Use a normal user for administration and keep sudo access tight.
sudo adduser admin
sudo usermod -aG sudo admin
getent group sudo
Review sudo rules:
sudo visudo
ls -la /etc/sudoers.d
Edit /etc/ssh/sshd_config and prefer key-based auth.
Example baseline (adjust to your environment):
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2
Validate and reload:
sudo sshd -t
sudo systemctl reload ssh
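sshd -t only confirms that the configuration parses; it does not show which values are in effect, and because sshd keeps the first value it obtains for each keyword, a file included ahead of your edits can override them. The script below is an added example, not part of the original page: it compares the effective configuration printed by sshd -T against the baseline above (the helper names and the sample output are constructed for illustration).

```shell
#!/bin/sh
# Baseline from this page, written the way `sshd -T` prints it
# (lowercase keyword, one space, value).
BASELINE='permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
x11forwarding no
allowtcpforwarding no
maxauthtries 3
logingracetime 30
clientaliveinterval 300
clientalivecountmax 2'

# audit_sshd_baseline (hypothetical helper): reads effective config on stdin,
# prints one line per deviation, returns 0 when everything matches, else 1.
audit_sshd_baseline() {
    BASELINE="$BASELINE" awk '
        BEGIN {
            n = split(ENVIRON["BASELINE"], line, "\n")
            for (i = 1; i <= n; i++) { split(line[i], kv, " "); want[kv[1]] = kv[2] }
        }
        {   # sshd keeps the first value it obtains for a keyword; do the same.
            key = tolower($1)
            if ((key in want) && !(key in got)) got[key] = tolower($2)
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                split(line[i], kv, " "); k = kv[1]
                if (!(k in got)) { printf "MISSING %s (want %s)\n", k, want[k]; bad = 1 }
                else if (got[k] != want[k]) { printf "DRIFT %s is %s (want %s)\n", k, got[k], want[k]; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample of `sshd -T` output (not captured from a real host).
sample_effective() {
    cat <<'EOF'
port 22
permitrootlogin no
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
x11forwarding no
allowtcpforwarding no
maxauthtries 6
logingracetime 30
clientaliveinterval 300
clientalivecountmax 2
EOF
}

# On a host: sudo sshd -T | audit_sshd_baseline
```

Run it after every reload; a non-zero exit status means at least one baseline setting is not the one sshd is actually using.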
Notes:
ssh.
sudo apt install fail2ban
sudo systemctl enable --now fail2ban
Minimal jail override for SSH:
Create /etc/fail2ban/jail.d/sshd.local:
[sshd]
enabled = true
maxretry = 5
findtime = 10m
bantime = 1h
Apply:
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd
If you need 2FA, prefer doing it only after SSH keys are stable and you have console access in case you lock yourself out.
sudo apt install libpam-google-authenticator
google-authenticator
One common pattern is to require publickey plus keyboard-interactive:
sshd_config: enable keyboard-interactive and set AuthenticationMethods.
/etc/pam.d/sshd: add pam_google_authenticator.so.
Because 2FA setups differ widely (users, automation, break-glass access), validate this change on a non-production host first.