Mastering OpenSSH Installation on Ubuntu: A Step-by-Step Guide for Secure Server Access

Forget generic tutorials; this guide breaks down the exact commands, common pitfalls, and security tweaks to get OpenSSH running flawlessly on Ubuntu—ideal for sysadmins who value precision and control.

In today’s cloud-powered world, secure remote access to servers is non-negotiable. OpenSSH is the gold standard for remote management on Linux systems, especially Ubuntu servers. Whether you’re setting up a fresh server or hardening an existing one, mastering the installation and configuration of OpenSSH ensures your infrastructure remains both accessible and secure.

In this post, we’ll dive into the practical steps to install OpenSSH on Ubuntu, verify its operation, and implement key security practices to keep your server resilient against unauthorized access.

Why OpenSSH?

OpenSSH provides encrypted communication channels allowing you to remotely log into your Ubuntu server securely. Compared to alternatives like Telnet or RDP (which are less common in Linux), OpenSSH ensures data confidentiality, integrity, and authentication — all essential for trustworthy server management.

Step 1: Update Your Server Packages

Before installing any new software, always update your package list to ensure you’re getting the latest versions:

sudo apt update && sudo apt upgrade -y

This updates your package repositories and installs available updates. Keeping packages up-to-date minimizes vulnerabilities.

Step 2: Install the OpenSSH Server Package

To enable SSH access, you need the OpenSSH server running on your machine. Install it with:

sudo apt install openssh-server -y

The openssh-server package includes everything needed to run an SSH daemon (sshd) that listens for incoming connections.

Step 3: Verify the SSH Service Status

After installation, systemd usually starts the SSH service automatically. Check if SSH is active with:

sudo systemctl status ssh

You should see output similar to:

● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since ...

If it’s not running, start it manually:

sudo systemctl start ssh

And enable it at boot time:

sudo systemctl enable ssh

Step 4: Configure Your Firewall to Allow SSH Connections

If you’re running UFW (Uncomplicated Firewall), ensure SSH traffic is permitted:

sudo ufw allow ssh
sudo ufw enable   # Only if firewall isn’t already active
sudo ufw status

Confirm that SSH port 22 is allowed through your firewall.

Step 5: Test SSH Connection Locally

Test that you can connect via SSH on your own machine before trying remotely:

ssh localhost

If successful, you’ll be prompted for your user password and then logged into your own session via SSH.

Optional but Recommended Security Tweaks

Change Default SSH Port

Changing from default port 22 reduces automated bot attacks:

1. Edit /etc/ssh/sshd_config with a text editor such as nano:

   sudo nano /etc/ssh/sshd_config
   

2. Find the line:

   #Port 22
   

3. Uncomment it (remove #) and change 22 to a port of your choice—e.g., 2222:

   Port 2222
   

4. Save and exit (Ctrl + O, Enter, Ctrl + X).

5. Adjust firewall rules accordingly:

   sudo ufw allow 2222/tcp
   sudo ufw delete allow ssh    # Removes old rule for port 22 if desired
   

6. Restart SSH service:

   sudo systemctl restart ssh
   

Remember to specify the custom port when connecting:

ssh -p 2222 user@server_ip

Disable Root Login Over SSH

Edit /etc/ssh/sshd_config again and set:

PermitRootLogin no

Restart sshd afterward.

Use Key-Based Authentication Instead of Passwords (Highly Recommended)

1. On your local machine, generate an SSH key pair if you don't have one already:

ssh-keygen -t ed25519 -C "your_email@example.com"
# Or use rsa for compatibility:
# ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

1. Copy the public key to the Ubuntu server (replace user@server_ip):

ssh-copy-id user@server_ip

1. Test connection; password prompt should not appear after key setup:

ssh user@server_ip

To enforce key-based authentication only, edit /etc/ssh/sshd_config and set:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no 

Then restart SSH.

Common Pitfalls & Troubleshooting

• Firewall blocks connection: Confirm correct UFW rules exist.
• Forgot custom SSH port: Use command history or check /etc/ssh/sshd_config.
• Service not starting: Check logs via journalctl -u ssh for error details.
• SELinux/AppArmor interfering: While Ubuntu defaults are typically permissive for sshd, some setups might require configuration tweaks.

Wrapping Up

OpenSSH remains indispensable for secure Ubuntu server management. The steps covered here – from installation through practical security hardening – provide a foundational workflow trusted by sysadmins globally.

By maintaining precise control over your OpenSSH setup, you ensure that every remote connection into your Ubuntu environment is both smooth and safe—eliminating guesswork and minimizing risks.

Go ahead — get hands-on with these commands today on your own Ubuntu instance! Your future self (and all users) will thank you for creating such a secure gateway into your infrastructure.

Happy Securing!
For further exploration consider tuning SSH settings like login grace time or enabling two-factor authentication alongside OpenSSH keys as next steps in hardening access!

If you found this guide helpful or want more practical Linux tutorials tailored to busy IT pros, subscribe below or leave a comment with topics you'd like covered next!