Complete SSH Setup Guide on Ubuntu: Installation, Security Hardening, Advanced Configuration, and Troubleshooting

1. Introduction

Configuring SSH on Ubuntu is essential for managing remote servers. SSH (Secure Shell) is a protocol that provides secure encrypted communication, allowing users to access servers remotely, execute commands, and transfer files.

This article explains how to configure SSH on Ubuntu, from basic installation steps to advanced security measures.

1.1 Why Configure SSH on Ubuntu?

1.1.1 What Is SSH?

SSH (Secure Shell) is a protocol that enables secure communication over a network. It is commonly used for logging into remote servers, transferring files, and tunneling (port forwarding). Unlike traditional Telnet or FTP, SSH encrypts all communication, providing strong security.

1.1.2 When SSH Is Needed on Ubuntu

Common scenarios where SSH is used to manage Ubuntu remotely include:

• Cloud server administration: Linux servers on AWS, GCP, Vultr, and others are typically accessed via SSH.
• Remote operations in LAN environments: Accessing internal servers or development machines remotely.
• Managing IoT devices: Controlling embedded systems such as Raspberry Pi remotely.

By default, the SSH server is disabled on Ubuntu, so it must be manually installed and configured to enable SSH access.

2. Basic SSH Configuration

To use SSH on Ubuntu, you must install the SSH server (OpenSSH) and configure it properly. This section explains how to install SSH, adjust basic settings, configure the firewall, and connect to the server.

2.1 Installing and Starting OpenSSH

2.1.1 What Is OpenSSH?

OpenSSH (Open Secure Shell) is an open-source implementation of the SSH protocol. It supports remote connections, secure file transfers (SCP and SFTP), and port forwarding.

2.1.2 Installing OpenSSH

Ubuntu does not include an SSH server by default, so install it using the command below:

sudo apt update && sudo apt install -y openssh-server

This updates package lists and installs the OpenSSH server.

2.1.3 Starting SSH and Enabling Auto-Start

After installation, start the SSH server and enable automatic startup:

sudo systemctl enable --now ssh

The enable option ensures SSH starts automatically when the OS boots.

2.1.4 Checking SSH Status

Verify that SSH is running:

systemctl status ssh

If the output shows active (running), SSH is functioning normally:

● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2025-02-28 12:00:00 UTC; 5min ago

If it shows inactive (dead) or failed, start SSH manually:

sudo systemctl start ssh

2.2 Configuring the Firewall (UFW)

Ubuntu includes a simple firewall called ufw (Uncomplicated Firewall). You must allow SSH connections through it.

2.2.1 Checking UFW Status

sudo ufw status

Example output (inactive):

Status: inactive

Example output (active):

Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere

2.2.2 Allowing SSH

sudo ufw allow ssh

Or explicitly:

sudo ufw allow 22/tcp

2.2.3 Enabling UFW

sudo ufw enable

2.2.4 Verifying UFW Rules

sudo ufw status verbose

Example:

Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)

2.3 Basic SSH Connection Methods

Once SSH is running, connect from a client machine.

2.3.1 Connecting from Linux/macOS

ssh username@server-ip-address

Example:

ssh user@192.168.1.100

You may see a security warning on first connection:

The authenticity of host '192.168.1.100 (192.168.1.100)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)?

Type yes to proceed.

2.3.2 Connecting from Windows

You can use PowerShell or PuTTY.

Using PowerShell (Windows 10+ includes SSH):

ssh username@server-ip-address

Using PuTTY:

1. Download PuTTY from the official site
2. Open PuTTY and enter the server IP in Host Name (or IP address)
3. Select SSH as the connection type
4. Click Open and log in

Conclusion

This section covered the basics of setting up SSH on Ubuntu:

• How to install and start OpenSSH
• How to allow SSH connections with UFW
• How to connect from Linux/macOS and Windows

3. Strengthening SSH Security

SSH is powerful, but leaving it with default settings increases security risks. Attackers often attempt brute-force login attempts or port scans. Strengthening SSH security is essential.

3.1 Disable Root Login

Root login provides full system control and is a major target for attackers. Disabling it improves security.

3.1.1 Steps

1. Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

2. Change the line to:

PermitRootLogin no

3. Restart SSH:

sudo systemctl restart ssh

4. Confirm the change:

sudo grep PermitRootLogin /etc/ssh/sshd_config

If the output is PermitRootLogin no, the setting is applied.

3.2 Disable Password Authentication and Use Key Authentication

Public key authentication is safer than passwords and reduces brute-force attack risks.

