Complete Guide to Ubuntu SSH Configuration | Installation, Security Enhancement, and Troubleshooting

By 佐川 直弘 | Naohiro Sagawa (運営者)

※記事内に広告を含みます。Amazonアソシエイトとして適格販売により収入を得ています。　

1. Introduction

Setting up SSH on Ubuntu is essential for managing remote servers. SSH (Secure Shell) is a protocol that provides secure encrypted communication, widely used for remote server access, command execution, and file transfers.

In this guide, we will cover everything from basic installation to advanced security configurations for SSH on Ubuntu.

1.1 Why Set Up SSH on Ubuntu?

1.1.1 What is SSH?

SSH (Secure Shell) is a protocol designed for secure communication over a network. It is commonly used for logging into remote servers, transferring files, and tunneling (port forwarding). Unlike traditional protocols like Telnet or FTP, SSH encrypts all communication, making it highly secure.

1.1.2 When Do You Need SSH on Ubuntu?

SSH is useful for remote management in various scenarios, such as:

• Managing cloud servers: Cloud services like AWS, GCP, and Vultr use SSH for remote server access.
• Remote operations in a LAN environment: Accessing internal servers or development machines via SSH for remote work.
• Managing IoT devices: Remotely controlling embedded devices like Raspberry Pi.

By default, SSH is disabled on Ubuntu. To use it, you must install and configure it manually.

2. Basic SSH Configuration

To use SSH on Ubuntu, you need to install the SSH server (OpenSSH) and configure it properly. This section covers installation, basic settings, firewall configuration, and how to connect to your server.

2.1 Installing and Starting OpenSSH

2.1.1 What is OpenSSH?

OpenSSH (Open Secure Shell) is an open-source implementation of the SSH protocol. It supports remote connections, secure file transfers (SCP and SFTP), and port forwarding.

2.1.2 Installing OpenSSH

By default, Ubuntu does not come with an SSH server pre-installed. Use the following command to install it:

sudo apt update && sudo apt install -y openssh-server

This command updates the package list and installs the OpenSSH server.

2.1.3 Starting and Enabling SSH Server

Once installed, start the SSH server and enable it to launch at boot.

sudo systemctl enable --now ssh

The enable option ensures that SSH starts automatically when the OS boots.

2.1.4 Verifying SSH Status

To check if the SSH server is running, use:

systemctl status ssh

If you see an output like the following, SSH is running correctly:

● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2025-02-28 12:00:00 UTC; 5min ago

If you see inactive (dead) or failed, start the service manually:

sudo systemctl start ssh

2.2 Configuring the Firewall (UFW)

Ubuntu provides ufw (Uncomplicated Firewall) for easy firewall management. You need to configure UFW to allow SSH connections.

2.2.1 Checking UFW Status

Check the current firewall status using:

sudo ufw status

Example output (if UFW is disabled):

Status: inactive

Example output (if UFW is enabled):

Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere

2.2.2 Allowing SSH Traffic

To allow SSH connections on the default port 22, run:

sudo ufw allow ssh

Alternatively, specify the port explicitly:

sudo ufw allow 22/tcp

2.2.3 Enabling UFW

If UFW is disabled, enable it with:

sudo ufw enable

Before enabling UFW, ensure SSH is allowed, or you may lock yourself out.

2.2.4 Verifying UFW Settings

Check if the firewall rules are applied correctly:

sudo ufw status verbose

Example output:

Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

If you see this, SSH is allowed through the firewall.

2.3 Connecting to SSH

Once the SSH server is running, you can connect from a client PC.

2.3.1 Connecting from Linux/macOS

On Linux or macOS, open a terminal and run:

ssh username@server-ip-address

Example:

ssh user@192.168.1.100

On first connection, you may see a security warning like this:

The authenticity of host '192.168.1.100 (192.168.1.100)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)?

Type yes and press Enter to proceed.

2.3.2 Connecting from Windows

On Windows, you can use **PowerShell** or **PuTTY** to connect via SSH.

