Configure SSH to Listen on a Specific IP on Ubuntu

By default, the SSH daemon (sshd) on Ubuntu Linux listens on all available network interfaces. This guide walks through restricting sshd to a specific network interface or IP address, so that it no longer accepts connections arriving on the server's other addresses.

Step 1: Find the IP Address of the Target Interface

Before modifying your SSH configuration, you need to identify the IP address of the specific network interface you want SSH to bind to. Run the following command in your terminal:

ip addr show

Locate the interface you want to use (for example, eth0 or enp3s0) and note its IPv4 or IPv6 address (e.g., 192.168.1.50).

Step 2: Edit the SSH Configuration File

The main configuration file for the SSH daemon is located at /etc/ssh/sshd_config. Open this file with root privileges using a text editor such as nano:

sudo nano /etc/ssh/sshd_config

Step 3: Configure the ListenAddress Directive

Scroll through the file to find the line containing #ListenAddress 0.0.0.0. By default, this line is commented out with a # symbol, meaning SSH listens on all IPv4 addresses.

  1. Uncomment the line by removing the # symbol.
  2. Replace 0.0.0.0 with the specific IP address of your chosen interface.

ListenAddress 192.168.1.50

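If you also want SSH to listen on a specific IPv6 address, uncomment the #ListenAddress :: line and replace :: with your specific IPv6 address. A link-local address (fe80::/10) needs the interface name appended as a zone suffix, because it cannot be bound without one:

ListenAddress fe80::215:5dff:fe00:1122%eth0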

Save the changes and exit the editor (in nano, press Ctrl+O, Enter, then Ctrl+X).

Step 4: Test the Configuration

Before restarting the SSH service, test the configuration file for syntax errors to avoid locking yourself out of the server:

sudo sshd -t

If this command returns no output, your configuration is valid.

Step 5: Restart the SSH Service

Apply the changes by restarting the SSH service using systemctl:

sudo systemctl restart ssh

Step 6: Verify the Changes

To confirm that SSH is now only listening on the specified IP address, run the following ss command:

sudo ss -tulpn | grep sshd

The output should show sshd binding only to your specified IP address (e.g., 192.168.1.50:22) instead of the wildcard *:22 or 0.0.0.0:22.
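The syntax test in Step 4 does not check whether the address in ListenAddress is actually assigned to the machine, so a mistyped address passes sshd -t and only fails when sshd tries to bind after the restart. The script below is an added example, not part of the original guide: it compares the ListenAddress values in a config file against the output of ip -o addr show. The function names and sample data are constructed for illustration; it assumes numeric addresses (no hostnames) and does not follow Include directives.

```shell
#!/bin/sh
# Added example: `sshd -t` checks syntax only, so confirm that each
# ListenAddress is actually assigned to a local interface.

# stdin: sshd_config text. stdout: address part of each active ListenAddress
# (accepts addr, addr:port, [v6]:port, bare v6; drops a %zone suffix).
listen_addrs() {
    awk 'tolower($1) == "listenaddress" {
        a = tolower($2)
        if (a ~ /^\[/) { sub(/^\[/, "", a); sub(/\].*$/, "", a) }
        else if (gsub(/:/, ":", a) == 1) sub(/:.*$/, "", a)
        sub(/%.*$/, "", a)
        print a
    }'
}

# stdin: `ip -o addr show` output. stdout: one local address per line.
local_addrs() {
    awk '$3 == "inet" || $3 == "inet6" { sub(/\/.*$/, "", $4); print $4 }'
}

# $1: sshd_config path; stdin: `ip -o addr show` output.
# Prints each configured address that no interface holds; returns 1 if any.
unbindable_addrs() {
    locals=$(local_addrs)
    missing=$(listen_addrs < "$1" | while read -r addr; do
        case "$addr" in (0.0.0.0|::) continue ;; esac  # wildcards always bind
        printf '%s\n' "$locals" | grep -qxF -- "$addr" || printf '%s\n' "$addr"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample data (not from a real host); .5 is a typo for .50.
sample_config() {
    printf '%s\n' '#ListenAddress 0.0.0.0' 'ListenAddress 192.168.1.5' \
        'ListenAddress fe80::215:5dff:fe00:1122%eth0'
}
sample_ip() {
    printf '%s\n' '1: lo    inet 127.0.0.1/8 scope host lo' \
        '2: eth0    inet 192.168.1.50/24 brd 192.168.1.255 scope global eth0' \
        '2: eth0    inet6 fe80::215:5dff:fe00:1122/64 scope link'
}

cfg=$(mktemp); sample_config > "$cfg"
sample_ip | unbindable_addrs "$cfg" || echo "fix the address(es) above before restarting ssh"
rm -f "$cfg"
```

On a real server, run it between Step 4 and Step 5 as: ip -o addr show | unbindable_addrs /etc/ssh/sshd_config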