3.2.1 Creating SSH Keys

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

This generates two files:

• id_rsa (private key) — keep locally, never share
• id_rsa.pub (public key) — upload to server

3.2.2 Uploading the Public Key

ssh-copy-id username@server-ip-address

3.2.3 Disabling Password Authentication

sudo nano /etc/ssh/sshd_config

Edit:

PasswordAuthentication no

Restart SSH:

sudo systemctl restart ssh

3.3 Allow SSH Access Only to Specific Users

To enhance SSH security, you can restrict access so that only certain users are allowed to log in.

3.3.1 Configuration Steps

1. Open the SSH configuration file /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

2. Add users allowed to access via SSH:

AllowUsers username1 username2

3. Restart SSH to apply the settings:

sudo systemctl restart ssh

3.4 Changing the SSH Port

Because port 22 is frequently targeted by attackers, changing the default port can improve security.

3.4.1 Configuration Steps

1. Open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

2. Modify the port setting, e.g.:

Port 2200

3. Restart SSH:

sudo systemctl restart ssh

3.4.2 Updating Firewall Settings

If you change the port, update UFW:

sudo ufw allow 2200/tcp

Check the new rule:

sudo ufw status

3.5 Prevent Brute-Force Attacks with Fail2Ban

Fail2Ban detects failed login attempts and blocks the attacking IP for a specified time.

3.5.1 Install Fail2Ban

sudo apt install fail2ban -y

3.5.2 Create a Configuration File

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the file:

sudo nano /etc/fail2ban/jail.local

Modify settings:

[sshd]
enabled = true
port = 2200
maxretry = 3
findtime = 600
bantime = 3600

3.5.3 Restart Fail2Ban

sudo systemctl restart fail2ban

3.5.4 Check Ban List

sudo fail2ban-client status sshd

Conclusion

This section explained methods for enhancing SSH security:

• Disable root login
• Disable password authentication and enable key authentication
• Restrict SSH access to specific users
• Change the SSH port
• Use Fail2Ban to block unauthorized attempts

Implementing these settings helps create a secure SSH environment.

4. Advanced SSH Configuration

Once basic SSH configuration and security hardening are completed, you can move on to advanced features for improved flexibility and security. This section covers ssh.socket management (Ubuntu 22.10+), SSH tunnels, listening on multiple ports, and IP-based access control.

4.1 Using ssh.socket on Ubuntu 22.10+

In Ubuntu 22.10+, SSH may be managed by ssh.socket instead of ssh.service. This socket-based activation starts SSH only when needed, saving system resources.

4.1.1 Check ssh.socket Status

sudo systemctl status ssh.socket

Example output (enabled):

● ssh.socket - OpenSSH Server Socket
   Loaded: loaded (/lib/systemd/system/ssh.socket; enabled; vendor preset: enabled)
   Active: active (listening) since Fri 2025-02-28 12:00:00 UTC

4.1.2 Enable or Disable ssh.socket

Enable the socket:

sudo systemctl enable --now ssh.socket

Switch back to classic ssh.service:

sudo systemctl disable --now ssh.socket
sudo systemctl enable --now ssh.service

4.2 SSH Tunneling (Port Forwarding)

SSH tunneling establishes secure communication channels between local and remote systems.

4.2.1 Local Port Forwarding

Useful for securely connecting to remote databases or internal services.

Example: Access a remote MySQL server on port 3306

ssh -L 3306:localhost:3306 username@server-ip-address

4.2.2 Reverse Port Forwarding

Expose local services via a remote server.

Example: Publish local web server on remote port 8080

ssh -R 8080:localhost:80 username@server-ip-address

4.2.3 Dynamic Port Forwarding (SOCKS Proxy)

Use SSH as a SOCKS proxy for anonymous browsing.

ssh -D 1080 username@server-ip-address

4.3 Listening on Multiple Ports

SSH can listen on more than one port for flexibility across different network environments.

4.3.1 Configuration Steps

1. Edit /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

2. Add multiple Port lines:

Port 22
Port 2200

3. Restart SSH:

sudo systemctl restart ssh

4. Allow the new port with UFW:

sudo ufw allow 2200/tcp

4.4 Allow SSH Only from Specific IP Addresses

Restricting SSH access by IP address offers strong security control.

4.4.1 Configure /etc/hosts.allow

sudo nano /etc/hosts.allow

Add a permitted IP address:

sshd: 192.168.1.100

4.4.2 Configure /etc/hosts.deny

sudo nano /etc/hosts.deny

Deny all others:

sshd: ALL

Conclusion

This section covered advanced SSH configuration topics:

• Managing ssh.socket in Ubuntu 22.10+
• Using SSH tunnels (port forwarding)
• Listening on multiple SSH ports
• Restricting SSH access to specific IP addresses

Applying these configurations enhances both security and usability.

