
SSH (Secure Shell) is one of the most important tools for Linux system administrators and developers, as it allows you to securely log in to remote machines, run command-line programs, manage files, transfer data, forward ports, and even run GUI apps remotely.
But here’s the catch → using SSH with default settings isn’t always safe, because hackers constantly scan the internet for open SSH ports and weak logins. That’s why learning how to properly configure and secure SSH is a must.
In this guide, we’ll cover essential SSH configurations and security tips every Linux beginner should know to keep their servers secure, efficient, and running smoothly.
1. How to Change the Default SSH Port Number
By default, SSH listens on port 22
, which makes it a common target for automated bot attacks. One simple way to reduce such attacks is by changing SSH to a non-standard port.
To do this, open the SSH configuration file with a text editor:
sudo nano /etc/ssh/sshd_config
Look for the line that says:
#Port 22
Uncomment it (remove the #
) and change it to a custom port number, for example:
Port 2200
After saving the file, restart the SSH service to apply the changes:
sudo systemctl restart sshd
Important: Don’t forget to update your firewall rules to allow traffic on the new port.
------------------ On FirewallD ------------------ sudo firewall-cmd --permanent --zone=public --add-port=2200/tcp sudo firewall-cmd --reload ------------------ On UFW ------------------ sudo ufw allow 2200/tcp
2. How to Disable Root SSH Login
Allowing direct root login over SSH is risky because it gives attackers a single target for brute-force attacks. A safer approach is to log in as a normal user and then use sudo
for administrative tasks.
To disable root login, find the following line in your SSH configuration file.
PermitRootLogin yes
and change it to:
PermitRootLogin no
Save the file and restart the SSH service to apply the change:
sudo systemctl restart sshd
3. How to Log in to a Linux Server Without an SSH Password
Password-based SSH logins can be convenient but are less secure and can be cumbersome for repeated access.
A safer and more efficient approach is SSH key-based authentication, which allows you to log in without entering a password.
First, generate a pair of SSH keys on your local machine:
ssh-keygen -t rsa -b 4096
Next, copy your public key to the remote server:
ssh-copy-id user@remote-server
Once the key is installed, you can log in to the server without a password:
ssh user@remote-server
4. How to Allow Only Specific Users to SSH on Linux
To improve SSH security, you can restrict access so that only certain users or groups can log in, which is useful for preventing unauthorized accounts from attempting SSH connections.
To allow specific users, add the following line to your SSH configuration file.
AllowUsers alice bob
Or, to allow entire groups, use:
AllowGroups admins devops
After making these changes, restart the SSH service:
sudo systemctl restart sshd
From now on, only the specified users (alice
and bob
) or groups (admins
and devops
) will be able to log in via SSH, helping to tighten server security.
5. How to Show a Welcome or Warning Message on SSH Login
Displaying a message when users log in via SSH can be useful for welcoming users or showing legal/security warnings.
One simple option is to edit the Message of the Day (MOTD) file:
sudo nano /etc/motd
For a more formal or legal warning, you can create a banner in /etc/issue.net
:
sudo nano /etc/issue.net
Then, tell SSH to display this banner by adding or editing the following line in the SSH configuration file:
Banner /etc/issue.net
Finally, restart the SSH service to apply the changes:
sudo systemctl restart sshd
Now, whenever someone logs in via SSH, they will see your custom welcome or warning message.
6. How to Trace Failed SSH Login Attempts
Monitoring failed SSH login attempts is essential for detecting unauthorized access attempts and improving server security.
On Debian-based distributions, you can check the logs with:
sudo grep "Failed password" /var/log/auth.log
On RHEL-based distributions, use:
sudo grep "Failed password" /var/log/secure
For real-time monitoring of SSH login activity, you can use the journalctl command:
sudo journalctl -u sshd -f
7. How to Restrict SSH Access by IP Address in Linux
Restricting SSH access to specific IP addresses adds an extra layer of security by allowing only trusted machines to connect.
You can configure this directly in the SSH configuration file by specifying a user and their allowed IP address:
AllowUsers [email protected]
Alternatively, you can enforce IP restrictions at the firewall level. For example, with UFW, allow access only from a specific IP address to port 22
:
------------------ On FirewallD ------------------ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="22" accept' sudo firewall-cmd --reload ------------------ On UFW ------------------ sudo ufw allow from 192.168.1.100 to any port 22
8. How to Set Idle Timeout for SSH Sessions
Idle SSH sessions can pose a security risk if a user forgets to log out, leaving the connection open for potential misuse.
