Enabling the SSH service on Ubuntu systems allows secure remote administration and automation workflows directly from the network. This guide walks through practical steps, configuration details, and operational best practices for activating and hardening sshd access.
Use the following table for a concise overview of service status, ports, configurations, and security recommendations when you enable sshd on Ubuntu.
| Aspect | Default Value | Recommended Secure Value | Notes |
|---|---|---|---|
| Service Name | ssh | ssh | Managed by systemd as ssh.service |
| Listening Port | 22/tcp | Custom high port (e.g., 2222–65535) | Avoid well-known ports only if you have firewall rules |
| Protocol | 2 | 2 | SSHv1 is deprecated; keep Protocol 2 |
| PermitRootLogin | prohibit-password | no | Disable direct root login; use sudo instead |
| PasswordAuthentication | yes | no | Use SSH keys with passphrases for stronger auth |
| X11Forwarding | no | no | Set to yes only if GUI forwarding is explicitly needed |
| MaxAuthTries | 6 | 3–4 | Lower values reduce brute-force window |
| AllowUsers / AllowGroups | All authenticated users | Specific users or groups | Limit access to required admin and deploy accounts |
Enable and Start sshd on Ubuntu
Before any configuration, ensure the OpenSSH server package is installed and the service is actively running. On Ubuntu, the systemd unit manages sshd lifecycle and integrates with the firewall.
Use systemctl to check current status and then enable sshd to start at boot, followed by starting it immediately if the server is already configured for remote access.
Configure sshd Securely
Once enabled, apply security-focused changes to the main sshd configuration file located at /etc/ssh/sshd_config. These adjustments help reduce exposure and enforce least-privilege access.
Apply options such as disabling root login, enforcing key-based authentication, and narrowing allowed users or groups to control who can reach the system over SSH.
Firewall and Port Management
After you enable sshd, align your firewall rules with the chosen SSH port and administrative policies. Ubuntu commonly uses ufw, which provides a straightforward interface for allowing service entries and restricting source addresses.
Restrict SSH access to administration networks or bastion hosts when possible, and avoid broad rules that expose the service to the entire internet without additional protections.
Service Monitoring and Maintenance
Ongoing maintenance includes verifying configuration syntax, monitoring authentication logs, and rotating keys when personnel or automation accounts change. Regular reviews of active connections and PermitEmptyPasswords settings help maintain a resilient posture.
Plan updates to the OpenSSH package alongside system patches, and validate service behavior after each modification to prevent accidental lockouts or disruptions.
Operational Best Practices and Key Takeaways
- Always enable and start sshd with systemctl to integrate cleanly with Ubuntu service management.
- Apply secure defaults in sshd_config, including key-based auth and disabling root login.
- Align firewall rules with your chosen SSH port and scope allowed sources tightly.
- Monitor logs and rotate credentials regularly to detect or prevent unauthorized access.
- Validate changes in a maintenance window or via console access to avoid accidental lockouts.
FAQ
Reader questions
How do I enable sshd at boot and start it right now on Ubuntu?
Run sudo systemctl enable ssh to configure the service for automatic start, then sudo systemctl start ssh to launch it immediately, and sudo systemctl status ssh to verify it is active.
What is the default SSH port on Ubuntu and should I change it?
The default SSH port is 22; changing it can reduce automated noise, but rely on firewall rules and hardening instead of port obscurity for real security.
How can I restrict SSH access to specific users on Ubuntu?
Use AllowUsers or AllowGroups in /etc/ssh/sshd_config and reload sshd so only the specified accounts or groups can authenticate over SSH.
Why does my Ubuntu server not accept SSH connections after I changed the config?
Check syntax with sudo sshd -t, verify the firewall allows the listening port, ensure sshd is running via systemctl status ssh, and inspect logs in /var/log/auth.log for authentication or listening issues.