# Secure Shell (SSH)

SSH (Secure Shell) is a cryptographic network protocol for secure remote access to systems over untrusted networks. It replaced insecure protocols like Telnet and rsh by encrypting all traffic, authenticating both server and client, and protecting against eavesdropping and man-in-the-middle attacks. OpenSSH is the dominant implementation, installed by default on virtually every Linux server.

Authentication can use passwords or, preferably, key pairs. With key-based authentication, you generate a public/private keypair, place the public key on the server, and authenticate by proving possession of the private key—no password transmitted. This is both more secure and more convenient. Best practices include disabling password authentication entirely, disabling root login, and using tools like [[Fail2Ban]] to block brute-force attempts.

Beyond remote shells, SSH enables secure file transfer ([[Secure Copy Protocol (SCP)]], SFTP), port forwarding (tunneling traffic through encrypted connections), and jump hosts (proxying through intermediate servers). It's the foundation of secure server administration and a building block for tools like Git (SSH transport), Ansible, and rsync. For [[Self-hosting]], hardening SSH is the first line of defense.

## Related

- [[Fail2Ban]]
- [[Self-hosting]]
- [[Linux]]
- [[Zero Trust Security]]
- [[OpenSSH]]
- [[Termius]]
- [[Secure Copy Protocol (SCP)]]

## References

- https://www.openssh.com/
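
## Example: auditing sshd_config

The two hardening practices named above (disabling password authentication and disabling root login) can be checked mechanically. This is an added example, not part of the original note or of OpenSSH; the `audit` function, the sample configuration and the finding format are assumptions made for illustration, and the defaults are upstream OpenSSH's (distributions may ship different ones).

```python
import re

# Upstream OpenSSH defaults used when a keyword is absent (assumed; distros may differ).
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}
# Values this audit accepts as hardened, per the best practices on this page.
HARDENED = {"passwordauthentication": {"no"}, "permitrootlogin": {"no"}}

# Constructed sample, not taken from a real host.
SAMPLE = """\
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""


def audit(config_text):
    """Return a list of findings; an empty list means both settings are hardened.

    Include directives are not expanded, and any weak value inside a Match
    block is reported, since it re-enables the setting for matching logins.
    """
    global_vals, findings, match_ctx = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument may be separated by whitespace or "=".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match_ctx = arg  # following lines apply only to this Match block
            continue
        if key not in HARDENED:
            continue
        value = arg.split()[0].lower() if arg else ""
        if match_ctx is None:
            # sshd uses the first value obtained for a keyword; later ones are ignored.
            global_vals.setdefault(key, value)
        elif value not in HARDENED[key]:
            findings.append(f"Match {match_ctx}: {key} {value}")
    for key, accepted in HARDENED.items():
        value = global_vals.get(key, DEFAULTS[key])
        if value not in accepted:
            findings.append(f"global: {key} {value}")
    return findings
```

In the sample, the second `PasswordAuthentication no` has no effect because the earlier `yes` wins, which is the kind of mistake a quick read of the file misses. Feeding the function the output of `sshd -T` instead of the file audits the configuration sshd actually resolved, including any `Include` files.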