You can automatically disconnect inactive sessions by setting an idle timeout in the SSH configuration file.
ClientAliveInterval 300 ClientAliveCountMax 0
ClientAliveInterval 300
→ Sends a “keep-alive” message every 300 seconds (5 minutes).ClientAliveCountMax 0
→ Disconnects the session if no response is received.
With these settings, any idle SSH session will automatically terminate after 5 minutes, reducing the risk of unattended open sessions.
9. How to Enable Two-Factor Authentication (2FA) for SSH Login
Adding two-factor authentication (2FA) to SSH significantly increases security by requiring a second verification step in addition to your password.
On Debian/Ubuntu systems, you can use Google Authenticator.
sudo apt install libpam-google-authenticator
Then, set up 2FA for your user account by running:
google-authenticator
Next, enable the PAM module for SSH by editing:
sudo nano /etc/pam.d/sshd
Add the following line:
auth required pam_google_authenticator.so
Finally, allow challenge-response authentication in the SSH configuration file:
ChallengeResponseAuthentication yes
Restart the SSH service to apply the changes:
sudo systemctl restart sshd
Now, each SSH login will require both your password and a time-based verification code, greatly improving your server’s security.
10. How to Limit SSH Connections with Fail2ban
Fail2ban is a powerful tool that helps protect your server from brute-force attacks by temporarily banning IP addresses that fail login attempts multiple times.
To set it up, first install Fail2ban on Debian/Ubuntu systems:
sudo apt install fail2ban
Next, enable the SSH jail by creating or editing the local configuration file:
sudo nano /etc/fail2ban/jail.local
Add the following lines to configure protection for SSH:
[sshd] enabled = true port = ssh maxretry = 3
Finally, restart Fail2ban to apply the changes:
sudo systemctl restart fail2ban
With Fail2ban enabled, repeated failed login attempts will automatically trigger temporary bans, greatly reducing the risk of brute-force attacks.
11. How to Configure Key-Based SSH Authentication in Linux
Key-based authentication is a secure method to log in to SSH without using passwords. It relies on a cryptographic key pair, making brute-force attacks nearly impossible.
First, generate a key pair on your local machine using the modern and secure Ed25519 algorithm is recommended:
ssh-keygen -t ed25519
Next, copy your public key to the remote server:
ssh-copy-id user@server
Once key-based authentication is working, you can further improve security by disabling password logins in the SSH configuration file.
PasswordAuthentication no
Restart the SSH service to apply the change:
sudo systemctl restart sshd
After this, only users with the correct private key can log in, providing a strong layer of protection against unauthorized access.
12. How to Allow or Deny SSH Access Using hosts.allow and hosts.deny
Linux provides a simple way to control access to services using TCP wrappers, which rely on the /etc/hosts.allow
and /etc/hosts.deny
files.
First, allow trusted IPs in /etc/hosts.allow
:
sshd: 192.168.1.100
Then, deny all other IPs by editing /etc/hosts.deny
:
sshd: ALL
With this setup, only the IP address 192.168.1.100
can connect via SSH, while all other attempts are blocked.
13. How to Check and Monitor Active SSH Sessions on Linux
Monitoring active SSH sessions helps you keep track of who is logged in and detect any unauthorized access. To see a list of currently logged-in users, you can use simple commands like:
who OR w
If you need to terminate a specific user’s session, you can use pkill
with their username:
sudo pkill -u username
Regularly checking active sessions ensures you have control over who is connected to your server and helps maintain security.
14. How to Set Up SSH Tunneling (Port Forwarding) on Linux
SSH tunneling, or port forwarding, allows you to securely route network traffic from your local machine to a remote server, which is useful for accessing services behind a firewall or encrypting otherwise insecure connections.
For local port forwarding, you can forward a port on your local machine to a port on the remote server.
ssh -L 8080:localhost:80 user@remote-server
8080
→ The local port on your machine.localhost:80
→ The destination on the remote server.user@remote-server
→ Your SSH login credentials.
After running this command, any traffic sent to localhost:8080
on your local machine will be securely forwarded to port 80
on the remote server.
