-keygen -t ed25519 -C "your-email@example.com"
Use a strong passphrase when prompted.
Copy the public key to the server (replace values accordingly):
BASH
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 yourusername@your-server-ip
If ssh-copy-id is not available, use this manual method:
BASH
cat ~/.ssh/id_ed25519.pub | ssh -p 2222 yourusername@your-server-ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"
Test key-based login from your client:
BASH
ssh -p 2222 yourusername@your-server-ip
It should connect without asking for a password (only your key passphrase if you set one).

Step 6: Disable Password Authentication (After Successful Key Test)

Once key login works reliably from your client, password authentication can be safely disabled. Open /etc/ssh/sshd_config.d/99-hardening.conf and confirm that the line PasswordAuthentication no is present and not commented out.
Restart the service again to apply any final changes:
BASH
sudo systemctl restart sshd

Additional Strong Recommendations
Firewall (restrict SSH access):
UFW is simple and works well on Arch. Install it, allow SSH only from your own IP address (or a trusted range), and enable the ufw service so the rules are loaded again at boot:
BASH
sudo pacman -S ufw
sudo systemctl enable --now ufw   # start ufw at boot (on Arch the service must be enabled separately)
sudo ufw allow from YOUR_CLIENT_IP to any port 2222 proto tcp   # replace YOUR_CLIENT_IP; use the port set in step 4
sudo ufw enable
sudo ufw status verbose
Fail2Ban (extra brute-force protection):
BASH
sudo pacman -S fail2ban
sudo systemctl enable --now fail2ban
Create a basic jail configuration if needed: edit /etc/fail2ban/jail.local (sudo nano /etc/fail2ban/jail.local) and add an [sshd] section. Make sure its port setting matches the port you chose in 99-hardening.conf, otherwise bans are applied to port 22 only (see the Fail2Ban documentation for details).
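As an added example (not from the original guide or the Fail2Ban project), the following script writes a jail.local suited to Arch and checks that the port the jail bans matches the Port directive in 99-hardening.conf. The backend = systemd and banaction = ufw settings assume journald logging and the UFW setup above.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate a minimal jail.local for
# the sshd jail on Arch and verify that the port it bans matches the sshd drop-in.
# A jail left at the default "port = ssh" blocks only 22 for a banned address.

# write_sshd_jail <output file> <ssh port>
write_sshd_jail() {
    cat > "$1" <<EOF
[DEFAULT]
# Arch logs to the systemd journal by default (there is no /var/log/auth.log)
backend = systemd
# Insert bans through ufw so they coexist with the firewall rules above
banaction = ufw
bantime  = 1h
findtime = 10m
maxretry = 3

[sshd]
enabled = true
# Must match Port in /etc/ssh/sshd_config.d/99-hardening.conf
port = $2
EOF
}

# sshd_port_from_config <sshd drop-in>: value of the Port directive, default 22
sshd_port_from_config() {
    _p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    printf '%s\n' "${_p:-22}"
}

# jail_port <jail.local>: the port= value inside the [sshd] section
jail_port() {
    awk '/^\[/ { in_sshd = ($0 == "[sshd]") }
         in_sshd && /^[ \t]*port[ \t]*=/ { sub(/^[ \t]*port[ \t]*=[ \t]*/, ""); print; exit }' "$1"
}

# check_jail_port <jail.local> <sshd drop-in>: returns 0 if the ports agree
check_jail_port() {
    _want=$(sshd_port_from_config "$2")
    _have=$(jail_port "$1")
    if [ "$_have" = "$_want" ]; then
        echo "OK: fail2ban sshd jail bans port $_have"
        return 0
    fi
    echo "WARNING: jail bans port ${_have:-unset} but sshd listens on $_want"
    return 1
}
```

On the server, as root, run write_sshd_jail /etc/fail2ban/jail.local 2222, then check_jail_port /etc/fail2ban/jail.local /etc/ssh/sshd_config.d/99-hardening.conf, and restart fail2ban.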
Other useful options (add to 99-hardening.conf if desired):
  • Banner /etc/issue.net (for a legal warning banner)
  • AllowTcpForwarding no (disable if you don't need port forwarding)
  • X11Forwarding no

Verification Commands

Check listening port and service:
BASH
sudo ss -tlnp | grep sshd   # sudo is needed: without it the process name of the root-owned socket is hidden and grep finds nothing
View effective (parsed) configuration:
BASH
sudo sshd -T | grep -E 'port|permitrootlogin|passwordauthentication|pubkeyauthentication|allowgroups'
Monitor SSH logs in real time:
BASH
journalctl -u sshd -f
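The grep above only displays the raw values. The following script, added here and not part of the original guide, turns the same sshd -T output into a pass/fail audit against the baseline from 99-hardening.conf in step 4 (the expected values are taken from that file; PubkeyAcceptedAlgorithms is left out because its printed form depends on the OpenSSH version).

```shell
#!/bin/sh
# Added example, not part of the original guide: compare the effective sshd
# configuration (the output of `sshd -T`) against the baseline set in
# 99-hardening.conf. `sshd -T` prints directive names in lowercase, one per line.

# Baseline, one "directive value" pair per line; constructed from the guide's file.
EXPECTED='port 2222
permitrootlogin no
allowgroups sshusers
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
maxauthtries 3
logingracetime 20
clientaliveinterval 300
clientalivecountmax 2'

# audit_sshd_config <sshd -T output>
# Prints one line per deviation; the return code is the number of deviations.
audit_sshd_config() {
    _effective=$1
    _failures=0
    while IFS=' ' read -r _key _want; do
        [ -n "$_key" ] || continue
        # Find the directive (case-insensitively) and keep everything after its name.
        _have=$(printf '%s\n' "$_effective" |
            awk -v k="$_key" 'tolower($1) == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ -z "$_have" ]; then
            printf 'MISSING  %s (expected %s)\n' "$_key" "$_want"
            _failures=$((_failures + 1))
        elif [ "$_have" != "$_want" ]; then
            printf 'MISMATCH %s is %s (expected %s)\n' "$_key" "$_have" "$_want"
            _failures=$((_failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$_failures"
}

# On the server (as root): audit_sshd_config "$(sshd -T)"; echo "deviations: $?"
```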