Mastering Secure Access: Step-by-Step Guide to Installing and Configuring SSH on Ubuntu
Forget generic tutorials. This guide cuts through the noise to show you how to not only install SSH but also optimize it for security and performance on Ubuntu—empowering you to take full control of your server access.
Remote server management is essential in today’s tech world, and SSH (Secure Shell) is the tool that makes it possible—with security you can trust. If you’re running Ubuntu and want a smooth, secure SSH setup, this guide is your go-to resource. We’ll cover everything from installing the OpenSSH server to configuring it for optimal security and efficiency.
Why SSH on Ubuntu?
Ubuntu is one of the most popular Linux distributions for servers, offering stability, ease of use, and robust security features. But simply installing SSH isn’t enough. Proper configuration is critical: it ensures your remote sessions are secure from unauthorized access and that your server performs efficiently during management or automation tasks.
Step 1: Installing SSH Server on Ubuntu
What You Need:
- A running Ubuntu system (desktop or server).
- sudo privileges.
Installation Command
Open your terminal and execute:
sudo apt update
sudo apt install openssh-server
This command updates your package lists, then installs the OpenSSH server package—your gateway to remote access.
Verify SSH Server Status
Check if the ssh service is active:
sudo systemctl status ssh
You should see an output indicating active (running). If not, start the service with:
sudo systemctl start ssh
Step 2: Testing Your SSH Server Locally
Before connecting remotely, test your setup locally by attempting to connect to localhost:
ssh username@localhost
Replace username with your actual Ubuntu username. If prompted to accept a host key fingerprint, type yes and enter your password.
Step 3: Configuring Basic Security Settings in SSH
By default, OpenSSH works out of the box but has security weaknesses if left unconfigured.
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Key Parameters to Modify:
-
Disable Root Login
Root login over SSH is a big security risk. Find this line and change:
PermitRootLogin no -
Limit Authentication Methods
Password authentication is vulnerable; consider using key-based authentication (covered in Step 4).
To disable password login after setting up keys:
PasswordAuthentication no -
Change Default Port
The default port 22 can be targeted by automated attacks. Change it by modifying:
Port 2222Choose a port number between 1024 and 65535.
-
Enable Usage of AllowUsers
Restrict which users can login via SSH by adding at the end of
sshd_config:AllowUsers yourusername anotheruser
Save changes (Ctrl+O in nano), exit (Ctrl+X).
Restart SSH service for changes to take effect:
sudo systemctl restart ssh
Step 4: Setting Up Key-Based Authentication (Recommended)
Password authentication can be brute-forced. A far more secure method is using SSH keys.
Generate an SSH Key Pair on Your Local Machine
ssh-keygen -t ed25519 -C "your_email@example.com"
Press enter through prompts for defaults or set a passphrase for extra security.
Copy Your Public Key to the Server
Use ssh-copy-id tool (replace username & server_ip):
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@server_ip
Alternatively, manually append your key to ~/.ssh/authorized_keys on the server.
Test key-based login:
ssh username@server_ip -p 2222 # assuming you changed the port earlier.
If successful, disable password authentication as explained above.
Step 5: Additional Hardening Tips
- Install Fail2Ban
Protects against brute force attacks by banning IPs with multiple failed login attempts:
sudo apt install fail2ban -y
sudo systemctl enable --now fail2ban
Basic configurations are automatically applied for SSH in /etc/fail2ban/jail.local.
- Use UFW Firewall
Only allow connections via your custom SSH port:
sudo ufw allow 2222/tcp # replace with your port number.
sudo ufw enable
Verify rules with:
sudo ufw status verbose
Summary Checklist
| Task | Command / Action |
|---|---|
| Install OpenSSH Server | sudo apt install openssh-server |
| Check service status | sudo systemctl status ssh |
| Edit config file | sudo nano /etc/ssh/sshd_config |
| Disable root login | Set PermitRootLogin no |
| Change port | Set Port [custom_port] |
| Restrict users | Add AllowUsers user1 user2 |
| Setup key-based auth | Use ssh-keygen + ssh-copy-id, then disable passwords |
| Restart service | sudo systemctl restart ssh |
| Enable Fail2Ban | sudo apt install fail2ban; sudo systemctl enable --now fail2ban |
| Configure firewall | Use UFW commands as needed |
With these steps, you have now installed and locked down your Ubuntu server’s remote access using SSH — a foundational skill that bolsters any sysadmin’s arsenal.
Want more? Next time we’ll cover automating routine tasks securely over SSH!
If this guide helped you master secure access on Ubuntu, share it with fellow sysadmins or drop a comment below!