15. How to Enable Verbose Logging for SSH Troubleshooting
When troubleshooting SSH connection issues, detailed logs can help identify the root cause, such as authentication problems or network delays. SSH provides a built-in verbose mode that shows step-by-step information about the connection process.
To enable verbose logging, simply run:
ssh -vvv user@server
- The
-vvv
flag increases the verbosity level, providing comprehensive details about each stage of the SSH connection. - You can also use fewer vs (
-v
or-vv
) for less detailed output.
Verbose mode is invaluable for diagnosing SSH problems, helping you quickly pinpoint configuration errors, network issues, or authentication failures.
16. How to Secure SSH with Strong Ciphers and Protocols
Securing SSH connections involves ensuring that only strong encryption algorithms and protocols are used. By default, SSH supports multiple protocols and ciphers, some of which are outdated and vulnerable.
You can harden your SSH server by explicitly specifying secure options in the configuration file:
Protocol 2 Ciphers aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512,hmac-sha2-256 KexAlgorithms [email protected]
- Protocol 2 → Ensures only the secure SSHv2 protocol is used.
- Ciphers → Specifies strong encryption algorithms for data transfer.
- MACs → Sets secure message authentication codes to verify data integrity.
- KexAlgorithms → Chooses secure key exchange algorithms.
After making these changes, restart SSH to apply them:
sudo systemctl restart sshd
17. How to Limit SSH Access to a Specific Port Range
Restricting SSH access to a specific port range adds another layer of security by controlling which ports are allowed for connections, which can help reduce exposure to automated attacks on unused ports.
On systems using UFW (Uncomplicated Firewall), you can allow a range of ports with the following command:
sudo ufw allow 1024:1040/tcp
For FirewallD users, the equivalent would be:
sudo firewall-cmd --permanent --add-port=1024-1040/tcp sudo firewall-cmd --reload
This configuration permits SSH connections only on ports 1024
to 1040
, blocking access on all other ports.
18. How to Change SSH Connection Timeout in Linux
Limiting the time SSH waits for a user to log in helps prevent brute-force attacks and reduces the window for unauthorized access attempts, which can be configured using the LoginGraceTime
setting in the SSH server configuration file.
Add or modify the following line, which will set the maximum time (in seconds) SSH will wait for a successful login before disconnecting.
LoginGraceTime 30
After saving the file, restart the SSH service to apply the change:
sudo systemctl restart sshd
19. How to Enable SSH Compression for Faster Connections
Enabling compression in SSH can improve connection speed, especially when transferring large amounts of data over slower networks. SSH can compress data before sending it, reducing the amount of traffic sent over the network.
To use compression on a per-connection basis, simply add the -C
flag when connecting:
ssh -C user@server
For a permanent solution, you can enable compression in the SSH client configuration file.
Compression yes
Once enabled, SSH will automatically compress data for all connections, making transfers faster while still maintaining encryption and security.
20. How to Configure SSH Aliases for Easier Access
Managing multiple SSH connections can be cumbersome if you have to remember IP addresses, ports, and usernames for each server. Using SSH aliases simplifies this process by allowing you to create shortcuts for frequently accessed servers.
To set up an alias, edit your SSH client configuration file and add an entry like this:
Host myserver HostName 192.168.1.50 User alice Port 2200
After saving the file, you can connect simply by running:
ssh myserver
21. How to Forward GUI Applications Over SSH (X11 Forwarding)
SSH can do more than just command-line access; it can also forward graphical applications from a remote server to your local machine using X11 forwarding, which allows you to run GUI apps on the server as if they were running locally.
To enable X11 forwarding, connect with the -X
option:
ssh -X user@server
Once connected, you can launch GUI applications, such as:
gedit
The application’s window will appear on your local machine, while all processing happens on the remote server.
Tip: Ensure X11 forwarding is allowed in the SSH server configuration file.
X11Forwarding yes
Final Thoughts
SSH is an essential tool for anyone managing Linux servers, and using it correctly can make your work both easier and more secure.
By following the tips in this guide, you can protect your servers from unauthorized access, simplify your logins with key-based authentication and aliases, and monitor activity with tools like fail2ban and session timeouts.
Start with the basics, such as changing the default port, disabling root login, and setting up key-based login, and then gradually explore advanced features like two-factor authentication, SSH tunneling, and verbose logging.
Mastering these practices will help you manage servers efficiently, stay safe from attacks, and work like a confident Linux administrator.