How to Securely Access My Server with SSH and RDP

Comprehensive guide to securing remote access protocols (SSH for Linux, RDP for Windows) against brute-force attacks and unauthorized access.

General Security Principles

  1. Least Privilege: Only allow access to users who need it.
  2. Reduce Attack Surface: Don't expose ports to the entire internet if not necessary.
  3. Strong Authentication: Use Keys/Certificates instead of passwords.
  4. Monitoring: Use tools like Fail2Ban.

Securing SSH (Linux)

1. Disable Root Login

Never allow direct root login.

Edit /etc/ssh/sshd_config:

PermitRootLogin no

2. Use SSH Keys (Disable Passwords)

Password authentication is vulnerable to brute force.

Generate Key (On Client):

ssh-keygen -t ed25519

Copy Key to Server:

ssh-copy-id user@server_ip

Disable Password Auth (On Server): Edit /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes

3. Change Default Port (Obfuscation)

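Change port 22 to something else (e.g., 2222) to avoid mass scanners. This only hides the service from scans of the default port; it does not replace the key-based authentication above.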

Edit /etc/ssh/sshd_config:

Port 2222

Don't forget to update your firewall (UFW/IPTables)!
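
To check the sshd_config settings from steps 1 to 3 after editing, the script below is an added example and not part of the original guide. The function names and the sample config are constructed for illustration; it reads only the global section of one file and reports the value sshd would apply for each keyword.

```shell
# Added example (not from the original guide). Assumes plain "Keyword value"
# lines; Include files are not followed and Match blocks are not evaluated.

# First global value of keyword $1 in file $2, else sshd's default $3.
# sshd keeps the first value it reads, so an early "yes" beats a later "no".
effective_value() {
  awk -v key="$1" -v def="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comment or blank
    tolower($1) == "match"   { exit }              # global section ends
    tolower($1) == key       { val = tolower($2); exit }
    END { print (val == "" ? def : val) }' "$2"
}

# Port may be repeated; sshd listens on every port listed (default 22).
listen_ports() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "match"   { exit }
    tolower($1) == "port"    { ports = (ports == "" ? "" : ports " ") $2 }
    END { print (ports == "" ? "22" : ports) }' "$1"
}

# Print one line per check from steps 1-3; return the number of failures.
audit_sshd_config() {
  local f="$1" fails=0 name want def got
  while read -r name want def; do
    got=$(effective_value "$name" "$f" "$def")
    if [ "$got" = "$want" ]; then echo "PASS $name=$got"
    else echo "FAIL $name=$got (want $want)"; fails=$((fails + 1)); fi
  done <<'EOF'
permitrootlogin no prohibit-password
passwordauthentication no yes
pubkeyauthentication yes yes
EOF
  case " $(listen_ports "$f") " in *" 22 "*) echo "NOTE still listening on default port 22" ;; esac
  return "$fails"
}

# Constructed sample config, not taken from a real server.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample" || echo "failed checks: $?"
```

On the server, point it at /etc/ssh/sshd_config; `sudo sshd -T` prints the configuration sshd itself would apply, including Include files.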

4. Install Fail2Ban

Automatically bans IPs that fail login multiple times.

sudo apt install fail2ban

(See full Fail2Ban manual for configuration).

Securing RDP (Windows)

RDP (Port 3389) is a massive target for ransomware. Never expose standard RDP directly to the internet.

1. Use a VPN (Best Method)

Instead of opening port 3389:

  1. Set up a VPN Server (WireGuard, OpenVPN, or Tailscale).
  2. Connect to VPN.
  3. RDP to the local IP (e.g., 192.168.1.50).

Why? VPNs are much harder to hack than RDP login screens.

2. SSH Tunneling (Alternative to VPN)

If you have an SSH server on the network:

  1. Create SSH Tunnel (Client):

    ssh -L 33389:192.168.1.50:3389 user@ssh_server

  2. Connect RDP to localhost:33389.

3. Network Level Authentication (NLA)

Ensure NLA is enabled. This requires authentication before the session starts.

  1. System Properties > Remote.
  2. Check "Allow connections only from computers running Remote Desktop with Network Level Authentication".

4. IP Allow-Listing (Firewall)

If you MUST expose RDP, restrict to specific source IPs.

  1. Windows Defender Firewall > Advanced Settings.
  2. Inbound Rules > Remote Desktop - User Mode (TCP-In).
  3. Properties > Scope > Remote IP Address.
  4. Add only your office/home static IP.

5. RDPGuard / IPBan

Install software similar to Fail2Ban for Windows to block brute-force attempts.
