RSystems

Security · Networking

SSH

Also known as: Secure Shell

The standard protocol for encrypted remote command-line access to servers and network devices. Replaced Telnet and rlogin, which transmitted credentials in plaintext.

SSH creates an encrypted channel between your terminal and a remote device, letting you run commands, transfer files, and manage configuration as if you were physically at the console — but over any network, securely.

Authentication methods

Password authentication — a username and password, transmitted over the encrypted channel. Fine for convenience, weak for security — susceptible to brute-force attacks.

Key-based authentication — the more secure and preferred method. You generate a key pair: the private key stays on your machine, the public key is placed on the server. Authentication proves possession of the private key without ever transmitting it. Key-based auth is immune to password brute-forcing and is the right approach for any server exposed to the internet.

Key hardening steps

  • Disable root login over SSH. Log in as a regular user and use sudo if needed.
  • Disable password authentication once key-based auth is working. Until you do, the server still accepts password logins and remains exposed to brute-forcing.
  • Change the default port from 22 if desired — reduces automated scan noise, though it's not a real security control.
  • Restrict access by IP where possible — whitelist the IPs that should have SSH access.
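
A check for the first two steps above, as an added example that is not part of the original page: it reads sshd_config text and reports whether root login and password authentication are really off. The function names `effective_global` and `audit` and the sample file are made up for illustration; the code assumes whitespace-separated "Keyword value" lines and does not follow Include files.

```python
# Added example (not from the original page): audit sshd_config text for the
# root-login and password-authentication hardening steps.

# OpenSSH defaults that apply when a keyword is absent from the global section.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

def effective_global(config_text):
    """Return the global value sshd would use for each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        parts = line.split()
        keyword = parts[0].lower()        # keywords are case-insensitive
        if keyword == "match":
            break                         # lines after Match are conditional
        if keyword in DEFAULTS and len(parts) > 1:
            seen.setdefault(keyword, parts[1])   # first value read wins
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return a list of findings; an empty list means both steps are applied."""
    cfg = effective_global(config_text)
    findings = []
    if cfg["permitrootlogin"] != "no":
        findings.append("root login not fully disabled (PermitRootLogin %s)"
                        % cfg["permitrootlogin"])
    if cfg["passwordauthentication"] != "no":
        findings.append("password authentication still enabled")
    return findings

# Constructed sample: looks hardened at a glance, but the earlier "yes" wins
# and the root-login line only applies inside the Match block.
SAMPLE = """\
PasswordAuthentication yes
# hardening added later
PasswordAuthentication no
Match Address 203.0.113.0/24
    PermitRootLogin no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

On a live host, `sshd -T` prints the configuration the daemon will actually use, including any included files, and is the authoritative check.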

SSH tunneling is also worth knowing: SSH can forward arbitrary TCP ports through an encrypted tunnel, providing a lightweight VPN-like capability for specific services without a full VPN setup.