How to Configure SSH on Ubuntu
Configuring Secure Shell (SSH) on an Ubuntu machine allows you to establish a secure, encrypted connection for remote management and file transfers. This guide walks you through the essential steps of setting up an SSH server, including installation, firewall configuration, connection testing, and critical security hardening practices to protect your system from unauthorized access.
Installing the SSH Server
By default, Ubuntu desktop and some minimal server installations do not come with an active SSH server. You need to install the OpenSSH server package to enable incoming connections.
First, update your local package index to ensure you download the latest version:
sudo apt update
Next, install the OpenSSH server package by running:
sudo apt install openssh-server
Once the installation is complete, the SSH service will start automatically. You can verify that the service is running and active with the following command:
sudo systemctl status ssh
Configuring the Firewall
Ubuntu uses the Uncomplicated Firewall (UFW) by default. If your firewall is enabled, it will block incoming SSH connections unless you explicitly create a rule to allow them.
To allow SSH traffic through UFW, execute:
sudo ufw allow ssh
If you plan to change the default SSH port later, you can also allow
specific ports by specifying the number:
sudo ufw allow 22/tcp
After adding the rule, enable the firewall if it isn’t already active:
sudo ufw enable
To confirm that the rules were applied correctly, check the firewall status:
sudo ufw status
Connecting to the Ubuntu Machine
To connect to your Ubuntu machine from a remote computer, you need the Ubuntu system’s IP address and a user account with a password.
Find your local IP address by running: ip a
Look for your network interface (usually starting with “en” or “wl”) and locate the IPv4 address. Once you have the IP address, open a terminal on your remote client machine and use the following SSH command format:
ssh username@your_server_ip
Replace username with your actual Ubuntu username and
your_server_ip with the IP address you located. The first
time you connect, your client will ask you to accept the remote host’s
fingerprint. Type yes and provide your password when
prompted.
Hardening SSH Security
Leaving SSH at its default settings can expose your machine to brute-force attacks. Implementing a few basic security tweaks significantly hardens your system. All configuration changes are made in the main SSH daemon configuration file:
sudo nano /etc/ssh/sshd_config
1. Disable Root Login
Allowing the root user to log in directly via SSH is a significant security risk. Locate the PermitRootLogin directive and change it to no:
PermitRootLogin no
2. Change the Default Port
Changing the default port from 22 to a random custom port (e.g., 2222) helps reduce automated background noise and script-kiddie scans. Find the Port line, uncomment it if necessary, and update the value:
Port 2222
Note: If you change this port, remember to update your UFW firewall rules to allow the new port before restarting the service; otherwise, you will lock yourself out.
3. Switch to SSH Key Authentication
Passwords can be guessed or brute-forced. SSH keys provide a much more secure login method.
Generate an SSH key pair on your client machine:
ssh-keygen -t ed25519
Copy the public key to your Ubuntu server:
ssh-copy-id username@your_server_ip
Once you verify that you can log in using your key without a
password, disable password authentication entirely in
/etc/ssh/sshd_config:
PasswordAuthentication no
Applying Changes
Whenever you modify the /etc/ssh/sshd_config file, you
must restart the SSH service for the changes to take effect:
sudo systemctl restart ssh
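Before restarting, it is worth checking which values sshd will actually use, because a directive that is still commented out, or that appears after an earlier line for the same keyword, has no effect. The script below is an added example, not part of the original guide; the function names effective_value and audit_sshd and both sample files are constructed for illustration, and it reads a single file without following Include directives.

```shell
#!/bin/sh
# Added example (not from the original guide). sshd keeps the FIRST value it
# reads for a keyword; keywords are case-insensitive. Include is not followed.

# effective_value FILE KEYWORD DEFAULT: global value sshd would use.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                       # commented-out directive
        tolower($1) == "match" { exit }           # Match blocks are not global
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }             # fall back to OpenSSH default
    ' "$1"
}

# audit_sshd FILE: returns non-zero if a hardening step from the guide is missing.
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    port=$(effective_value "$1" Port 22)
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root (want no)"; rc=1; }
    [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=$pass (want no)"; rc=1; }
    echo "INFO Port=$port: UFW must allow $port/tcp before the restart"
    return "$rc"
}

# Constructed sample files, not taken from a real server.
weak=$(mktemp); hard=$(mktemp)
trap 'rm -f "$weak" "$hard"' EXIT
cat > "$weak" <<'EOF'
#PermitRootLogin no
PasswordAuthentication yes
# appended later, but ignored: the earlier line already set the value
PasswordAuthentication no
EOF
cat > "$hard" <<'EOF'
Port 2222
permitrootlogin no
PasswordAuthentication no
EOF

for f in "$weak" "$hard"; do
    echo "== $f"
    audit_sshd "$f" || echo "-> not hardened"
done
```

On the server itself, sudo sshd -t checks the configuration file for syntax errors and sudo sshd -T prints the effective settings, so both can be run before the restart while your current session is still open.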