Using PowerShell
Windows 10 and later include an SSH client in PowerShell. Connect with:

ssh username@server-ip-address

Using PuTTY

1. Download and install PuTTY from the official site.
2. Open PuTTY and enter the server’s IP address in Host Name (or IP address).
3. Set Connection type to SSH and click Open.
4. Enter your username and password to connect.

3. Enhancing SSH Security

SSH is a powerful tool for remote access, but leaving it with default settings can pose security risks. Attackers often target SSH servers using brute force attacks or port scanning. To create a more secure SSH environment, it is essential to apply proper security configurations.

3.1 Disabling Root Login

By default, Ubuntu may allow root login via SSH. Since the root account has full system privileges, it is a common target for attackers. Disabling root login and using a regular user account instead significantly improves security.

3.1.1 Configuration Steps

1. Edit the SSH configuration file /etc/ssh/sshd_config.

sudo nano /etc/ssh/sshd_config

2. Find the following line and change it to PermitRootLogin no.

PermitRootLogin no

3. Save the file and restart the SSH service.

sudo systemctl restart ssh

4. Verify that the setting has been applied.

sudo grep PermitRootLogin /etc/ssh/sshd_config

If the output shows PermitRootLogin no, the setting has been successfully applied.

3.2 Disabling Password Authentication and Enabling Public Key Authentication

Using public key authentication is much safer than relying on password authentication. With public key authentication, you do not need to enter a password, reducing the risk of brute force attacks.

3.2.1 Generating an SSH Key Pair

On your local PC, generate an SSH key pair:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

This will create two files:

• Private key (id_rsa) → **Keep this on your local PC (never share it publicly)**.
• Public key (id_rsa.pub) → **Copy this to the server**.

3.2.2 Copying the Public Key to the Server

Use the following command to copy your public key to the server:

ssh-copy-id username@server-ip-address

3.2.3 Disabling Password Authentication

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the following line and change it to:

PasswordAuthentication no

Restart SSH to apply the changes:

sudo systemctl restart ssh

3.3 Restricting SSH Access to Specific Users

To enhance security, you can limit SSH access to specific users.

3.3.1 Configuration Steps

1. Open the SSH configuration file.

sudo nano /etc/ssh/sshd_config

2. Add the following line, specifying allowed users.

AllowUsers user1 user2

3. Restart SSH to apply the changes.

sudo systemctl restart ssh

3.4 Changing the SSH Port

The default SSH port (22) is frequently targeted by attackers. Changing it to a non-standard port can reduce the risk of automated attacks.

3.4.1 Configuration Steps

1. Open the SSH configuration file.

sudo nano /etc/ssh/sshd_config

2. Find the following line and change it to a custom port (e.g., 2200).

Port 2200

3. Save the file and restart SSH.

sudo systemctl restart ssh

3.4.2 Updating Firewall Settings

After changing the SSH port, allow the new port through UFW:

sudo ufw allow 2200/tcp

Verify the settings:

sudo ufw status

3.5 Preventing Brute Force Attacks with Fail2Ban

Fail2Ban is a tool that detects failed SSH login attempts and temporarily blocks the attacking IP address.

3.5.1 Installing Fail2Ban

sudo apt install fail2ban -y

3.5.2 Creating a Configuration File

Copy the default configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the configuration file:

sudo nano /etc/fail2ban/jail.local

Modify the SSH section as follows:

[sshd]
enabled = true
port = 2200
maxretry = 3
findtime = 600
bantime = 3600

3.5.3 Restarting Fail2Ban

Restart Fail2Ban to apply the changes:

sudo systemctl restart fail2ban

3.5.4 Checking the Ban List

To check which IPs are banned:

sudo fail2ban-client status sshd

Summary

In this section, we covered essential SSH security enhancements, including:

• Disabling root login
• Disabling password authentication and enabling public key authentication
• Restricting SSH access to specific users
• Changing the SSH port
• Using Fail2Ban to block brute force attacks

By implementing these measures, you can create a safer SSH environment.

