SSH (Secure Shell) is one of the most important tools for Linux system administrators and developers, as it allows you to securely log in to remote machines, run command-line programs, manage files, transfer data, forward ports, and even run GUI apps remotely.

But here’s the catch → using SSH with default settings isn’t always safe, because hackers constantly scan the internet for open SSH ports and weak logins. That’s why learning how to properly configure and secure SSH is a must.

In this guide, we’ll cover essential SSH configurations and security tips every Linux beginner should know to keep their servers secure, efficient, and running smoothly.

1. How to Change the Default SSH Port Number

By default, SSH listens on port 22, which makes it a common target for automated bot attacks. One simple way to reduce such attacks is by changing SSH to a non-standard port.

To do this, open the SSH configuration file with a text editor:

sudo nano /etc/ssh/sshd_config

Look for the line that says:

#Port 22

Uncomment it (remove the #) and change it to a custom port number, for example:

Port 2200

After saving the file, restart the SSH service to apply the changes:

sudo systemctl restart sshd

Important: Don’t forget to update your firewall rules to allow traffic on the new port.

------------------ On FirewallD ------------------ 
sudo firewall-cmd --permanent --zone=public --add-port=2200/tcp
sudo firewall-cmd --reload

------------------ On UFW ------------------
sudo ufw allow 2200/tcp

2. How to Disable Root SSH Login

Allowing direct root login over SSH is risky because it gives attackers a single target for brute-force attacks. A safer approach is to log in as a normal user and then use sudo for administrative tasks.

To disable root login, find the following line in your SSH configuration file.

PermitRootLogin yes

and change it to:

PermitRootLogin no

Save the file and restart the SSH service to apply the change:

sudo systemctl restart sshd

3. How to Log in to a Linux Server Without an SSH Password

Password-based SSH logins can be convenient but are less secure and can be cumbersome for repeated access.

A safer and more efficient approach is SSH key-based authentication, which allows you to log in without entering a password.

First, generate a pair of SSH keys on your local machine:

ssh-keygen -t rsa -b 4096

Next, copy your public key to the remote server:

ssh-copy-id user@remote-server

Once the key is installed, you can log in to the server without a password:

ssh user@remote-server

4. How to Allow Only Specific Users to SSH on Linux

To improve SSH security, you can restrict access so that only certain users or groups can log in, which is useful for preventing unauthorized accounts from attempting SSH connections.

To allow specific users, add the following line to your SSH configuration file.

AllowUsers alice bob

Or, to allow entire groups, use:

AllowGroups admins devops

After making these changes, restart the SSH service:

sudo systemctl restart sshd

From now on, only the specified users (alice and bob) or groups (admins and devops) will be able to log in via SSH, helping to tighten server security.

5. How to Show a Welcome or Warning Message on SSH Login

Displaying a message when users log in via SSH can be useful for welcoming users or showing legal/security warnings.

One simple option is to edit the Message of the Day (MOTD) file:

sudo nano /etc/motd

For a more formal or legal warning, you can create a banner in /etc/issue.net:

sudo nano /etc/issue.net

Then, tell SSH to display this banner by adding or editing the following line in the SSH configuration file:

Banner /etc/issue.net

Finally, restart the SSH service to apply the changes:

sudo systemctl restart sshd

Now, whenever someone logs in via SSH, they will see your custom welcome or warning message.

6. How to Trace Failed SSH Login Attempts

Monitoring failed SSH login attempts is essential for detecting unauthorized access attempts and improving server security.

On Debian-based distributions, you can check the logs with:

sudo grep "Failed password" /var/log/auth.log

On RHEL-based distributions, use:

sudo grep "Failed password" /var/log/secure

For real-time monitoring of SSH login activity, you can use the journalctl command:

sudo journalctl -u sshd -f

7. How to Restrict SSH Access by IP Address in Linux

Restricting SSH access to specific IP addresses adds an extra layer of security by allowing only trusted machines to connect.

You can configure this directly in the SSH configuration file by specifying a user and their allowed IP address:

AllowUsers [email protected]

Alternatively, you can enforce IP restrictions at the firewall level. For example, with UFW, allow access only from a specific IP address to port 22:

------------------ On FirewallD ------------------ 
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="22" accept'
sudo firewall-cmd --reload

------------------ On UFW ------------------ 
sudo ufw allow from 192.168.1.100 to any port 22

8. How to Set Idle Timeout for SSH Sessions

Idle SSH sessions can pose a security risk if a user forgets to log out, leaving the connection open for potential misuse.

