SSH is the front door to your VPS. Beyond using keys, a few extra settings in /etc/ssh/sshd_config tighten it further.

The essentials

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30

Limit who can log in

AllowUsers deploy admin

Only listed users can connect — a simple, powerful restriction.

Consider a non-default port

Moving SSH off port 22 (e.g. to 2222) won't stop a determined attacker but dramatically cuts automated scan noise in your logs. Remember to open the new port in your firewall first.

Modern ciphers

Prefer strong key exchange and ciphers, and disable weak legacy algorithms. Use Ed25519 keys, which are modern and fast.

Apply changes safely

sudo sshd -t                 # test config
sudo systemctl reload ssh

Keep an existing session open while you test, so a mistake never locks you out. Layered with fail2ban and a firewall, your SSH is now very hard to attack.