4. Advanced SSH Configuration

After configuring SSH security, you can take advantage of advanced settings to improve usability and security. This section covers managing ssh.socket in Ubuntu 22.10 and later, SSH tunneling (port forwarding), setting up multiple SSH ports, and restricting SSH access to specific IP addresses.

4.1 Using ssh.socket in Ubuntu 22.10 and Later

Starting with Ubuntu 22.10, SSH service management may switch from ssh.service to ssh.socket. This allows SSH to start dynamically when a connection request is received, reducing resource usage.

4.1.1 Checking ssh.socket Status

To check if ssh.socket is enabled, run:

sudo systemctl status ssh.socket

Example output (if enabled):

● ssh.socket - OpenSSH Server Socket
   Loaded: loaded (/lib/systemd/system/ssh.socket; enabled; vendor preset: enabled)
   Active: active (listening) since Fri 2025-02-28 12:00:00 UTC

4.1.2 Enabling or Disabling ssh.socket

If ssh.socket is disabled, enable it with:

sudo systemctl enable --now ssh.socket

To revert to the traditional ssh.service, disable ssh.socket and enable ssh.service instead:

sudo systemctl disable --now ssh.socket
sudo systemctl enable --now ssh.service

4.2 SSH Tunneling (Port Forwarding)

SSH tunneling allows secure data transmission between a remote server and a local PC, bypassing external networks.

4.2.1 Local Port Forwarding

Useful for accessing remote databases or web servers securely.

Example: Connecting to a remote MySQL server (port 3306) from your local PC

ssh -L 3306:localhost:3306 username@server-ip-address

4.2.2 Remote Port Forwarding

Exposes a local service to a remote server through SSH.

Example: Forwarding a local web server (port 80) to port 8080 on a remote server

ssh -R 8080:localhost:80 username@server-ip-address

4.2.3 Dynamic Port Forwarding

Turns SSH into a SOCKS proxy for anonymous web browsing.

Example: Creating a SOCKS proxy on local port 1080

ssh -D 1080 username@server-ip-address

4.3 Listening on Multiple SSH Ports

By default, SSH listens on one port (port 22). Configuring multiple ports allows access flexibility.

4.3.1 Configuration Steps

1. Edit the SSH configuration file.

sudo nano /etc/ssh/sshd_config

2. Add multiple port entries.

Port 22
Port 2200

3. Restart SSH.

sudo systemctl restart ssh

4. Allow the new port in the firewall.

sudo ufw allow 2200/tcp

4.4 Restricting SSH Access to Specific IP Addresses

To enhance security, you can limit SSH access to specific IP addresses.

4.4.1 Configuring /etc/hosts.allow

Allow SSH access only from certain IP addresses by editing:

sudo nano /etc/hosts.allow

Add the following line (replace 192.168.1.100 with the allowed IP address):

sshd: 192.168.1.100

4.4.2 Configuring /etc/hosts.deny

To block all other IPs by default:

sudo nano /etc/hosts.deny

sshd: ALL

This ensures that only IPs listed in hosts.allow can access SSH.

Summary

This section covered advanced SSH settings, including:

• Managing ssh.socket in Ubuntu 22.10 and later
• Using SSH tunneling (port forwarding) for secure connections
• Listening on multiple SSH ports
• Restricting SSH access to specific IPs

Applying these settings improves SSH security and usability.

5. Troubleshooting SSH Issues

Even with proper configuration, SSH issues may arise. This section provides solutions to common SSH problems.

5.1 Unable to Connect to SSH

If you get a Connection refused or timeout error, check the following.