You can automatically disconnect inactive sessions by setting an idle timeout in the SSH configuration file.

ClientAliveInterval 300
ClientAliveCountMax 0
  • ClientAliveInterval 300 → Sends a “keep-alive” message every 300 seconds (5 minutes).
  • ClientAliveCountMax 0 → Disconnects the session if no response is received.

With these settings, any idle SSH session will automatically terminate after 5 minutes, reducing the risk of unattended open sessions.

9. How to Enable Two-Factor Authentication (2FA) for SSH Login

Adding two-factor authentication (2FA) to SSH significantly increases security by requiring a second verification step in addition to your password.

On Debian/Ubuntu systems, you can use Google Authenticator.

sudo apt install libpam-google-authenticator

Then, set up 2FA for your user account by running:

google-authenticator

Next, enable the PAM module for SSH by editing:

sudo nano /etc/pam.d/sshd

Add the following line:

auth required pam_google_authenticator.so

Finally, allow challenge-response authentication in the SSH configuration file:

ChallengeResponseAuthentication yes

Restart the SSH service to apply the changes:

sudo systemctl restart sshd

Now, each SSH login will require both your password and a time-based verification code, greatly improving your server’s security.

10. How to Limit SSH Connections with Fail2ban

Fail2ban is a powerful tool that helps protect your server from brute-force attacks by temporarily banning IP addresses that fail login attempts multiple times.

To set it up, first install Fail2ban on Debian/Ubuntu systems:

sudo apt install fail2ban

Next, enable the SSH jail by creating or editing the local configuration file:

sudo nano /etc/fail2ban/jail.local

Add the following lines to configure protection for SSH:

[sshd]
enabled = true
port = ssh
maxretry = 3

Finally, restart Fail2ban to apply the changes:

sudo systemctl restart fail2ban

With Fail2ban enabled, repeated failed login attempts will automatically trigger temporary bans, greatly reducing the risk of brute-force attacks.

11. How to Configure Key-Based SSH Authentication in Linux

Key-based authentication is a secure method to log in to SSH without using passwords. It relies on a cryptographic key pair, making brute-force attacks nearly impossible.

First, generate a key pair on your local machine using the modern and secure Ed25519 algorithm is recommended:

ssh-keygen -t ed25519

Next, copy your public key to the remote server:

ssh-copy-id user@server

Once key-based authentication is working, you can further improve security by disabling password logins in the SSH configuration file.

PasswordAuthentication no

Restart the SSH service to apply the change:

sudo systemctl restart sshd

After this, only users with the correct private key can log in, providing a strong layer of protection against unauthorized access.

12. How to Allow or Deny SSH Access Using hosts.allow and hosts.deny

Linux provides a simple way to control access to services using TCP wrappers, which rely on the /etc/hosts.allow and /etc/hosts.deny files.

First, allow trusted IPs in /etc/hosts.allow:

sshd: 192.168.1.100

Then, deny all other IPs by editing /etc/hosts.deny:

sshd: ALL

With this setup, only the IP address 192.168.1.100 can connect via SSH, while all other attempts are blocked.

13. How to Check and Monitor Active SSH Sessions on Linux

Monitoring active SSH sessions helps you keep track of who is logged in and detect any unauthorized access. To see a list of currently logged-in users, you can use simple commands like:

who
OR
w

If you need to terminate a specific user’s session, you can use pkill with their username:

sudo pkill -u username

Regularly checking active sessions ensures you have control over who is connected to your server and helps maintain security.

14. How to Set Up SSH Tunneling (Port Forwarding) on Linux

SSH tunneling, or port forwarding, allows you to securely route network traffic from your local machine to a remote server, which is useful for accessing services behind a firewall or encrypting otherwise insecure connections.

For local port forwarding, you can forward a port on your local machine to a port on the remote server.

ssh -L 8080:localhost:80 user@remote-server
  • 8080 → The local port on your machine.
  • localhost:80 → The destination on the remote server.
  • user@remote-server → Your SSH login credentials.

After running this command, any traffic sent to localhost:8080 on your local machine will be securely forwarded to port 80 on the remote server.

