Configuring Linux to allow SSH access securely is a common requirement for server management and remote development. This guide explains how to enable, secure, and troubleshoot SSH on Linux systems with practical, distributionagnostic steps.
Below is a quick reference table that summarizes key configuration items and their typical secure defaults for allowing SSH access.
| Configuration Item | Recommended Secure Value | Purpose | Notes |
|---|---|---|---|
| SSH Server Package | openssh-server | Installs the SSH daemon | Available on most distro repositories |
| Firewall Rule | Allow TCP/22 only from trusted ranges | Limits exposure to external networks | Use ufw or firewalld |
| PermitRootLogin | prohibit-password or no | Prevents direct root SSH access | Use key-based auth with a normal user |
| PasswordAuthentication | no | Enforces key-only authentication | Set to yes only for initial testing |
Install and Start the SSH Server
On most distributions, you can install the OpenSSH server package from the default repositories. This package provides the daemon and tools required to accept remote shell sessions over a secure channel.
After installation, start and enable the service so it launches automatically at boot. This ensures SSH remains available after system restarts without manual intervention.
Configure Firewall for SSH Access
Adjusting the host-based firewall is essential to allow SSH traffic while minimizing exposure. You should explicitly permit TCP port 22 (or a custom port if you have changed it) and restrict source IP ranges where possible.
Using a restrictive policy by default, then adding rules for trusted networks or admin workstations helps prevent unauthorized scanning and brute force attempts. Both ufw and firewalld support these rules with straightforward commands.
Harden SSH Server Settings
Disable Root Login and Use Key Authentication
Disabling direct root login reduces the attack surface and encourages the use of less privileged accounts combined with sudo for administrative tasks. Pair this with SSH key authentication and disable password logins for stronger security.
Change Default Port and Use Fail2ban
Moving SSH to a nonstandard port can reduce automated noise from opportunistic scans, though it is not a substitute for proper firewall rules. For additional protection, deploy fail2ban to temporarily block IPs that exhibit repeated failed login behavior.
Test and Validate SSH Connectivity
From a client machine, attempt to connect using your private key and the configured port to confirm that access works as expected. Verify that invalid credentials are rejected and that permitted users can obtain a shell without issues.
Check server-side logs for successful authentication entries and any warnings. This step ensures that the security settings do not inadvertently lock out authorized administrators.
Best Practices for Ongoing SSH Management
- Keep the OpenSSH server package updated to patch security vulnerabilities promptly.
- Use SSH keys with a strong passphrase and store them in a secure key manager when possible.
- Limit source IPs in firewall rules for administrative accounts to reduce exposure.
- Monitor auth logs regularly and integrate alerting for repeated failed login attempts.
- Consider using configuration management tools to enforce consistent hardening across servers.
FAQ
Reader questions
How do I allow SSH for specific users only?
Use the AllowUsers directive in sshd_config to list exact usernames, optionally including the host or IP. Reload the SSH daemon after editing to enforce the restriction.
What should I do if I lock myself out after changing SSH settings?
Access the server via an outofband console or provider recovery shell, revert the changes, and confirm the configuration syntax with sshd test before restarting the service again.
Is using a nonstandard port enough security on its own?
A nonstandard port reduces automated scan noise but does not replace authentication controls, firewall rules, and monitoring. Combine port changes with keybased auth and fail2ban for effective protection.
How can I verify that my SSH keys are properly authorized?
Ensure the public key is appended to ~/.ssh/authorized_keys with correct file permissions, and that sshd config does not override authentication settings. Test the connection locally and remotely to confirm login behavior.