SSH Keys, VPS Security & Server Hardening

Your server is on the internet 24/7. Here's how to make sure only you can get in.

The Simple Version

Imagine you rent a small office in a building downtown. It's yours, but it's in a shared building — anyone can walk up to the door. You need a lock.

A password is like a combination lock. Anyone who guesses the right numbers can get in. And people are trying — thousands of times a day, automatically.

An SSH key is more like a special two-part key system. You have a private key that never leaves your pocket, and a matching lock (the public key) installed on your office door. Only your key opens that lock. Nobody can guess it, copy it, or brute-force it.

Password
  Avg crack time: ~2 hours
  Can be guessed: Yes
  Can be phished: Yes

SSH Key (Ed25519)
  Crack time: Heat death of universe
  Can be guessed: No
  Can be phished: No

A VPS (Virtual Private Server) is that rented office. It's a computer sitting in a data center somewhere — always on, always connected. And because it's always online, people are constantly rattling the doorknob.

Server hardening is everything you do beyond just having a good lock: removing the doorbell so strangers can't ring it, boarding up windows you don't use, and telling building security to only let in people who show the right key — no exceptions.

How SSH Key Authentication Works

1. Your Mac: ssh my-server
   SSH reads ~/.ssh/config, finds the host alias, resolves it to your server's IP and connects as root.
2. Keychain: Passphrase unlocked automatically
   macOS Keychain decrypts your private key using the stored passphrase. No typing needed, because it's locked behind your Mac login.
3. Network: Challenge-response handshake
   Server sends a random challenge. Your private key signs it. The server verifies the signature using the public key. The private key never leaves your machine; it only proves that you hold it.
4. Server: Access granted
   Signature checks out. You're in. No password was ever transmitted over the network.

How It Actually Works

SSH Keys: The Math Behind the Magic

When you run ssh-keygen, your computer creates two files:

When you connect, the server sends a challenge that only your private key can answer. The private key never travels over the network; it only proves that you hold it. The algorithm (Ed25519) is based on elliptic curve cryptography, and cracking it would take longer than the age of the universe.

You protect the private key with a passphrase — a password that encrypts the key file itself. On macOS, you store this in Keychain so you don't type it every time.

Three Layers of Protection

Private Key File: ~/.ssh/id_ed25519
The actual cryptographic key. 256-bit Ed25519. Lives only on your disk. If someone steals this file, they still need the passphrase to use it.

Passphrase: Encrypts the key file
A password that encrypts the private key at rest. Without it, the key file is useless gibberish. Choose something long and memorable, because it's your last line of defense.

macOS Keychain: Stores passphrase securely
Apple's encrypted credential store. Locked behind your Mac login password and the Secure Enclave chip. Unlocks the passphrase automatically so you don't type it every time.

Your SSH Config: Shortcuts

Instead of typing ssh root@203.0.113.10 every time, set up ~/.ssh/config:

Host my-server
  HostName 203.0.113.10
  User root

Host *
  UseKeychain yes
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_ed25519

Now ssh my-server does the same thing. The wildcard Host * block applies your key and Keychain settings to all connections.

Server Hardening: Locking Down the Doors

Once your key is in place, harden the server by editing /etc/ssh/sshd_config:

# Block all password login attempts
PasswordAuthentication no

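# Root can only log in with a key
# (without-password is the deprecated alias of prohibit-password, the name current OpenSSH documents)
PermitRootLogin without-password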

Then restart SSH:

systemctl restart ssh

Watch for override files. Cloud providers drop configs into /etc/ssh/sshd_config.d/ that can silently re-enable password auth. Always check:

grep -r 'PasswordAuthentication' /etc/ssh/sshd_config.d/
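
An added example (not from the original page) of why the override check matters: sshd keeps the first value it reads for each keyword, so a drop-in pulled in by an Include line at the top of sshd_config beats a PasswordAuthentication no further down. The function names, the sample files and the drop-in name 50-provider.conf are constructed for illustration, and the sketch assumes absolute Include patterns and looks only at global settings (it stops at the first Match block).

```shell
# Added example: find which file decides an sshd keyword (first value wins).
TAB=$(printf '\t')

# flatten FILE: print "file<TAB>keyword value" in the order sshd reads them.
# Assumptions: absolute Include patterns; global settings only (stops at Match).
flatten() {
  while read -r word rest || [ -n "$word" ]; do
    case $word in
      ''|'#'*) ;;
      [Mm][Aa][Tt][Cc][Hh]) break ;;
      [Ii][Nn][Cc][Ll][Uu][Dd][Ee])
        for inc in $rest; do            # unquoted on purpose: expands the glob
          if [ -f "$inc" ]; then (flatten "$inc"); fi
        done ;;
      *) printf '%s\t%s %s\n' "$1" "$word" "$rest" ;;
    esac
  done < "$1"
}

# effective KEYWORD FILE: print "value<TAB>deciding-file" (first match wins).
effective() {
  flatten "$2" | awk -F '\t' -v k="$1" '
    { split($2, f, " ") }
    !hit && tolower(f[1]) == tolower(k) { print tolower(f[2]) "\t" $1; hit = 1 }'
}

# audit FILE: return 0 only if both settings from the page are explicitly set.
audit() {
  rc=0
  pa=$(effective PasswordAuthentication "$1")
  rl=$(effective PermitRootLogin "$1")
  case ${pa%%"$TAB"*} in no) ;; *) echo "WEAK PasswordAuthentication: ${pa:-unset}"; rc=1 ;; esac
  case ${rl%%"$TAB"*} in without-password|prohibit-password|no) ;;
    *) echo "WEAK PermitRootLogin: ${rl:-unset}"; rc=1 ;; esac
  return $rc
}

# Constructed sample: main file hardened as on the page, plus a drop-in that
# re-enables passwords (50-provider.conf is a made-up name).
make_sample() {
  mkdir -p "$1/sshd_config.d"
  printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-provider.conf"
  printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\nPermitRootLogin without-password\n' \
    "$1" > "$1/sshd_config"
}

d=$(mktemp -d); make_sample "$d"
audit "$d/sshd_config" || echo "a drop-in overrides the main file"
rm -rf "$d"
```

On a real server, `sshd -T` (run as root) prints the configuration sshd will actually use, and `sshd -t` checks the files for errors before you restart.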

What Happens When Attackers Try

$ ssh root@your-server (password: admin123)
Permission denied (publickey).
$ ssh root@your-server (password: root)
Permission denied (publickey).
$ ssh root@your-server (password: P@ssw0rd!)
Permission denied (publickey).

Server doesn't even accept passwords.
They can try forever. It won't matter.

Hardening Checklist

- PasswordAuthentication no: Blocks all brute-force attacks
- PermitRootLogin without-password: Root via key only
- Check sshd_config.d/: Cloud-init can override your settings
- Restart SSH after changes: systemctl restart ssh

Key Takeaways