15. How to Enable Verbose Logging for SSH Troubleshooting

When troubleshooting SSH connection issues, detailed logs can help identify the root cause, such as authentication problems or network delays. SSH provides a built-in verbose mode that shows step-by-step information about the connection process.

To enable verbose logging, simply run:

ssh -vvv user@server
  • The -vvv flag increases the verbosity level, providing comprehensive details about each stage of the SSH connection.
  • You can also use fewer vs (-v or -vv) for less detailed output.

Verbose mode is invaluable for diagnosing SSH problems, helping you quickly pinpoint configuration errors, network issues, or authentication failures.

16. How to Secure SSH with Strong Ciphers and Protocols

Securing SSH connections involves ensuring that only strong encryption algorithms and protocols are used. By default, SSH supports multiple protocols and ciphers, some of which are outdated and vulnerable.

You can harden your SSH server by explicitly specifying secure options in the configuration file:

Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms [email protected]
  • Protocol 2 → Ensures only the secure SSHv2 protocol is used.
  • Ciphers → Specifies strong encryption algorithms for data transfer.
  • MACs → Sets secure message authentication codes to verify data integrity.
  • KexAlgorithms → Chooses secure key exchange algorithms.

After making these changes, restart SSH to apply them:

sudo systemctl restart sshd

17. How to Limit SSH Access to a Specific Port Range

Restricting SSH access to a specific port range adds another layer of security by controlling which ports are allowed for connections, which can help reduce exposure to automated attacks on unused ports.

On systems using UFW (Uncomplicated Firewall), you can allow a range of ports with the following command:

sudo ufw allow 1024:1040/tcp

For FirewallD users, the equivalent would be:

sudo firewall-cmd --permanent --add-port=1024-1040/tcp
sudo firewall-cmd --reload

This configuration permits SSH connections only on ports 1024 to 1040, blocking access on all other ports.

18. How to Change SSH Connection Timeout in Linux

Limiting the time SSH waits for a user to log in helps prevent brute-force attacks and reduces the window for unauthorized access attempts, which can be configured using the LoginGraceTime setting in the SSH server configuration file.

Add or modify the following line, which will set the maximum time (in seconds) SSH will wait for a successful login before disconnecting.

LoginGraceTime 30

After saving the file, restart the SSH service to apply the change:

sudo systemctl restart sshd

19. How to Enable SSH Compression for Faster Connections

Enabling compression in SSH can improve connection speed, especially when transferring large amounts of data over slower networks. SSH can compress data before sending it, reducing the amount of traffic sent over the network.

To use compression on a per-connection basis, simply add the -C flag when connecting:

ssh -C user@server

For a permanent solution, you can enable compression in the SSH client configuration file.

Compression yes

Once enabled, SSH will automatically compress data for all connections, making transfers faster while still maintaining encryption and security.

20. How to Configure SSH Aliases for Easier Access

Managing multiple SSH connections can be cumbersome if you have to remember IP addresses, ports, and usernames for each server. Using SSH aliases simplifies this process by allowing you to create shortcuts for frequently accessed servers.

To set up an alias, edit your SSH client configuration file and add an entry like this:

Host myserver
  HostName 192.168.1.50
  User alice
  Port 2200

After saving the file, you can connect simply by running:

ssh myserver

21. How to Forward GUI Applications Over SSH (X11 Forwarding)

SSH can do more than just command-line access; it can also forward graphical applications from a remote server to your local machine using X11 forwarding, which allows you to run GUI apps on the server as if they were running locally.

To enable X11 forwarding, connect with the -X option:

ssh -X user@server

Once connected, you can launch GUI applications, such as:

gedit

The application’s window will appear on your local machine, while all processing happens on the remote server.

Tip: Ensure X11 forwarding is allowed in the SSH server configuration file.

X11Forwarding yes
Final Thoughts

SSH is an essential tool for anyone managing Linux servers, and using it correctly can make your work both easier and more secure.

By following the tips in this guide, you can protect your servers from unauthorized access, simplify your logins with key-based authentication and aliases, and monitor activity with tools like fail2ban and session timeouts.

Start with the basics, such as changing the default port, disabling root login, and setting up key-based login, and then gradually explore advanced features like two-factor authentication, SSH tunneling, and verbose logging.

Mastering these practices will help you manage servers efficiently, stay safe from attacks, and work like a confident Linux administrator.

Similar Posts