5. SSH Troubleshooting

Even with correct configuration, SSH connections may occasionally fail. This section explains common SSH problems and their solutions.

5.1 When SSH Cannot Connect

If SSH returns Connection refused or times out, possible causes include service issues, port misconfiguration, or firewall restrictions.

5.1.1 SSH Service Is Not Running

sudo systemctl status ssh

Solution:

• If inactive or failed, restart SSH:

sudo systemctl restart ssh

• Enable auto-start:

sudo systemctl enable ssh

5.1.2 SSH Port Not Open

ssh -p 2200 username@server-ip-address

Check open ports:

sudo netstat -tulnp | grep ssh

Or:

ss -tulnp | grep ssh

5.1.3 Firewall (UFW) Blocking SSH

sudo ufw status

Allow SSH:

sudo ufw allow 22/tcp

If using a custom port:

sudo ufw allow 2200/tcp

5.2 Authentication Errors

5.2.1 Incorrect Username or Password

ssh username@server-ip-address

5.2.2 Public Key Not Installed Correctly

cat ~/.ssh/authorized_keys

Verify it matches the local id_rsa.pub.

5.2.3 Incorrect Permissions on .ssh Directory

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Also ensure:

chmod 755 /home/username

5.3 Unstable SSH Connections or Unexpected Disconnections

5.3.1 Adjust ClientAliveInterval

ClientAliveInterval 60
ClientAliveCountMax 3

sudo systemctl restart ssh

5.3.2 Adjust Local Client Settings

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

5.4 Viewing SSH Logs

5.4.1 View Real-Time Logs

sudo journalctl -u ssh -f

5.4.2 View Past Logs

sudo cat /var/log/auth.log | grep ssh

sudo grep "Failed password" /var/log/auth.log

Conclusion

This section explained common SSH issues and how to resolve them:

• Check if SSH service is running
• Verify open ports
• Check firewall settings
• Ensure correct key authentication
• Fix timeout and disconnect issues
• Analyze SSH logs

Most SSH issues originate from misconfiguration or network constraints. Use these troubleshooting steps to resolve problems efficiently.

6. FAQ (Frequently Asked Questions)

This section answers common questions related to SSH usage and configuration.

6.1 How to Fix SSH Timeout Issues?

6.1.1 Server-Side Settings

ClientAliveInterval 60
ClientAliveCountMax 3

sudo systemctl restart ssh

6.1.2 Client-Side Settings

Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

6.2 What to Do If You Forget Your SSH Password?

6.2.1 If You Have Physical Access

1. Boot into single-user mode (select recovery mode from GRUB)
2. Reset password:

passwd username

3. Reboot the system

6.2.2 If Physical Access Is Not Possible (Cloud VPS)

• Use the VPS console provided by the hosting service
• Use public key authentication

6.3 How to Use SSH on Windows?

6.3.1 Using PowerShell

ssh username@server-ip-address

6.3.2 Using PuTTY

1. Download & install PuTTY
2. Enter server IP address into Host Name
3. Select SSH as connection type
4. Log in with username and password

6.4 How to Configure SSH on Ubuntu WSL?

6.4.1 Install SSH Server

sudo apt update && sudo apt install openssh-server

6.4.2 Modify SSH Settings

PasswordAuthentication yes

Start SSH manually (WSL does not use systemd):

sudo service ssh start

6.5 Additional Security Best Practices

6.5.1 Use Fail2Ban

sudo apt install fail2ban -y

[sshd]
enabled = true
port = 22
maxretry = 3
findtime = 600
bantime = 3600

sudo systemctl restart fail2ban

6.5.2 Change SSH Port

Port 2200

sudo ufw allow 2200/tcp

6.6 How to Monitor SSH Logs in Real Time?

sudo journalctl -u ssh -f

sudo cat /var/log/auth.log | grep ssh

6.7 Tips to Use SSH More Conveniently

6.7.1 Use .ssh/config for Simple Logins

Host myserver
    HostName 192.168.1.100
    User user
    Port 2200
    IdentityFile ~/.ssh/id_rsa

Then connect with:

ssh myserver

6.7.2 Use ssh-agent

eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa

Conclusion

This section summarized frequently asked questions related to SSH:

• How to fix SSH timeout issues
• How to recover a forgotten password
• How to use SSH on Windows and WSL
• Security best practices
• How to check SSH logs
• Tips for making SSH more convenient using .ssh/config

By applying these techniques, you can build a secure and efficient SSH environment and manage remote servers smoothly.