5.1.1 SSH Service is Not Running

Verify the SSH service status:

sudo systemctl status ssh

Solution:

• If Active: inactive (dead) or failed, restart SSH.

sudo systemctl restart ssh

• Enable SSH to start automatically.

sudo systemctl enable ssh

5.1.2 Firewall is Blocking SSH

Ensure SSH is allowed through UFW:

sudo ufw status

Solution: If SSH is not allowed:

sudo ufw allow 22/tcp

If using a custom port:

sudo ufw allow 2200/tcp

5.2 Authentication Errors

If SSH rejects login attempts, check the following:

5.2.1 Incorrect Username or Password

Ensure you are using the correct username:

ssh username@server-ip-address

5.2.2 Public Key Authentication Issues

Verify that your public key is correctly stored in ~/.ssh/authorized_keys.

cat ~/.ssh/authorized_keys

5.2.3 Incorrect Permissions

Ensure SSH directory and files have correct permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Summary

This section covered common SSH issues and their solutions, including:

• Checking if SSH is running
• Ensuring the firewall is not blocking SSH
• Fixing authentication issues

Use these troubleshooting steps to quickly resolve SSH connection problems.

6. FAQ (Frequently Asked Questions)

This section addresses common SSH-related questions and solutions to improve your SSH experience while maintaining security.

6.1 How to Prevent SSH Timeouts?

If SSH connections disconnect after a period of inactivity, try the following settings.

6.1.1 Server-Side Configuration

Edit /etc/ssh/sshd_config and add:

ClientAliveInterval 60
ClientAliveCountMax 3

Restart SSH to apply the changes:

sudo systemctl restart ssh

6.1.2 Client-Side Configuration

Modify the local SSH configuration file ~/.ssh/config:

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

6.2 What to Do If I Forget My SSH Password?

6.2.1 If You Have Physical Access to the Server

1. Boot into recovery mode via the GRUB menu.
2. Reset the password with the following command:

passwd username

3. Restart the system.

6.2.2 If You Cannot Access the Server Physically (e.g., Cloud VPS)

• Use the cloud provider’s console feature to access the server.
• Set up SSH key authentication instead of relying on passwords.

6.3 How to Use SSH on Windows?

6.3.1 Using PowerShell

Windows 10 and later include a built-in SSH client. Open PowerShell and run:

ssh username@server-ip-address

6.3.2 Using PuTTY

1. Download and install PuTTY.
2. Enter the server’s IP in Host Name (or IP address).
3. Select SSH as the connection type and click Open.
4. Log in with your username and password.

6.4 How to Set Up SSH in Ubuntu WSL (Windows Subsystem for Linux)?

To enable SSH on WSL, follow these steps.

6.4.1 Installing SSH Server

sudo apt update && sudo apt install openssh-server

6.4.2 Configuring SSH

Edit /etc/ssh/sshd_config and enable password authentication:

PasswordAuthentication yes

Since WSL does not use systemd by default, start SSH manually:

sudo service ssh start

6.5 What Additional Security Measures Should I Take?

6.5.1 Installing Fail2Ban

Prevent brute-force attacks by installing Fail2Ban:

sudo apt install fail2ban -y

Edit the configuration file /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = 22
maxretry = 3
findtime = 600
bantime = 3600

Restart Fail2Ban:

sudo systemctl restart fail2ban

6.5.2 Changing SSH Port

Modify /etc/ssh/sshd_config to change the default SSH port:

Port 2200

Restart SSH and update the firewall settings:

sudo ufw allow 2200/tcp

6.6 How to Monitor SSH Logs in Real-Time?

To view SSH logs in real-time, use:

sudo journalctl -u ssh -f

To check past logs:

sudo cat /var/log/auth.log | grep ssh

6.7 How to Make SSH More Convenient?

6.7.1 Using .ssh/config for Easy Login

Save frequently used SSH connections in ~/.ssh/config:

Host myserver
    HostName 192.168.1.100
    User user
    Port 2200
    IdentityFile ~/.ssh/id_rsa

Now you can connect with:

ssh myserver

6.7.2 Using ssh-agent to Avoid Repeated Password Entry

Run:

eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa

This allows SSH connections without entering the passphrase every time.

Summary

This section provided answers to common SSH-related questions, covering:

• Preventing SSH timeouts
• Recovering from a forgotten password
• Using SSH on Windows and WSL
• Applying additional security measures
• Monitoring SSH logs
• Making SSH usage more convenient

By following these tips, you can create a secure and efficient SSH environment for remote server management.

Related Articles